
Recipe 23.12. Building a Primary Domain Controller with Samba

23.12.1 Problem

You want to set up a Samba primary domain controller for your LAN to provide domain authentication.

23.12.2 Solution

A domain controller provides a single central password database, so once users log in, they have access to domain resources without having to reauthenticate themselves as they access file or printer shares in the domain. The hardworking sysadmin can also easily lock out users, if necessary.

Because file and printer shares are configured centrally on the Samba server, access to shares is easy to manage. Unlike in a peer network, the sysadmin has complete control of network shares.

Windows XP Home cannot join any domain—neither a Windows domain, nor a Samba domain. Windows NT 3.x does not support encrypted passwords, so you cannot join NT 3.x clients to a normal Samba domain. The best choices for domain clients are Windows 2000 and XP Pro.


There are five steps to the setup process:

  1. Install Samba.

  2. Configure smb.conf.

  3. Create user and machine accounts.

  4. Create directories.

  5. Fire it up and connect clients for testing.

Installing Samba is the easy part. You can install from sources or packages, whatever you prefer.

Here is a complete, minimal smb.conf for your new domain controller. This configures authentication and users' homes shares. It does not define file or printer shares. The workgroup name becomes your new domain name:

[global]
   workgroup = holstein
   netbios name = windbag
   server string = Samba PDC
   domain master = yes
   os level = 64
   preferred master = yes
   local master = yes
   domain logons = yes
   logon script = netlogon.bat

   security = user
   encrypt passwords = yes
   log file = /var/log/samba/log
   log level = 2
   max log size = 50
   hosts allow = 192.168.1.

[netlogon]
   comment = Network Logon Service
   path = /var/samba/netlogon
   guest ok = Yes
   browseable = No

[homes]
   comment = User's Home Directories
   valid users = %S
   browseable = no
   writeable = yes

See the "Discussion" section of this recipe for a copy of the logon script, netlogon.bat.

Save and close smb.conf, then run testparm to check for syntax errors:

# testparm

Then restart Samba.
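As an added example (not code from the recipe or from the Samba project), here is a small POSIX shell checker that reads an smb.conf and reports whether the directives that make Samba a primary domain controller are all present, which is the same question testparm answers with its "Server role" line. It is handy on a machine where Samba is not installed yet, or as a pre-deployment check on a configuration kept in version control. The helper names smb_get, check_pdc_conf and sample_pdc_conf are mine, and the embedded configuration is constructed to mirror the recipe's minimal smb.conf.

```shell
#!/bin/sh
# Added example: offline check that an smb.conf carries the settings a Samba
# PDC needs (the ones behind testparm's "Server role: ROLE_DOMAIN_PDC").
# smb_get, check_pdc_conf and sample_pdc_conf are hypothetical helper names.

# smb_get FILE SECTION KEY: print the value of KEY in [SECTION], ignoring
# comment lines and key case, or print nothing if the key is unset.
smb_get() {
    awk -v want_sec="$2" -v want_key="$3" '
        /^[ \t]*[#;]/ { next }                       # comment line
        /^[ \t]*\[/ {                                # [section] header
            sec = $0; sub(/^[ \t]*\[/, "", sec); sub(/\].*$/, "", sec); next
        }
        sec == want_sec && index($0, "=") {
            key = $0; sub(/=.*/, "", key); gsub(/^[ \t]+|[ \t]+$/, "", key)
            val = $0; sub(/^[^=]*=/, "", val); gsub(/^[ \t]+|[ \t]+$/, "", val)
            if (tolower(key) == tolower(want_key)) { print val; exit }
        }' "$1"
}

# check_pdc_conf FILE: return 0 when every PDC-required directive is set,
# 1 otherwise, printing one line per problem. Booleans accept yes/true/1.
check_pdc_conf() {
    conf="$1"; rc=0
    for pair in "domain logons:yes" "domain master:yes" "preferred master:yes" \
                "local master:yes" "security:user" "encrypt passwords:yes"; do
        key=${pair%%:*}; want=${pair##*:}
        got=$(smb_get "$conf" global "$key" | tr 'A-Z' 'a-z')
        ok=0
        if [ "$want" = yes ]; then
            case "$got" in yes|true|1) ok=1 ;; esac
        elif [ "$got" = "$want" ]; then
            ok=1
        fi
        if [ "$ok" -eq 0 ]; then
            echo "missing or wrong: '$key = $want' (found '${got:-unset}')"
            rc=1
        fi
    done
    # "logon script" is served from the [netlogon] share, so require it too.
    if ! grep -q '^[[:space:]]*\[netlogon\]' "$conf"; then
        echo "missing [netlogon] share"; rc=1
    fi
    # Not required for the role, but a PDC with no host restriction is worth flagging.
    [ -n "$(smb_get "$conf" global "hosts allow")" ] || echo "warning: no 'hosts allow' set"
    return "$rc"
}

# Constructed sample that mirrors the recipe's minimal PDC configuration.
sample_pdc_conf() {
cat <<'EOF'
[global]
   workgroup = holstein
   netbios name = windbag
   server string = Samba PDC
   domain master = yes
   os level = 64
   preferred master = yes
   local master = yes
   domain logons = yes
   logon script = netlogon.bat
   security = user
   encrypt passwords = yes
   hosts allow = 192.168.1.
[netlogon]
   comment = Network Logon Service
   path = /var/samba/netlogon
   guest ok = Yes
   browseable = No
[homes]
   comment = User's Home Directories
   valid users = %S
   browseable = no
   writeable = yes
EOF
}

# Demo: the sample passes; the same file with "domain logons" removed fails.
good=$(mktemp); sample_pdc_conf > "$good"
bad=$(mktemp);  sample_pdc_conf | grep -v 'domain logons' > "$bad"
check_pdc_conf "$good" && echo "sample: PDC settings present"
check_pdc_conf "$bad"  || echo "sample without domain logons: not a PDC"
rm -f "$good" "$bad"
```

The checker deliberately does not replace testparm, which also validates values Samba itself would reject; it only answers "would this file make the server a PDC, and is it open to the whole world" before the file is copied into place.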

Next, create these administrative groups, using system group numbers:

# groupadd -g 112 sadmins
# groupadd -g 113 machines

Then create the netlogon directory:

# mkdir -m 0775 /var/samba/netlogon
# chown root:sadmins /var/samba/netlogon

Each PC in your new Samba domain must have a machine account. First, create Linux accounts on the Samba server for every PC. The dollar sign indicates that this is a "trust," or machine, account:

# useradd -g machines -d /dev/null -c "stinkpad" -s /bin/false stinkpad$
# passwd -l stinkpad$

Then add each account to the Samba password database. Leave the dollar sign off the machine name:

# smbpasswd -a -m stinkpad
Added user stinkpad$.

Finally, add the root account to the Samba password database with smbpasswd. You need it every time you join a new Windows NT/2000/XP machine to the domain, because the first domain login from each new client must be made as the Samba root user. If you skip this step, your Windows NT/2000/XP PCs will not be able to join the domain.

Join each PC to the domain as soon as you create its machine account, both to synchronize the account with the server and to keep someone else from hijacking the unused account. During the join, stinkpad and Samba exchange authentication tokens, so that Samba will always recognize stinkpad. That is where the "trust" happens.
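The machine-account steps above (useradd, passwd -l, smbpasswd -a -m) are easy to get wrong by hand when you have more than a couple of PCs, so here is an added example script, not part of the recipe, that does them for a list of client names. It rejects names that are not valid NetBIOS machine names, skips Linux accounts that already exist, and defaults to a dry run that only prints the commands. The helpers valid_netbios_name, run and add_machine_account are hypothetical names of my own, the MACHINES list is constructed, and the script assumes the "machines" group from the recipe already exists; run it as root with DRY_RUN=0 to create accounts for real.

```shell
#!/bin/sh
# Added example: create the Linux and Samba halves of a machine trust account
# for a list of client PCs, with name validation, idempotence and a dry run.
# valid_netbios_name, run and add_machine_account are hypothetical helper
# names; the MACHINES list is constructed. Assumes the "machines" group from
# the recipe exists. Run as root with DRY_RUN=0 to create accounts for real.
: "${DRY_RUN:=1}"

# A usable NetBIOS machine name: 1-15 characters, letters, digits and hyphens.
valid_netbios_name() {
    case "$1" in
        ''|*[!A-Za-z0-9-]*) return 1 ;;
    esac
    [ "${#1}" -le 15 ]
}

# run CMD...: execute the command, or only echo it when DRY_RUN=1.
run() {
    if [ "$DRY_RUN" -eq 1 ]; then
        echo "+ $*"
    else
        "$@"
    fi
}

# add_machine_account NAME: the Linux account is NAME$ (locked, no shell, no
# home); the Samba side is added with -m, which appends the $ by itself.
add_machine_account() {
    name=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    if ! valid_netbios_name "$name"; then
        echo "rejecting invalid machine name '$1'" >&2
        return 2
    fi
    acct="${name}\$"
    if [ "$DRY_RUN" -eq 0 ] && getent passwd "$acct" >/dev/null 2>&1; then
        echo "$acct exists, skipping useradd" >&2
    else
        run useradd -g machines -d /dev/null -c "$name" -s /bin/false "$acct"
        run passwd -l "$acct"
    fi
    run smbpasswd -a -m "$name"
}

# Constructed input: one client PC per line, including one bad name.
MACHINES="stinkpad
thinkpad-2
bad name!"

printf '%s\n' "$MACHINES" | while IFS= read -r m; do
    add_machine_account "$m"
done
```

Because the dry run prints exactly the commands it would run, you can review the output before re-running with DRY_RUN=0, and the same list can be replayed later to add new PCs without touching the ones already present.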

The steps for joining clients running different versions of Windows to a Samba domain are all different; see the next three recipes to learn how.

23.12.3 Discussion

There are a couple of easy tests you can run to confirm that your Samba domain controller is working. First, always run testparm:

$ testparm
Load smb config files from /etc/samba/smb.conf
Processing section "[netlogon]"
Processing section "[homes]"
Loaded services file OK.
Server role: ROLE_DOMAIN_PDC

Server role: ROLE_DOMAIN_PDC is the line you want to see. Then run smbtree on the server:

$ smbtree -N
added interface ip=192.168.1.5 bcast=192.168.1.255 nmask=255.255.255.0
Got a positive name query response from 192.168.1.5 ( 192.168.1.5 )
Got a positive name query response from 192.168.1.5 ( 192.168.1.5 )
HOLSTEIN
Got a positive name query response from 192.168.1.5 ( 192.168.1.5 )
        \\WINDBAG                       Samba PDC

To test connectivity, run smbtree from another Linux host on the LAN.

This is a bare-bones configuration. You can easily add file and printer shares as you need, just like for any Samba server.

The netlogon share contains a script that is automatically downloaded to Windows clients. It mounts the users' homes shares on their local Z drives. This is the whole script:

REM NETLOGON.BAT
REM Map the user's home share on the PDC (netbios name "windbag") to drive Z:
net use z: \\windbag\homes /yes

Be sure to name it netlogon.bat, and store it in /var/samba/netlogon.

These are the directives that tell Samba it is a primary domain controller (PDC):

domain master = yes
os level = 64
preferred master = yes
local master = yes
domain logons = yes

Remember, There Can Be Only One—don't put two PDCs on the same domain, or nothing will work right. You may have multiple Samba file servers, but only one PDC.

23.12.4 See Also

  • smb.conf(5)

  • Chapter 4 of The Official Samba-3 HOWTO and Reference Guide
