Build A Primary Domain Controller With Samba, Part 2

Tuesday Jul 17th 2007 by Carla Schroder

Our recipe for quick configuration will make it easy for you to drop a Samba-based PDC into your Windows network for single sign-on authentication, roaming profiles, and more.

Second of two parts. Read Part One.

Today we leap right into smb.conf and configure our Samba primary domain controller. Remember- There Can Be Only One. Do not use this if there is already a PDC on your network.

It may help to print and annotate smb.conf. Be sure to make a backup copy before changing anything. Samba's man pages are exceptionally useful; start with man samba and man smb.conf. Some comments below are abbreviated; see smb.conf for the full text. A complete list of global parameters is in man smb.conf. You can't just invent them; you must use the official Samba parameters.

Put your domain name and server hostname here:
# workgroup = NT-Domain-Name or Workgroup-Name
workgroup = MYGROUP
netbios name = HOSTNAME

# server string is the equivalent of the NT Description field
server string = Samba PDC %v %h
%v displays the Samba version number, %h displays the hostname. This shows up in Network Neighborhood. See man smb.conf for a full explanation of all variable substitutions. Or say anything you want:
server string = Carla's Samba server, and a darn fine one it is

Define subnets:
# This option is important for security...
hosts allow = 192.168.1., 127.
The localhost will always be allowed access, unless denied by a "hosts deny" option. Use space, comma, or tab delimiting. Individual IPs can be excluded here with the EXCEPT keyword:
hosts allow = 192.168., EXCEPT

# Put a capping on the size of the log files (in Kb).
max log size = 50
Side note: I like to isolate /var in its own partition, to prevent crashes if something causes a log file to grow hugely, such as a DoS attack or other mayhem.

# Security mode...
security = user

# You may wish to use password encryption....
encrypt passwords = yes
smb passwd file = /etc/samba/smbpasswd

# The following are needed to allow password changing from Windows to
# update the Linux system password also.
unix password sync = yes
passwd program = /usr/bin/passwd %u
passwd chat = *New*password* %n\n *Please*retype*new*password* %n\n *password*successfully*updated*

# Browser Control Options:
local master = yes

#OS Level ...
os level = 64

# Domain Master specifies Samba to be the Domain Master Browser....
domain master = yes

# Preferred Master ...
preferred master = yes

# Enable this if you want Samba to be a domain logon server for
# Windows95 workstations.
domain logons = yes

# Where to store roving profiles (only for Win95 and WinNT)
# %L substitutes for this server's netbios name, %U is username
# You must uncomment the [Profiles] share below
logon path = \\%L\Profiles\%U

Add these lines (pick whatever drive letter you like for logon drive):
logon home = \\%L\%U
logon drive = H:
logon script = netlogon.bat

#=== shares ===
# [homes] serves each user's home directory; it is what logon home = \\%L\%U points at
[homes]
comment = Home Directories
browseable = no
writable = yes
valid users = %S
create mode = 0664
directory mode = 0775

# [netlogon] holds netlogon.bat; keep it read-only for clients
[netlogon]
comment = Network Logon Service
path = /home/samba/netlogon
writable = no
share modes = no

# [Profiles] is the share referenced by logon path above
[Profiles]
path = /home/samba/profiles
browseable = no

Now create a machines and an admin group:
[root@windbag carla]# /usr/sbin/groupadd -g 200 admins
[root@windbag carla]# /usr/sbin/groupadd -g 201 machines

Be sure to select a group ID that does not conflict with existing groups; groupadd won't let you anyway. (In case you were wondering, my PC has a noisy fan- hence the hostname windbag.)

Next, create the directories as named in smb.conf:
[root@windbag carla]# mkdir -m 0775 /home/samba /home/samba/netlogon
[root@windbag carla]# chown root.admins /home/samba/netlogon
[root@windbag carla]# mkdir /home/samba/profiles
[root@windbag carla]# chmod 1757 /home/samba/profiles

Do this exactly as shown, for security reasons- please see Resources for information on Linux file permissions.

Now add machine accounts. Each computer on the network needs an account, as well as each user. This adds a Unix account:
[root@windbag carla]# /usr/sbin/useradd -g machines -d /dev/null -c "machine nickname" -s /bin/false test$
This puts the account in the machines group with no home directory, a nickname of your choice as the comment field, and no shell access; I used "test" as the NetBIOS or hostname, and $ identifies it as a trust account.

Create authentication and lock password:
[root@windbag carla]# passwd -l test$
Changing password for user test$
Locking password for user test$
passwd: Success

Now add to /etc/samba/smbpasswd:
[root@windbag carla]# /usr/bin/smbpasswd -a -m test
If /etc/samba/smbpasswd does not exist, smbpasswd will create it. Note that smbpasswd does not require $ appended to the machine name. smbpasswd may not be in /usr/bin/; use the locate command to find it. smbpasswd exists twice: as a command, and as a text file.

A quick way to read a file is using the cat command:
[root@windbag carla]# cat /etc/samba/smbpasswd

For your human users, the procedure is the same: useradd and passwd to create a Unix account, only don't lock the password, then smbpasswd for Samba. There is probably a clever way to automate this with a shell script. Unfortunately I'm a lousy scripter, so I'm afraid I can't be helpful here.
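One way to script the machine-account and user-account steps above, as an added example that is not part of the original article. It assumes the machines group and the useradd/passwd/smbpasswd paths shown on this page, must be run as root on the PDC, and adds a DRY_RUN switch so the generated commands can be reviewed before anything touches the system:

```shell
#!/bin/sh
# Added example: wraps the manual steps (useradd, passwd, smbpasswd) into two
# functions. DRY_RUN=1 prints each command instead of executing it.

run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Reject anything that is not a plausible NetBIOS name (1-15 chars; letters,
# digits, hyphen) so a typo cannot become an odd Unix account name.
check_name() {
    case "$1" in
        ''|*[!A-Za-z0-9-]*) return 1 ;;
    esac
    [ "${#1}" -le 15 ]
}

# Machine (trust) account: Unix account in group "machines", no home, no
# shell, locked password, then the Samba machine entry (no trailing $).
add_samba_machine() {
    check_name "$1" || { echo "bad machine name: $1" >&2; return 1; }
    run /usr/sbin/useradd -g machines -d /dev/null -c "machine $1" -s /bin/false "$1\$" &&
    run passwd -l "$1\$" &&
    run /usr/bin/smbpasswd -a -m "$1"
}

# Human user: ordinary Unix account with a home directory (for [homes]) and
# an unlocked password; passwd and smbpasswd prompt interactively.
add_samba_user() {
    check_name "$1" || { echo "bad user name: $1" >&2; return 1; }
    run /usr/sbin/useradd -m "$1" &&
    run passwd "$1" &&
    run /usr/bin/smbpasswd -a "$1"
}
```

Run it once with DRY_RUN=1 (e.g. DRY_RUN=1 add_samba_machine test) and compare the output against the commands in this article before running it for real.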

Run the command "testparm" to find syntax errors; see man testparm for all options. Then, as root:
Start Samba: /etc/rc.d/init.d/smb start
Stop: /etc/rc.d/init.d/smb stop
Test: smbclient -L localhost

That takes care of the server configuration. Now join Windows clients to your domain. Windows 9x/ME is easy: make sure that Client For Microsoft Networks is selected as the Primary Network Logon. Then Client For Microsoft Networks -> Properties -> Logon to NT Domain.

For Windows NT/2000, set the domain name, then be sure that your first logon is as root. An ordinary user will not work. After the initial root login, any user can log in on their own account. If the machine account was created manually, be sure to not select "Create a Computer Account In the Domain." The Samba PDC howto tells how to create machine accounts "on the fly."

Windows XP is a bear. The Home edition cannot be joined to a domain. XP Professional sometimes requires a registry patch to connect to Samba, sometimes it goes as easily as Win2000. Please visit the smb-clients mail list for the best help.

I left out creating user and printer shares on purpose; it's simple and abundantly documented. The O'Reilly book "Using Samba" is invaluable, especially for troubleshooting, and so is the documentation on samba.org. The most common mistakes are typos in smb.conf. Be kind to yourself- get enough sleep and take it slowly.

Resources:

Samba.org documentation, including all man pages
Linux File Permissions
Samba-PDC LDAP howto
Samba PDC howto
Samba mail lists