Google

Monday, September 1, 2008

How to Configure Samba PDC

Samba PDC howto
Basic smb.conf
Edit the smb.conf configuration file (RH: /etc/, FreeBSD: /usr/local/etc/) and make sure it contains the following:
Code:
[global]
netbios name =
server string = Samba %v on %L
workgroup =

; domain & local master browser
; because we're dealing with Win2k
os level = 65
preferred master = yes
domain master = yes
local master = yes
domain logons = yes

; misc options
socket options = TCP_NODELAY IPTOS_LOWDELAY SO_SNDBUF=8192 SO_RCVBUF=8192
time server = yes

; do not show files starting with dots
hide dot files = yes

; Central European code page support
; (Samba 2.2 parameters; Samba 3 replaced them with unix charset, dos charset and display charset)
client code page = 852
character set = ISO8859-2

; do not allow guest access, use only local system accounts
security = user
guest ok = no
invalid users = bin daemon sys man postfix mail ftp
; admin users act as root on every share, so keep this list short
admin users = @wheel

; domain administrators
; (Samba 2.2 parameters; Samba 3 uses group mappings created with "net groupmap" instead)
domain admin group = @wheel
domain admin users = root

; use encrypted passwords (NT/2000 clients require this)
encrypt passwords = yes

; logging (max log size is in kB)
log level = 2
log file = /var/log/samba/log.%L
max log size = 1000
debug timestamp = yes
syslog = 1

; user roaming profiles path
logon path = \\%N\profiles\%u

; general logon script (DOS line endings, path relative to the [netlogon] share)
logon script = logon.bat

Now you have to set up the netlogon share and the share for roaming profiles. Change the paths to your own directories and do not forget to change the list of valid users. I prefer having a special system group called smbusers and restricting access to its members and root.
Code:
; share for domain logons (logon scripts run on every client, so it must stay read-only)
[netlogon]
path = /home/samba/netlogon
public = no
writeable = no
browsable = no
valid users = root @smbusers

; share for storing user profiles
[profiles]
path = /home/samba/profiles
writeable = yes
create mask = 0700
directory mask = 0700
browsable = no
valid users = root @smbusers


Win2k machine accounts
To allow domain logon from machines running Windows NT or Windows 2000, you need to create a machine account for every machine. Machine accounts are special accounts whose name ends with $, i.e. machine$, where machine is the workstation's NetBIOS name.

Since there can be problems creating them from Windows, it is easier to create them in advance directly on Unix. It is also possible to let Samba create them on demand with add user script (add machine script in Samba 3) in smb.conf; see the Samba documentation for more.

To add a machine account, use your system's script, most likely adduser. If your system does not accept user names containing $ (e.g. FreeBSD), you must edit the password database by hand, so on FreeBSD use vipw.

The system accounts for machines need neither a login shell nor a home directory, so use false (/usr/bin/false) as the login shell and /dev/null as the home directory.

After adding the system account, use smbpasswd (as root) to add the Samba machine account. With -m, smbpasswd marks the entry as a machine account and appends the trailing $ itself, so you pass the bare machine name. A typical command looks like this, where MACHINE stands for the workstation's NetBIOS name:
Code:
# smbpasswd -a -m MACHINE

User accounts
To add a user account, simply repeat the above steps with the user name. Normally user names contain no special characters, so adduser works directly. Again, use false as the shell and /dev/null as the home directory (unless you also want a [homes] share, which needs a real home directory).

To add the user to Samba, run smbpasswd (as root), where USER stands for the user name:
Code:
# smbpasswd -a USER
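The two account procedures above (machine accounts and user accounts) as one worked example. This is added editor's code, not part of the howto: it builds the Unix account name from a hostname (first DNS label, lower case, at most 15 characters, plus $ for machines), creates the Unix account with no shell and no home directory, then calls smbpasswd -a. Assumptions: a Linux useradd that accepts a trailing $ in the name (on FreeBSD add the Unix account with vipw first, as the howto says; the script then only runs smbpasswd), /usr/bin/false as the shell, lower-case account names (Samba matches user names case-insensitively), and a dry_run flag that returns the argv lists instead of executing them so the naming rules can be checked without root.

```python
"""Create the Unix account and the Samba password entry for a domain workstation or user.

Added example (editor's code, not from the howto or from Samba).
"""
import os
import pwd
import re
import subprocess

# NetBIOS names are at most 15 characters; this character set is the editor's
# conservative intersection of what NetBIOS and useradd accept (assumption).
NETBIOS_LABEL_RE = re.compile(r"^[a-z_][a-z0-9_-]{0,14}$")
UNIX_USER_RE = re.compile(r"^[a-z_][a-z0-9_-]*$")


def machine_account_name(hostname):
    """ws01.example.com -> 'ws01$': the Unix (and Samba) machine account name."""
    label = hostname.split(".")[0].lower()
    if not NETBIOS_LABEL_RE.match(label):
        raise ValueError("not a usable NetBIOS name: %r" % hostname)
    return label + "$"


def unix_account_exists(name):
    try:
        pwd.getpwnam(name)
    except KeyError:
        return False
    return True


def plan_account(name, machine):
    """Return the argv lists that create the Unix account (if missing) and the Samba entry."""
    if machine:
        unix_name = machine_account_name(name)
    else:
        if not UNIX_USER_RE.match(name):
            raise ValueError("not a usable Unix user name: %r" % name)
        unix_name = name
    cmds = []
    if not unix_account_exists(unix_name):
        # -M: no home directory is created; no shell, no home: the account only
        # exists so Samba can map the SMB session to a Unix identity
        cmds.append(["useradd", "-M", "-d", "/dev/null", "-s", "/usr/bin/false", unix_name])
    if machine:
        # smbpasswd -m marks a machine account and appends the '$' itself
        cmds.append(["smbpasswd", "-a", "-m", unix_name[:-1]])
    else:
        cmds.append(["smbpasswd", "-a", unix_name])  # prompts for the user's password
    return cmds


def provision(name, machine, dry_run=False):
    """Run the commands; with dry_run=True only return them."""
    cmds = plan_account(name, machine)
    if not dry_run:
        if os.geteuid() != 0:
            raise PermissionError("useradd and smbpasswd -a must run as root")
        for argv in cmds:
            subprocess.run(argv, check=True)
    return cmds


if __name__ == "__main__":
    for argv in provision("ws01.example.com", machine=True, dry_run=True):
        print(" ".join(argv))
```

Run it as root without dry_run to actually create the accounts; the dry run prints the exact commands so you can compare them with what adduser or vipw would do on your platform.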

Win2k setup

Now you can go round your Windows machines and make them domain members. Windows 95/98/ME should pose no problem, since they do not need machine accounts; just make sure they use encrypted passwords (see the Samba documentation for more).

To add a Windows NT or 2000 machine to the domain, you must be logged in as the local administrator. First make sure that the machine's NetBIOS name is exactly the same as the machine account you created on the Samba server (the account name minus the trailing $).

Then open the computer's properties (right-click My Computer), select the Network Identification tab, click the Properties button, select Domain and enter your domain name (the workgroup from smb.conf). Click OK.

You will be prompted for a domain administrator user name and password: enter root as the user name and the Samba password of root (the one you set with smbpasswd -a root). Note that this root smbpasswd entry is what joins machines to the domain, so treat it as the domain administrator password. After a while you will see the message "Welcome to domain".

Now reboot and try to log in to the domain as a normal domain user.
Creating shares
To create Samba shares, edit smb.conf. Do not forget to specify the allowed users and the file and directory masks:
Code:
; share for user data
[data]
path = /home/samba/data
writeable = yes
create mode = 0750
directory mode = 0750
valid users = root @smbusers
; public (guest ok) must stay off, otherwise this share would contradict the global no-guest policy
public = no

Note: Run testparm to check smb.conf for errors, then restart the Samba daemons (smbd and nmbd) after editing smb.conf so the change takes effect.
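To check a configuration like the one in this howto before restarting Samba, here is an added example (editor's code, not from the howto or the Samba project): a small Python audit that parses smb.conf, folds Samba's parameter synonyms (public/guest ok, writeable/writable, create mode/create mask, browsable/browseable) onto one name, and reports the settings a PDC setup like the one above depends on. SAMPLE_CONF is a constructed, abbreviated copy of the howto's configuration, deliberately including a [data] share with public = yes so the guest-access check fires; the checks themselves are the editor's, not Samba's.

```python
"""Audit the security-relevant settings of an smb.conf for a Samba PDC.

Added example (editor's code); SAMPLE_CONF is a constructed test input.
"""
import re
from collections import OrderedDict

# Samba accepts several spellings for one parameter; map each to one name so a
# check on "guest ok" cannot be sidestepped by writing "public".
SYNONYMS = {
    "public": "guest ok",
    "writable": "writeable",
    "write ok": "writeable",
    "browsable": "browseable",
    "create mode": "create mask",
    "directory mode": "directory mask",
}
SPECIAL_SECTIONS = ("global", "homes", "printers")


def parse_smb_conf(text):
    """Parse smb.conf text into {section: {parameter: value}}.

    Blank lines and ';' or '#' comments are skipped; parameter names are
    lower-cased and whitespace-normalised, as Samba compares them that way.
    """
    conf = OrderedDict()
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue
        m = re.match(r"^\[(.+)\]$", line)
        if m:
            section = m.group(1).strip().lower()
            conf.setdefault(section, OrderedDict())
            continue
        if section is None or "=" not in line:
            continue
        key, _, value = line.partition("=")
        key = " ".join(key.lower().split())
        conf[section][SYNONYMS.get(key, key)] = value.strip()
    return conf


def is_yes(value):
    return value is not None and value.strip().lower() in ("yes", "true", "1")


def audit(conf):
    """Return (section, message) findings for settings a PDC must get right."""
    findings = []
    g = conf.get("global", {})
    if g.get("security", "user").lower() != "user":
        findings.append(("global", "security = %s; a PDC needs security = user" % g["security"]))
    if "encrypt passwords" in g and not is_yes(g["encrypt passwords"]):
        findings.append(("global", "encrypt passwords = no; NT/2000 clients need encrypted passwords"))
    if g.get("admin users"):
        findings.append(("global", "admin users = %s acts as root on every share" % g["admin users"]))
    for key in ("netbios name", "workgroup"):
        if not g.get(key):
            findings.append(("global", "%s is not set" % key))
    if not is_yes(g.get("domain logons")):
        findings.append(("global", "domain logons = yes is required for a PDC"))
    for name, share in conf.items():
        if name in SPECIAL_SECTIONS:
            continue
        if is_yes(share.get("guest ok")):
            findings.append((name, "guest ok = yes (public) contradicts the no-guest-access policy"))
        if is_yes(share.get("writeable")):
            if not share.get("valid users"):
                findings.append((name, "writeable share without valid users"))
            if not share.get("create mask"):
                findings.append((name, "writeable share without create mask (Samba default 0744)"))
    netlogon = conf.get("netlogon")
    if netlogon is not None and is_yes(netlogon.get("writeable")):
        findings.append(("netlogon", "logon scripts run on every client; [netlogon] must be read-only"))
    return findings


# Constructed sample: an abbreviated form of the howto's configuration.
SAMPLE_CONF = """\
[global]
netbios name = PDC
workgroup = EXAMPLE
security = user
guest ok = no
encrypt passwords = yes
domain logons = yes
admin users = @wheel

[netlogon]
path = /home/samba/netlogon
writeable = no
valid users = root @smbusers

; share for user data
[data]
path = /home/samba/data
writeable = yes
create mode = 0750
directory mode = 0750
valid users = root @smbusers
public = yes
"""

if __name__ == "__main__":
    for section, message in audit(parse_smb_conf(SAMPLE_CONF)):
        print("[%s] %s" % (section, message))
```

Point parse_smb_conf at the contents of your real smb.conf (open(path).read()) to audit it; run testparm as well, since this script checks policy, not syntax.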
