Samba Primary Domain Controller
Samba 3 Primary Domain Controller HOWTO
Samba can do several things. This howto covers its ability to act, feature for feature (and then some), as an NT4-style Primary Domain Controller. Before we begin, let's make sure you have all the tools required:
- A functioning Linux installation
- Correctly configured TCP/IP networking with a static IP address set
- 'root' shell access to the Linux installation
- Samba 3.x installed and operational in its default configuration
- A text editor (vim, emacs, nano, etc)
Before we waste too much time and discover Samba doesn't meet your needs, quickly read through these two lists and check that Samba meets your requirements. Generally, though, if you're replacing an aging NT4 domain controller, have no server at all, or are in a peer-to-peer environment, Samba acting as a PDC will be a great improvement on your current situation. Nevertheless, check what Samba can and can't do before you commit too much time and effort to the migration.
What it can do
- Act as an NT4 style PDC
- Act as a WINS server
- Provide NT4 style user and group security
- Run login scripts
- Allow users to have Roaming or Mandatory Profiles
- Act as a File server (briefly discussed)
- Act as a Print Server (not discussed in this howto)
What it can't do
- Act as an Active Directory DC
- Provide AD style Group Policies
- Support usage of Windows Networking Management tools
- Machine policies
- Synchronous login scripts
The smb.conf file is where the vast majority of the configuration is done. It's split into sections. The [global] section describes the server-wide options. The subsequent sections describe how to handle the several special shares (netlogon, profiles, printers, print$ and homes). Finally, the later sections describe any file shares the server will have.
The [global] Section
This is where you tell Samba what domain name to use, that it should be a Primary Domain Controller, and how to set up the logon environment for clients. Here's a sample [global] section from the smb.conf file.
[global]
    netbios name = myserver
    workgroup = mydomain
    server string = Samba PDC running %v
    socket options = TCP_NODELAY IPTOS_LOWDELAY SO_SNDBUF=8192 SO_RCVBUF=8192
The 'netbios name' configuration option sets the hostname for the server. This is the name of the machine as you will see it in the Network Neighbourhood. If it is omitted, Samba will by default use the machine's DNS hostname as set in /etc/hostname.
The 'workgroup' configuration option (slightly confusingly) sets the domain name the PDC will be hosting.
The 'server string' configuration option sets the comment field used in Network Neighbourhood. The %v will be expanded to contain the Samba version string. Variable expansion like this will be covered in more detail later in this howto.
The 'socket options' configuration option sets various TCP/IP settings. These defaults are known to perform well on Linux systems. If you are using another OS (such as *BSD) you may wish to consult your OS' networking documentation for its optimal values.
    os level = 63
    preferred master = yes
    domain master = yes
    domain logons = yes

    security = user
    encrypt passwords = yes
    passdb backend = tdbsam

    logon path = \\%N\profiles\%U
    logon drive = H:
    logon home = \\%N\%U\winprofile
    logon script = logon.cmd
The [netlogon] section
[netlogon]
    path = /home/samba/netlogon
    public = no
    writeable = no
    browsable = no
    valid users = root @smbadmins @smbusers
The [profiles] section
[profiles]
    path = /home/samba/profiles
    writeable = yes
    create mask = 0700
    directory mask = 0700
    browsable = no
    valid users = root @smbadmins @smbusers
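
The settings above can be checked mechanically once smb.conf is written. The following Python script is an added example, not part of the original HOWTO or of Samba; the function names (parse, writable, audit) and the sample configuration are constructed for illustration. It flags PDC options missing from [global], a writable [netlogon] share (the logon scripts stored there run on clients at logon), a missing 'valid users' list, and profile masks that grant group or other access.

```python
SAMPLE = """
[global]
domain master = yes
domain logons = yes
security = user
encrypt passwords = yes
[netlogon]
writeable = yes
valid users = root @smbadmins @smbusers
[profiles]
create mask = 0755
directory mask = 0700
valid users = root @smbadmins @smbusers
"""  # constructed sample: writable netlogon and a loose profile create mask
TRUE = {"yes", "true", "1"}  # Samba's spellings of a true boolean

def parse(text):
    """Parse smb.conf text into {section: {option: value}}, names lowercased."""
    conf, cur = {}, None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            cur = conf.setdefault(line[1:-1].strip().lower(), {})
        elif cur is not None and "=" in line and line[0] not in "#;":
            key, _, val = line.partition("=")
            cur[" ".join(key.lower().split())] = val.strip()
    return conf

def writable(share):
    """'writeable', 'writable', 'write ok' invert 'read only' (default: yes)."""
    for key in ("writeable", "writable", "write ok"):
        if key in share:
            return share[key].lower() in TRUE
    return share.get("read only", "yes").lower() not in TRUE

def audit(conf):
    out, g = [], conf.get("global", {})
    for opt, ok in {"domain logons": TRUE, "domain master": TRUE,
                    "encrypt passwords": TRUE, "security": {"user"}}.items():
        if g.get(opt, "").lower() not in ok:
            out.append(f"[global] {opt} is not set as in the HOWTO")
    if writable(conf.get("netlogon", {})):
        out.append("[netlogon] is writable; logon scripts could be altered")
    for name in ("netlogon", "profiles"):
        if not conf.get(name, {}).get("valid users"):
            out.append(f"[{name}] has no valid users list")
    for opt in ("create mask", "directory mask"):  # Samba defaults: 0744 / 0755
        if int(conf.get("profiles", {}).get(opt, "0755"), 8) & 0o077:
            out.append(f"[profiles] {opt} grants group/other access")
    return out
```

Calling audit(parse(open("/etc/samba/smb.conf").read())) runs the same checks on a real file; the path is an assumption and varies by distribution.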