Chapter 4. Windows NT Domains

In previous chapters, we've focused on workgroup networking to keep things simple and introduce you to networking with Samba in the most painless manner we could find. However, workgroup computing has its drawbacks, and for many computing environments, the greater security and single logon of the Windows NT domain make it worthwhile to spend the extra effort to implement a domain.

In addition to the domain features of that we discussed in Chapter 1, having a domain makes it possible to use logon scripts and roaming profiles (also called roving profiles ). A logon script is a text file of commands that are run during startup, and a profile is a collection of information regarding the desktop environment, including the contents of the Start menu, icons that appear on the desktop, and other characteristics about the GUI environment that users are allowed to customize. A roaming profile can follow its owner from computer to computer, allowing her to have the same familiar interface appear wherever she logs on.

A Windows NT domain offers centralized control over the network. Policies can be set up by an administrator to define aspects of the users' environment and limit the amount of control they have over the network and their computers. It is also possible for administrators to perform remote administration of the domain controllers from any Windows NT/2000/XP workstation.

Samba 2.2 has the ability to act as a primary domain controller, supporting domain logons from Windows 95/98/Me/NT/2000/XP computers and allowing Windows NT/2000/XP ^[1] systems to join the domain as domain member servers. Samba can also join a domain as a member server, allowing the primary domain controller to be a Windows NT/2000 system or another Samba server.

^[1] When we include Windows XP in discussions of Windows NT domains in this book, we are referring to Windows XP Professional and not to the Home edition. The reason for this is explained in the section on Windows XP later in this chapter.

Samba 2.2 does not support LDAP and Kerberos authentication of Active Directory, so it cannot act as a Windows 2000 Active Directory domain controller. However, Samba can be added to an Active Directory domain as a member server, with the Windows 2000 domain controllers running in either mixed or native mode. The Windows 2000 server (even if it is running in native mode) supports the Samba server by acting as a PDC emulator, using the Windows NT style of authentication rather than the Kerberos style.

If you're adding a Samba server to a network that has already been set up, you won't have to decide whether to use a workgroup or a domain; you will simply have to be compatible with what's already in place. If you do have a choice, we suggest you evaluate both workgroup and domain computing carefully before rolling out a big installation. You will have a lot of work to do if you later need to convert one to the other. One last thought on this matter is that Microsoft is developing Windows in the direction of increased use of domains and is intending that eventually Windows networks be composed solely of Active Directory domains. If you implement a Windows NT domain now, you'll be in a better position to transition to Active Directory later, after Samba has better support for it.

In this chapter, we cover various topics directly related to using Samba in a Windows NT domain, including:

• Configuring and using Samba as the primary domain controller

• Setting up Windows 95/98/Me systems to log on to the domain

• Implementing user -level security on Windows 95/98/Me

• Adding Windows NT/2000/XP systems to the domain

• Configuring logon scripts, roaming profiles, and system policies

• Adding a Samba server to a domain as a member server