You want a central login and authentication server on your network; you have either Windows hosts, or a mixed LAN of Windows and Linux hosts. You may also want this server to provide access to network resources, such as file shares and printers. You do not have a Windows domain controller or existing password server, but a mish-mash of peer networking plus sneakernet, or just shared Internet, so you are starting from scratch.
There are seven steps to building a Samba domain controller:
1. Install Samba.
2. Configure /etc/samba/smb.conf.
3. Create a Samba root user.
4. Create a group for machine accounts.
5. Join all Windows NT/200x/XP/Vista computers in the domain to the Samba server.
6. Create user accounts on both Linux and Samba.
7. Fire it up and connect clients for testing.
Here is a complete, basic /etc/samba/smb.conf for your new domain controller. Substitute your own workgroup name (which is the name of the primary domain), NetBIOS name, server string, and network IP:
[global]
    workgroup = bluedomain
    netbios name = samba1
    server string = Samba PDC
    domain master = yes
    os level = 64
    preferred master = yes
    domain logons = yes
    add machine script = /usr/sbin/useradd -s /bin/false -d /dev/null -g machines '%u'
    passdb backend = tdbsam
    security = user
    encrypt passwords = yes
    log file = /var/log/samba/log
    log level = 2
    max log size = 50
    hosts allow = 192.168.1.
    wins support = yes

[netlogon]
    comment = Network Logon Service
    path = /var/lib/samba/netlogon/
    browseable = No
    writable = No

[homes]
    comment = Home Directories
    valid users = %S
    browseable = No
    writable = Yes
Create /var/lib/samba/netlogon/ if it does not already exist:
# mkdir -m 0755 /var/lib/samba/netlogon/
Create a netlogon.bat script containing these lines to automatically mount shares on users' Windows PCs, and put it in /var/lib/samba/netlogon/, mode 0644. You may use any drive letter you like, as long as it doesn't conflict with users' existing drives:
## netlogon.bat
REM NETLOGON.BAT
net use z: \\linux\samba /yes
Save and close smb.conf, then run testparm to check for syntax errors:
# testparm
Load smb config files from /etc/samba/smb.conf
Loaded services file OK.
Server role: ROLE_DOMAIN_PDC
Server role: ROLE_DOMAIN_PDC is the line you want to see.
Fix syntax errors, if any, then restart Samba. (See Recipe 11.3 to learn how to start and stop Samba.)
Next, create a Samba root user account with smbpasswd. Do not use the same password as the Linux root user:
# smbpasswd -a root
New SMB password:
Retype new SMB password:
Added user root.
Then create a machines group:
# groupadd machines
You must now make the first domain logins from the Windows NT/200x/XP/Vista PCs as the Samba root user. Don't forget to do this, or your Windows NT/200x/XP/Vista users will not be able to log in to the domain. Log in as soon as possible to synchronize with the server, and to prevent someone else from possibly hijacking the account.
Finally, create Linux accounts on the Samba box for all users in the domain. This example disables Linux logins, so that users can access their home directories on the server only via Samba:
# useradd -m -s /bin/false foober
Then, use the Samba smbpasswd command to create Samba user accounts:
# smbpasswd -a foober
New SMB password:
Retype new SMB password:
Added user foober.
Be sure to give foober his new password. Yes, it's tedious. (Check the See Also section for tips for easing the process.)
Finally, start or restart Samba.
wins support = yes means Samba is the WINS server. You don't have to do anything other than add this line to smb.conf, and Samba will automatically keep a list of all NetBIOS names registered with it, acting as a DNS server for NetBIOS names. Remove it if there is already a WINS server on the network, because having two causes problems.
Users will have two home directories: one on their local PCs, and one on the Samba server. You can limit users' storage space on the Samba server in the usual manner, with the quota command. You may do away with home directories on the server entirely, but then you run the risk of some things not working right, like Kerberos if you ever implement it, or joining Samba to an Active Directory domain.
Machine Trust Accounts are user accounts owned by a single computer. The password of a Machine Trust Account acts as the shared secret for secure communication with the Domain Controller. This prevents an unauthorized machine from masquerading as that NetBIOS name and gaining access. A Windows 9x/ME host cannot possess a Machine Trust Account, so this opens a potential security hole in your domain (among many other potential security holes, such as the fact that multiple users on a Windows 9x/ME machine can freely access each other's files, and by default it caches passwords).
The add machine script directive simplifies creating machine accounts. Creating them manually is done this way, using the host "tinbox" as an example:
# useradd -g machines -d /dev/null -s /bin/false tinbox$
# smbpasswd -a -m tinbox
Note that the machine account is created with no login shell and a locked password, so it is impossible to log in to Linux using the machine account. This is an important security measure.
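The properties that make a machine account unusable for an interactive login (no-login shell, /dev/null home, locked Unix password, trailing "$") are easy to verify in bulk. The following audit is an added example, not the recipe's own code; the /etc/passwd and /etc/shadow lines, the machines GID 1003 and the list of no-login shells are constructed assumptions.

```python
# Added example, not from the recipe: audit machine trust accounts for the
# properties the recipe gives them (name ending in '$', primary group
# 'machines', home /dev/null, shell /bin/false, locked Unix password).
# The passwd/shadow lines, the machines GID and the no-login shell list
# are constructed assumptions, not values from the recipe.
NOLOGIN_SHELLS = ("/bin/false", "/usr/sbin/nologin", "/sbin/nologin")
MACHINES_GID = "1003"  # assumed GID of the 'machines' group

PASSWD = """root:x:0:0:root:/root:/bin/bash
foober:x:1001:1001::/home/foober:/bin/false
tinbox$:x:1002:1003::/dev/null:/bin/false
laptop7$:x:1004:1003::/home/laptop7$:/bin/bash
"""
SHADOW = """root:$6$constructed$hash:19000:0:99999:7:::
foober:$6$constructed$hash:19000:0:99999:7:::
tinbox$:!:19000:0:99999:7:::
laptop7$:$6$constructed$hash:19000:0:99999:7:::
"""

def parse_colon_file(text, fields):
    """Map the first field of each line to a dict of the named fields after it."""
    out = {}
    for line in text.splitlines():
        if line and not line.startswith("#"):
            parts = line.split(":")
            out[parts[0]] = dict(zip(fields, parts[1:]))
    return out

def audit_machine_accounts(passwd_text, shadow_text, machines_gid=MACHINES_GID):
    """Return {account: [findings]} for machine accounts that could be logged into."""
    passwd = parse_colon_file(passwd_text, ("pw", "uid", "gid", "gecos", "home", "shell"))
    shadow = parse_colon_file(shadow_text, ("hash",))
    findings = {}
    for name, p in passwd.items():
        if not (name.endswith("$") or p["gid"] == machines_gid):
            continue  # ordinary user, not a machine account
        issues = []
        if p["shell"] not in NOLOGIN_SHELLS:
            issues.append(f"usable login shell {p['shell']}")
        if p["home"] != "/dev/null":
            issues.append(f"real home directory {p['home']}")
        pw = shadow.get(name, {}).get("hash", "")
        if not pw or pw[0] not in "!*":
            issues.append("Unix password not locked (no leading '!' or '*')")
        if not name.endswith("$"):
            issues.append("name lacks the trailing '$' Samba expects")
        if issues:
            findings[name] = issues
    return findings
```

Run it against the real files with the GID from getent group machines; any account it reports can be used for a Linux login and should be fixed with usermod and passwd -l.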
You can easily add file and printer shares as you need, just like for any Samba server.
These are the directives that tell Samba it is a primary domain controller:
domain master = yes
os level = 64
preferred master = yes
domain logons = yes
The passdb backend = tdbsam directive selects the tdbsam database for storing user account information, rather than the default smbpasswd. The Samba team recommends using tdbsam over smbpasswd, which is being phased out. Don't confuse the smbpasswd database with the smbpasswd command—the smbpasswd command is used to manage user accounts with tdbsam and other supported databases.
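To confirm that a configuration still carries these PDC directives, the tdbsam backend, and the access-control settings from the smb.conf earlier in this recipe, here is an added example that is not part of the recipe or of Samba: a small Python checker that parses an smb.conf and reports settings that are missing or weakened. The required-directive list and the sample configuration are constructed from this recipe.

```python
# Added example (not from the recipe or the Samba project): parse an smb.conf
# ([section] headers, "key = value" lines, ';'/'#' comment lines) and report
# the PDC settings from this recipe that are missing or weakened.
REQUIRED_GLOBAL = {  # what the recipe sets to make Samba a PDC on tdbsam
    "domain master": "yes", "preferred master": "yes", "domain logons": "yes",
    "security": "user", "passdb backend": "tdbsam", "encrypt passwords": "yes"}
YES = ("yes", "true", "1")
RECIPE_CONF = """[global]
domain master = yes
preferred master = yes
domain logons = yes
security = user
passdb backend = tdbsam
encrypt passwords = yes
hosts allow = 192.168.1.
[netlogon]
writable = No
"""  # constructed sample: the recipe's [global] essentials, read-only [netlogon]

def parse_smb_conf(text):  # -> {section: {directive: value}}, keys lower-cased
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            conf.setdefault(section, {})
        elif "=" in line and section is not None:
            key, val = line.split("=", 1)
            conf[section][" ".join(key.lower().split())] = val.strip()
    return conf

def check_pdc(conf):
    """Return a list of problems; empty means the recipe's PDC settings are present."""
    g, problems = conf.get("global", {}), []
    for key, want in REQUIRED_GLOBAL.items():
        got = g.get(key)
        if got is None:
            problems.append(f"missing '{key} = {want}'")
        elif got.lower() != want:
            problems.append(f"'{key}' is '{got}', expected '{want}'")
    if "hosts allow" not in g:
        problems.append("no 'hosts allow': hosts on any network may connect")
    nl = conf.get("netlogon", {})
    # 'writable' and 'read only' are inverse synonyms; shares are read-only by default
    if nl.get("writable", "no").lower() in YES or nl.get("read only", "yes").lower() not in YES:
        problems.append("[netlogon] is writable: users could alter netlogon.bat")
    return problems
```

Feed it the output of testparm -s rather than the raw file if you want Samba's own normalisation applied first.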
Any users that you add with smbpasswd must already have system accounts on the Samba server. If they are not in /etc/passwd, you will get this error:
Failed to initialise SAM_ACCOUNT for user foo.
Failed to modify password entry for user foo
Remember, There Can Be Only One—don't put two primary domain controllers (PDCs) on the same domain, or nothing will work right. You may have multiple Samba servers, but only one PDC.
man 8 useradd
man 1 passwd
man 5 smb.conf is thorough and understandable—keep it close to your Samba server; be sure to review it for the configuration defaults
Recipe 8.17, Recipe 8.18, and Recipe 8.19 in Linux Cookbook, by Carla Schroder (O'Reilly) explain how to automate adding Linux system users. Be sure to check out the wonderful mass_useradd and mass_passwd scripts.
Chapter 23, "File and Printer Sharing, and Domain Authentication with Samba," in Linux Cookbook
Chapter 4, "Domain Control," in The Official Samba-3 HOWTO and Reference Guide (http://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/)