Build A Primary Domain Controller With Samba

Tuesday Jul 10th 2007 by Carla Schroder

With Samba as your network's Primary Domain Controller, you can provide single sign-on authentication, roaming profiles, and more on an inexpensive platform.

Managing heterogenous networks is one of the bigger challenges facing the harried network administrator. Users want what they want: Linux/UNIX, the many Windows variants, OS/2, Macintosh, OS X, who knows what else. Bringing cooperation and harmony to all of these incompatible platforms is made possible by Samba.

Samba is the Open Source implementation of the SMB/CIFS (Server Message Block / Common Internet File System) protocols. CIFS is an evolution of SMB: it not only enables file and printer sharing across different platforms over various transport protocols, but is also a transport protocol in its own right. (See the SNIA link below for all the gory, yet fascinating details.) Samba is most commonly used to enable file and printer sharing between Windows clients and Linux/UNIX servers. As a file server, it ranks at the top of the class, outperforming Windows NT/2000 handily, both in speed and reliability.

Domain Controller

Microsoft's concept of a Primary Domain Controller is most useful, as it simplifies a number of network administration chores. It provides a "single sign-on", storing information about domain users and providing user authentication. Users' profiles are stored on the PDC; the PDC handles all authentication requests, allowing users to access different services in the domain without needing multiple authentications.

Samba makes a fine NT-type PDC. It supports roaming profiles, domain logon from all Windows clients, Windows NT4-type system policies, name services, master browser, and user-level security for Windows 9x/ME clients, which in my opinion do not belong in a business environment; but if they're there and you have to deal with them, Samba doesn't mind in the least.

Samba cannot act as a Backup Domain Controller to a Windows PDC, but there is a way to use two Samba machines as PDC/BDC (see Resources). As a belt-n-suspenders kinda gal, I consider some kind of redundancy essential.

System Requirements

Samba runs on just about any Linux or UNIX, including Mac OS X, OS/2, AmigaDOS, and Netware. For this article I'm using Red Hat Linux 7.2 and Samba 2.2.3a. The current stable version is 2.2.4. It pays to start with the latest stable version, as the Samba team continually adds improvements and bugfixes. Samba 3.0 adds native connectivity with Microsoft's Active Directory, support for Microsoft's version of Kerberos, SAM (Security Accounts Manager) replication, and doubtless many other fine goodies. It's not ready for a production server yet, as it is still in alpha. Worth waiting for.

Hardware requirements, as always, depend on the load to be handled. As users cannot access network services without the PDC, this is not the place to pinch pennies. A pair of Celerons or Durons will hold up better under load than a single Pentium or Athlon. More important are memory, the disk subsystem, and the NIC. Lots and lots of RAM, as Samba spawns a daemon for every user connection. A 3-disk SCSI RAID 5 array gives speed and data protection. I've learned the hard way that it's worth paying the price for a server-quality Ethernet card. Not only are they more durable and better-performing, they come with rafts of nice features you don't get with the $20 specials.


Download Samba here. Also on this page are various clients and utilities. As always with Linux, there are two ways to install an application: RPM, or compile from source. (OK, there are three: Debian's apt-get. As I don't speak Debian, I'll leave that to the Debian Linux gurus.) RPM is easier; compiling from source gives more control. Whichever method you choose, be sure to remove any existing Samba installations first.

rpm -qa|grep samba

tells you if Samba is on your system. If it returns a blank line, there is no Samba installed. Otherwise it will list the package names. Removal is easy:

rpm -e (package name)

Red Hat makes 3 Samba RPMs, so be sure to remove all installed packages. Don't worry if you don't find all three on your system. The Samba team supplies a single RPM for Red Hat. That's the one I use.

smb.conf, the Center of the Universe

Depending on which Linux distribution you have, and how Samba was installed, smb.conf can be in a number of locations. The Red Hat RPM stows it in /etc/samba, which thoughtfully contains all the Samba configuration files. No need to send out a search expedition; simply use locate:

locate smb.conf

It is helpful to print it out and read it. It's large, but don't let that scare you; it is well-commented and contains good instructions. The Samba team provides a graphical interface, SWAT. Webmin is a nice graphical frontend with a Samba module. However, I don't recommend either of them. SWAT has a habit of re-arranging smb.conf to suit itself, and it's really not hard to get used to editing a text file. I like being able to copy & paste the whole thing. Can't do that with a GUI. One advantage of Webmin is that it allows delegating specific administrative functions to other users. Nice for sharing the work, while restricting what your helpers can get into.

The structure of smb.conf is simple and logical: one part is "global", the other is "shares". Either # or ; comments out a single line. The "global" values can be smushed around in any order; however, in the interests of readability, and knowing why you did something a certain way, start with a comment, then list the values:

[global]
# workgroup = NT-Domain-Name or Workgroup-Name
workgroup = MYGROUP

More comments are more better, it's amazing how something that seemed crystal-clear turns opaque after a few weeks.

"shares" syntax is simple: each share name is enclosed in square brackets, followed by the options that apply to that share. For example:

[shared]
comment = shared folder for all users
path = /shared
browseable = no
writeable = yes

Important tip to prevent mysterious errors: values in a share section override values in the "global" section. For example, by default Samba permits any user who correctly authenticates (usually login-password) access to listed shares. However, shares can be fine-tuned:

[shared1]
comment = shared folder for users of group1
path = /shared1
browseable = no
writeable = yes
valid users = janis, jimi, jim

Only Janis, Jimi, and Jim can access shared1.
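To see how share-level values override "global" defaults and how "valid users" narrows access, here is an added example (not from the article or the Samba project) that parses a constructed smb.conf fragment and computes each share's effective settings; the "browseable"/"writeable" defaults in the sample [global] section are assumed for illustration, and the toy parser handles plain user names only, not Samba's @group syntax.

```python
# Constructed sample smb.conf, assumed for this example (not a real server's config).
SAMPLE_CONF = """\
[global]
# workgroup = NT-Domain-Name or Workgroup-Name
workgroup = MYGROUP
browseable = yes
writeable = no

[shared]
comment = shared folder for all users
path = /shared
browseable = no
writeable = yes

[shared1]
; restricted to three named users; writeable is inherited from [global]
comment = shared folder for users of group1
path = /shared1
valid users = janis, jimi, jim
"""


def parse_smb_conf(text):
    """Return {section: {key: value}}; lines starting with '#' or ';' are comments."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections[current] = {}
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            sections[current][key.strip().lower()] = value.strip()
    return sections


def effective_share(sections, share):
    """Start from [global] defaults, then let the share's own values override them."""
    merged = dict(sections.get("global", {}))
    merged.update(sections[share])
    return merged


def can_access(sections, share, user):
    """An authenticated user reaches a share unless 'valid users' leaves them out."""
    valid = effective_share(sections, share).get("valid users")
    if valid is None:
        return True
    return user in valid.replace(",", " ").split()
```

Run this against your own smb.conf to spot shares that silently inherit a permissive global setting.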

Basic Steps

  1. Server and network settings
  2. Security settings
  3. Roaming profiles
  5. Netlogon
  6. User and machine accounts
  7. Configure clients

We'll cover the gritty details in Part 2.

Resources

Storage Networking Industry Association .pdf on CIFS
PC Magazine performance tests
Samba as a backup domain controller