Recipe 23.12. Building a Primary Domain Controller with Samba


23.12.1 Problem

You want to set up a Samba primary domain controller for your LAN to provide domain authentication.

23.12.2 Solution

A domain controller provides a single central password database, so once users log in, they have access to domain resources without having to reauthenticate themselves as they access file or printer shares in the domain. The hardworking sysadmin can also easily lock out users, if necessary.

Because file and printer shares are configured centrally on the Samba server, access to shares is easy to manage. Unlike in a peer network, the sysadmin has complete control of network shares.

Windows XP Home cannot join any domain, neither a Windows domain nor a Samba domain. Windows NT 3.x does not support encrypted passwords, so you cannot join NT 3.x clients to a normal Samba domain. The best choices for domain clients are Windows 2000 and XP Pro.


There are five steps to the setup process:

  1. Install Samba.

  2. Configure smb.conf.

  3. Create user and machine accounts.

  4. Create directories.

  5. Fire it up and connect clients for testing.

Installing Samba is the easy part. You can install from sources or packages, whatever you prefer.

Here is a complete, minimal smb.conf for your new domain controller. This configures authentication and users' homes shares. It does not define file or printer shares. The workgroup name becomes your new domain name:

[global]
    workgroup = holstein
    netbios name = windbag
    server string = Samba PDC
    domain master = yes
    os level = 64
    preferred master = yes
    local master = yes
    domain logons = yes
    logon script = netlogon.bat
    security = user
    encrypt passwords = yes
    log file = /var/log/samba/log
    log level = 2
    max log size = 50
    hosts allow = 192.168.1.

[netlogon]
    comment = Network Logon Service
    path = /var/samba/netlogon
    guest ok = Yes
    browseable = No

[homes]
    comment = User's Home Directories
    valid users = %S
    browseable = no
    writeable = yes

See the "Discussion" section of this recipe for a copy of the logon script, netlogon.bat.

Save and close smb.conf, then run testparm to check for syntax errors:

# testparm

Then restart Samba.

Next, create these administrative groups, using system group numbers:

# groupadd -g 112 sadmins
# groupadd -g 113 machines

Then create the netlogon directory:

# mkdir -m 0775 /var/samba/netlogon
# chown root.sadmins /var/samba/netlogon

Each PC in your new Samba domain must have a machine account. First, create Linux accounts on the Samba server for every PC. The dollar sign indicates that this is a "trust," or machine, account:

# useradd -g machines -d /dev/null -c "stinkpad" -s /bin/false stinkpad$
# passwd -l stinkpad$

Then add each account to the Samba password database. Leave the dollar sign off the machine name:

# smbpasswd -a -m stinkpad
Added user stinkpad$.

Finally, create a root account on Samba with smbpasswd. You need this every time you join a new Windows NT/2000/XP machine to the domain, because you must make your first domain login as the Samba root user. Don't forget to do this, or your Windows NT/2000/XP PCs will not be able to join the domain.

Log in to the domain as soon as possible, in order to synchronize with the server and to prevent someone else from possibly hijacking the account. stinkpad and Samba will exchange authentication tokens, so that Samba will always recognize stinkpad. That is where the "trust" happens.

The steps for joining clients running different versions of Windows to a Samba domain are all different; see the next three recipes to learn how.

23.12.3 Discussion

There are a couple of easy tests you can run to confirm that your Samba domain controller is working. First, always run testparm:

$ testparm
Load smb config files from /etc/samba/smb.conf
Processing section "[netlogon]"
Processing section "[homes]"
Loaded services file OK.
Server role: ROLE_DOMAIN_PDC

Server role: ROLE_DOMAIN_PDC is the line you want to see. Then run smbtree on the server:

$ smbtree -N
added interface ip=192.168.1.5 bcast=192.168.1.255 nmask=255.255.255.0
Got a positive name query response from 192.168.1.5 ( 192.168.1.5 )
Got a positive name query response from 192.168.1.5 ( 192.168.1.5 )
HOLSTEIN
Got a positive name query response from 192.168.1.5 ( 192.168.1.5 )
        \\WINDBAG                       Samba PDC

To test connectivity, run smbtree from another Linux host on the LAN.

This is a bare-bones configuration. You can easily add file and printer shares as you need, just like for any Samba server.

The netlogon share contains a script that is automatically downloaded to Windows clients. It mounts the users' homes shares on their local Z drives. This is the whole script:

REM NETLOGON.BAT
REM The UNC path is \\<netbios name>\<share>; with the smb.conf in this recipe that is \\windbag\homes
net use z: \\linux\samba /yes

Be sure to name it netlogon.bat, and store it in /var/samba/netlogon.

These are the directives that tell Samba it is a primary domain controller (PDC):

domain master = yes
os level = 64
preferred master = yes
local master = yes
domain logons = yes
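The following is an added check, not code from the book: it parses the recipe's smb.conf (embedded as a constructed sample) with Python's configparser, approximates the "Server role" line that testparm prints from the directives above, and flags the settings a sysadmin would want to verify before putting the PDC on a LAN (encrypted passwords, a read-only netlogon share, and the [homes] restrictions from the Solution). The defaults it assumes for omitted parameters are named in its comments.

```python
import configparser
# Constructed sample: the recipe's minimal PDC smb.conf, embedded so the audit runs offline.
SAMPLE_SMB_CONF = """[global]
    workgroup = holstein
    domain master = yes
    domain logons = yes
    security = user
    encrypt passwords = yes
[netlogon]
    guest ok = Yes
[homes]
    valid users = %S
    browseable = no
    writeable = yes"""

def load_smb_conf(text):
    """Parse smb.conf into {section: {param: value}}; Samba ignores case and spaces in names."""
    cp = configparser.RawConfigParser(strict=False, delimiters=("=",))
    cp.optionxform = lambda name: "".join(name.split()).lower()  # 'Domain Master' -> 'domainmaster'
    cp.read_string(text)
    return {s.lower(): dict(cp.items(s)) for s in cp.sections()}

def yes(value):
    return str(value).strip().lower() in ("yes", "true", "1")

def writable(share):
    """'writeable', 'writable' and 'write ok' are synonyms; 'read only = no' also grants write."""
    flags = [share[k] for k in ("writeable", "writable", "writeok") if k in share]
    return yes(flags[0]) if flags else not yes(share.get("readonly", "yes"))

def server_role(conf):
    """Approximation of testparm's 'Server role' line (assumption: 'auto' is treated as no)."""
    g = conf.get("global", {})
    if g.get("security", "user").lower() != "user" or not yes(g.get("domainlogons", "no")):
        return "ROLE_STANDALONE"
    return "ROLE_DOMAIN_PDC" if yes(g.get("domainmaster", "no")) else "ROLE_DOMAIN_BDC"

def audit_pdc(conf):
    """Return findings for a PDC smb.conf; an empty list means every check passed."""
    g, findings = conf.get("global", {}), []
    if server_role(conf) != "ROLE_DOMAIN_PDC":
        findings.append("global: not a PDC (needs security = user, domain logons = yes, domain master = yes)")
    if not yes(g.get("encryptpasswords", "yes")):  # assumption: Samba 3 defaults this to yes
        findings.append("global: encrypt passwords = no allows plaintext password exchange")
    if conf.get("netlogon") is None or writable(conf["netlogon"]):
        findings.append("[netlogon] missing or writeable: every client runs the script it serves at logon")
    if "homes" in conf and (yes(conf["homes"].get("browseable", "yes")) or conf["homes"].get("validusers") != "%S"):
        findings.append("[homes] should set browseable = no and valid users = %S")
    return findings
```

Run it against /etc/samba/smb.conf by passing the file's contents to load_smb_conf(); an empty list from audit_pdc() corresponds to the ROLE_DOMAIN_PDC result shown in the testparm output above.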

Remember, There Can Be Only One: don't put two PDCs on the same domain, or nothing will work right. You may have multiple Samba file servers, but only one PDC.

23.12.4 See Also

  • smb.conf(5)

  • Chapter 4 of The Official Samba-3 HOWTO and Reference Guide

    Linux Cookbook
    ISBN: 0596006403
    Year: 2004
    Pages: 434
