Samba Primary Domain Controller

Samba 3 Primary Domain Controller HOWTO


Samba can do several things. This howto covers its ability to act, feature for feature (and then some), as an NT4-style Primary Domain Controller. Before we begin, let's make sure you have all the tools required:


  • A functioning Linux installation
  • Correctly configured TCP/IP networking with a static IP address set
  • 'root' shell access to the Linux installation
  • Samba 3.x installed and operational in its default configuration
  • A text editor (vim, emacs, nano, etc)

Samba Basics

Before you waste too much time and then discover that Samba doesn't meet your needs, quickly read through these two lists and check that Samba meets your requirements. Generally, though, if you're replacing an aging NT4 domain controller, have no server at all, or are in a peer-to-peer environment, Samba acting as a PDC will be a great improvement on your current situation. Nevertheless, check what Samba can and can't do before you commit too much time and effort to the migration.

What it can do

  • Act as an NT4 style PDC
  • Act as a WINS server
  • Provide NT4 style user and group security
  • Run login scripts
  • Allow users to have Roaming or Mandatory Profiles
  • Act as a File server (briefly discussed)
  • Act as a Print Server (not discussed in this howto)

What it can't do

  • Act as an Active Directory DC
  • Provide AD style Group Policies
  • Support usage of Windows Networking Management tools
  • Machine policies
  • Synchronous login scripts

The smb.conf

This is where the vast majority of the configuration is done. It's split into sections. The [global] section describes the server-wide options. The subsequent sections describe how to handle the special shares (netlogon, profiles, printers, print$ and homes). Finally, the later sections describe any file shares the server will have.

The [global] Section

This is where you tell Samba what domain name to use, to act as a Primary Domain Controller, and how to set up the logon environment for clients. Here's a sample [global] section from the smb.conf file.


netbios name = myserver
workgroup = mydomain
server string = Samba PDC running %v

The 'netbios name' configuration option sets the NetBIOS hostname of the server. This is the name of the machine as you will see it in Network Neighbourhood. If it is omitted, Samba uses the machine's DNS hostname as set in /etc/hostname.

The 'workgroup' configuration option (slightly confusingly) sets the name of the domain the PDC will host.

The 'server string' configuration option sets the comment field shown in Network Neighbourhood. The %v is expanded to the Samba version string. Variable expansion like this is covered in more detail later in this howto.

The 'socket options' configuration option sets various TCP/IP socket settings. The defaults are known to perform well on Linux systems. If you are using another OS (such as *BSD), consult your OS's networking documentation for its optimal values.

os level = 63
preferred master = yes
domain master = yes
domain logons = yes

security = user
encrypt passwords = yes
passdb backend = tdbsam

logon path = \\%N\profiles\%U
logon drive = H:
logon home = \\%N\%U\winprofile
logon script = logon.cmd

The [netlogon] section

        path = /home/samba/netlogon
        public = no
        writeable = no
        browsable = no
        valid users = root @smbadmins @smbusers

The [profiles] section

        path = /home/samba/profiles
        writeable = yes
        create mask = 0700
        directory mask = 0700
        browsable = no
        valid users = root @smbadmins @smbusers
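Because the [global], [netlogon] and [profiles] settings above are what make the box a safe PDC (user-level security with encrypted passwords, a read-only netlogon share so nobody can tamper with logon scripts, and 0700 masks so users cannot read each other's profiles), it is worth checking them mechanically after every edit of smb.conf. The following audit script is an added example, not part of this howto or of Samba; the sample configuration it carries is constructed from the fragments above, and the parsing rules (interpolation off so %N and %U survive, the writeable/writable/write ok synonyms, the 0744/0755 defaults) are assumptions about smb.conf syntax.

```python
import configparser
# Constructed smb.conf excerpt based on the [global], [netlogon] and
# [profiles] fragments in this howto (section headers added for the parser).
SAMPLE_SMB_CONF = r"""
[global]
domain master = yes
domain logons = yes
security = user
encrypt passwords = yes
logon path = \\%N\profiles\%U
[netlogon]
path = /home/samba/netlogon
writeable = no
[profiles]
path = /home/samba/profiles
writeable = yes
create mask = 0700
directory mask = 0700
"""
YES = {"yes", "true", "1"}  # spellings Samba accepts for a boolean 'yes'

def parse_smb_conf(text):
    # smb.conf is INI-like; interpolation is off so %N / %U macros survive, keys are lower-cased
    cp = configparser.ConfigParser(interpolation=None, strict=False, delimiters=("=",))
    cp.read_string("\n".join(line.strip() for line in text.splitlines()))  # smb.conf indents freely
    return {s.lower(): {k: v.strip() for k, v in cp.items(s)} for s in cp.sections()}

def is_writeable(share):
    # 'writeable', 'writable' and 'write ok' are synonyms; 'read only' (default yes) is the inverse
    key = next((k for k in ("writeable", "writable", "write ok") if k in share), None)
    return share[key].lower() in YES if key else share.get("read only", "yes").lower() not in YES

def audit_pdc_conf(text):
    # Returns a list of findings; an empty list means every check passed.
    conf, findings = parse_smb_conf(text), []
    g = conf.get("global", {})
    for key, want in (("security", "user"), ("encrypt passwords", "yes"),
                      ("domain logons", "yes"), ("domain master", "yes")):
        if g.get(key, "").lower() != want:
            findings.append(f"[global] {key} should be '{want}' on a PDC")
    netlogon = conf.get("netlogon")
    if netlogon is None:
        findings.append("[netlogon] share is missing, so logon scripts cannot be served")
    elif is_writeable(netlogon):
        findings.append("[netlogon] is writeable: domain users could alter logon scripts")
    profiles = conf.get("profiles", {})  # absent share falls back to Samba's default masks
    for key, default in (("create mask", "0744"), ("directory mask", "0755")):
        if int(profiles.get(key, default), 8) != 0o700:
            findings.append(f"[profiles] {key} should be 0700 so profiles stay private")
    return findings
```

Run it against your real file with `audit_pdc_conf(open("/etc/samba/smb.conf").read())` after each change; an empty list means the settings this howto relies on are still in place.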