# Setting up a domain controller with Samba

I occasionally have to set up a domain controller using Samba. There are a lot of guides and howtos available, but I made a step-by-step howto just for myself, and I thought it would be smart to put it on the internet so I can access it from anywhere.

These commands have only been tested on Debian. Some distros may do things a little differently, especially when it comes to adding or modifying users and groups.

• Create a Unix group for ntadmins (the group that will be mapped to the Windows "Domain Admins" group):
# groupadd ntadmins
• And add root to that group:
# usermod --append --groups ntadmins root
• Add the root user to the Samba users. root is the account you will use to administer the domain (joining machines and so on), and its Samba password is stored separately in Samba's own password database, so use a different password from the Unix root password:
# smbpasswd -a root
• Map the well-known Windows groups to Unix groups (the RID is important: Windows clients identify these groups by their well-known RIDs, 513 for Domain Users and 514 for Domain Guests, not by their names):
# net groupmap add ntgroup="Domain Users" unixgroup=users rid=513 type=d
# net groupmap add ntgroup="Domain Guests" unixgroup=nobody rid=514 type=d
• Add normal user accounts which can log in to the domain (without home dirs or shells), and give each of them a Samba password with smbpasswd -a:
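All of the steps above in one script, as an added example that is not part of the original post. It assumes Debian's shadow-utils commands (groupadd, usermod, useradd) and Samba's smbpasswd and net are in PATH and that it runs as root. It also adds the mapping of ntadmins to the well-known "Domain Admins" group (RID 512), which the post creates the group for but does not show; the DRY_RUN switch, the nologin shell and the user names passed on the command line are my additions for illustration.

```sh
#!/bin/sh
# pdc-setup.sh: account and group setup for a Samba NT4-style PDC on Debian.
# Added example, not from the original post. Assumes groupadd/usermod/useradd
# (shadow-utils), smbpasswd and net are in PATH and that it runs as root.
# DRY_RUN=1 prints the commands (each argument single-quoted) instead of
# executing them.

run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        for a in "$@"; do printf "'%s' " "$a"; done; echo
    else
        "$@"
    fi
}

# Unix group that will be mapped to "Domain Admins"; root joins it so the
# Samba admin account is a domain admin. groupadd is skipped on a re-run.
setup_admin_group() {
    getent group ntadmins >/dev/null 2>&1 || run groupadd ntadmins
    run usermod --append --groups ntadmins root
}

# Samba password for root: stored separately from, and different to, the Unix one.
setup_samba_root() {
    run smbpasswd -a root
}

# Windows clients identify these groups by their well-known RIDs, not by
# name, so the rid= values must be exactly 512, 513 and 514.
setup_groupmaps() {
    run net groupmap add ntgroup="Domain Admins" unixgroup=ntadmins rid=512 type=d
    run net groupmap add ntgroup="Domain Users"  unixgroup=users    rid=513 type=d
    run net groupmap add ntgroup="Domain Guests" unixgroup=nobody   rid=514 type=d
}

# A domain user who can log on to the domain but not to the Unix box itself:
# no home directory, no usable shell, plus a Samba password.
add_domain_user() {
    run useradd --no-create-home --shell /usr/sbin/nologin "$1"
    run smbpasswd -a "$1"
}

pdc_setup() {
    setup_admin_group
    setup_samba_root
    setup_groupmaps
    for u in "$@"; do add_domain_user "$u"; done
}

# Usage: DRY_RUN=1 sh pdc-setup.sh alice bob   (drop DRY_RUN to really do it)
case "$0" in *pdc-setup.sh) pdc_setup "$@" ;; esac
```

Run it once with DRY_RUN=1 first and read the printed commands; smbpasswd -a prompts for each password interactively, so the real run is not something to put in cron.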

The following is an example config file, with some comments:

[global]
; When using domains, the workgroup is the domain name
workgroup = my_domain
server string = my_server (Samba server %v)
security = USER
os level = 65
domain master = yes
local master = yes
preferred master = yes
domain logons = yes
panic action = /usr/share/samba/panic-action %d
guest account = samba
log file = /var/log/samba/log.%m
max log size = 1000
syslog = 0
dns proxy = no

; Location of NT/2000/XP profiles. %L expands to the server name, %U to the
; session user name (%u is the user of the current service, which is not
; defined yet at logon time, so %U is the right one here). You may also want
; to put in %m, which expands to the client machine name, to have a separate
; profile for each machine. With only identical machines a "roaming" profile
; is useful, but you can imagine what happens when you log in on a Windows
; 2000 machine with a profile that actually belongs to a Windows XP machine...
; or even simply on machines with different versions of software packages installed.
logon path = \\%L\profiles\%m\%U
; logon path = \\%L\profiles\%U ; without the machine name: one roaming profile per user
; The logon script name is relative to the path of the [netlogon] share below.
logon script = netlogon.bat

time server = yes

; I don't let useradd create home dirs. I prefer to do that myself.
; I intentionally leave out -r (remove home dir) from userdel because I don't
; want to accidentally remove home dirs when I happen to remove domain users
; which are also Unix users. It also means that if a user is recreated,
; its data is accessible again.
delete user script = /usr/sbin/userdel %u
delete group script = /usr/sbin/groupdel %g
add user to group script = /usr/sbin/usermod -a -G %g %u
; Removing a user from a group: on Debian, gpasswd -d (from the passwd
; package) does exactly that; "deluser %u %g" works as well.
delete user from group script = /usr/bin/gpasswd -d %u %g

[netlogon]
; You can add netlogon.bat here, the logon script executed by the client.
path = /var/lib/samba/netlogon
writable = no
browsable = no

[profiles]
; This path must be writable by every domain user, since each one creates its
; own profile directory in it. Use chmod 1777 rather than 777: the sticky bit
; stops users from deleting or renaming each other's profile directories.
path = /home/samba-nt-profiles/
browsable = no
writable = yes
; You can choose to make the files and directories created here 0660 and 0770
; (create mask = 0660, directory mask = 0770). If you force group = samba and
; put all your Samba users in that group, that can be convenient. It is a must
; when you have the machine name in the profile path: otherwise the %m directory
; is created by, and only writable for, the first user who logs in on that
; machine, and nobody else can log in there.
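The permission point in the comments above, as an added example that is not part of the original post: a script that creates the directory tree behind the [profiles] share for logon path = \\%L\profiles\%m\%U and checks it. It assumes GNU find and chmod (as on Debian), takes the share root and the group name from the smb.conf above, and uses "butter" as a constructed machine name.

```sh
#!/bin/sh
# Added example, not from the original post: create and audit the profiles
# tree for "logon path = \\%L\profiles\%m\%U". Assumes GNU find/chmod.
# Share root /home/samba-nt-profiles and group "samba" come from the smb.conf
# above; the machine name "butter" is made up for this example.

# Returns 0 when a directory can hold profiles safely: it must be group- or
# world-writable (users create their own profile directories in it), and if
# it is world-writable it must carry the sticky bit, so that one user cannot
# delete or rename another user's profile.
profile_dir_ok() {
    d=$1
    [ -d "$d" ] || return 1
    [ -n "$(find "$d" -maxdepth 0 \( -perm -0020 -o -perm -0002 \))" ] || return 1
    [ -z "$(find "$d" -maxdepth 0 -perm -0002 ! -perm -1000)" ]
}

# The share root: 1777 rather than the 777 suggested in the comment above.
# Same access for everyone, but only the owner of an entry can remove it.
setup_profiles_root() {
    root=$1 group=$2
    mkdir -p "$root"
    chgrp "$group" "$root"
    chmod 1777 "$root"
}

# With the machine name in the path, the %m directory is otherwise created by
# the first user who logs on to that machine, owned by that user, so the next
# user cannot create a profile inside it. Pre-creating it group-owned by the
# samba group with mode 1770 (the same effect as "force group = samba" plus
# "directory mask = 0770") fixes that.
add_machine_profile_dir() {
    root=$1 machine=$2 group=$3
    mkdir -p "$root/$machine"
    chgrp "$group" "$root/$machine"
    chmod 1770 "$root/$machine"
}

# Report the share root and every machine directory that fails the check.
# Per-user profile directories one level deeper are private to their owner
# and are deliberately not inspected.
audit_profiles() {
    find "$1" -maxdepth 1 -type d | while read -r d; do
        profile_dir_ok "$d" || printf 'BAD %s\n' "$d"
    done
}

# Usage (as root):
#   setup_profiles_root /home/samba-nt-profiles samba
#   add_machine_profile_dir /home/samba-nt-profiles butter samba
#   audit_profiles /home/samba-nt-profiles
```

Run audit_profiles after every chmod you do by hand on that tree; a plain 777 on the root is the classic mistake, and it is exactly what the check flags.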


The user and group scripts are for when a domain admin creates or removes users from a Windows client. The only one I have needed in practice, it would seem, is the add machine script. When I join a machine called "butter" to the domain, this script automatically creates a machine account called "butter$" (note the trailing dollar sign) in /etc/passwd, and the machine can log in.

An example command to put in netlogon.bat (the logon script the client runs from the [netlogon] share) is:

net use o: "\\server\networkshare"


The reason is obvious, I would say :).

An example network share accessible to anyone is below. Note that guest ok = yes means no authentication at all: anyone who can reach the server on the network can read and write here, so only use this for data that really is for everyone.

[our_documents]
comment = Central storage for all our documents
path = /home/samba-our-documents
; no password needed: anonymous users are mapped to the guest account (samba)
guest ok = yes
writeable = yes
browseable = yes
; files and directories end up group-owned by samba, whoever creates them
force group = samba


And a network share for an individual domain user with full access for that user, but read-only for the rest (assuming the Unix and Samba user is called john):

[Johns_documents]
path = /home/samba-john-documenten
; anyone may connect and read, even without a password
guest ok = yes
; Samba-side enforcement: read-only for everybody except the users in the
; write list. With writeable = yes instead, Samba itself lets everyone write,
; and "read-only for the rest" then depends entirely on the Unix permissions
; of the directory (owner john, mode 0755 or similar).
read only = yes
write list = john
browseable = yes
force group = samba
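To see which shares on a server are open to anonymous writes, here is an added example (my code, not from the original post) that reads an smb.conf and prints every share combining guest ok with write access, taking Samba's synonyms (public, writable, writeable, write ok, read only) into account. The sample smb.conf embedded in it is constructed for the example: it reuses the share names from this post, and the extra [scratch] share is invented to show the synonyms.

```sh
#!/bin/sh
# Added example, not from the original post: list shares that anonymous
# (guest) users can write to. Assumes a POSIX awk (mawk/gawk on Debian).

# Print the names of guest-writable shares in the given smb.conf.
# A share counts when guest ok/public is on and the share is writable, either
# through writeable/writable/write ok = yes or read only = no (the default is
# read only = yes). write list is not considered: a read-only share with a
# write list is writable only for the listed users.
anon_writable_shares() {
    awk '
    function truthy(v) { return (v == "yes" || v == "true" || v == "1") ? "yes" : "no" }
    function flush() {
        if (share != "" && share != "global" && guest == "yes" && writable == "yes") print share
    }
    /^[ \t]*[;#]/ { next }                       # comment line
    /^[ \t]*\[/ {                                # [section]
        flush()
        share = $0; sub(/^[ \t]*\[/, "", share); sub(/].*$/, "", share)
        guest = "no"; writable = "no"             # Samba defaults
        next
    }
    index($0, "=") > 0 {                         # key = value
        key = $0; sub(/[=].*/, "", key); gsub(/^[ \t]+|[ \t]+$/, "", key); key = tolower(key)
        val = $0; sub(/^[^=]*[=]/, "", val); gsub(/^[ \t]+|[ \t]+$/, "", val); val = tolower(val)
        if (key == "guest ok" || key == "public") guest = truthy(val)
        if (key == "writeable" || key == "writable" || key == "write ok") writable = truthy(val)
        if (key == "read only") writable = (truthy(val) == "yes") ? "no" : "yes"
    }
    END { flush() }
    ' "$1"
}

# Constructed sample configuration for this example (not the full file above).
sample_smb_conf() {
    cat <<'EOF'
[global]
   workgroup = my_domain
   security = USER
[netlogon]
   path = /var/lib/samba/netlogon
   writable = no
[profiles]
   path = /home/samba-nt-profiles/
   writable = yes
[our_documents]
   path = /home/samba-our-documents
   guest ok = yes
   writeable = yes
[Johns_documents]
   path = /home/samba-john-documenten
   guest ok = yes
   read only = yes
   write list = john
[scratch]
   ; synonyms mean the same thing to Samba
   public = true
   read only = no
EOF
}

# Run the audit over the sample; prints "our_documents" and "scratch".
audit_demo() {
    f=$(mktemp)
    sample_smb_conf > "$f"
    anon_writable_shares "$f"
    rm -f "$f"
}

# Usage: anon_writable_shares /etc/samba/smb.conf
```

The two shares it reports are the ones where force group = samba is the only thing shaping what anonymous users leave behind; [profiles] is writable but not guest-accessible, and [Johns_documents] is guest-readable but only john can write.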


I believe this is it. I will update the post with relevant info in the future.

1. Comment by Velu G
On July 22, 2008 at 16:57

Hi,

i want to configure the linux domain server,
I need a howto for configuring Samba and setting up a domain controller, and which version can I use: Red Hat, Fedora, or CentOS? Kindly advise on this requirement; it would be helpful.

2. Comment by halfgaar
On September 24, 2008 at 13:19

Whoops, I never saw this comment…

Your question is kind of general. Any Linux distribution can be used, but I recommend one which doesn’t update its software all the time, such as Gentoo. A domain controller is something that once it works, should mostly be left untouched.

3. Comment by anil
On January 20, 2010 at 15:47

hi
I am configuring a Samba domain server, but a Windows XP machine is unable to be added to the domain controller; it shows the following error message:
Note: This information is intended for a network administrator. If you are not your network’s administrator, notify the administrator that you received this information, which has been recorded in the file C:\WINDOWS\debug\dcdiag.txt.

The following error occurred when DNS was queried for the service location (SRV) resource record used to locate a domain controller for domain netdruid.com:

The error was: “DNS name does not exist.”
(error code 0x0000232B RCODE_NAME_ERROR)

The query was for the SRV record for _ldap._tcp.dc._msdcs.netdruid.com

Common causes of this error include the following:

– The DNS SRV record is not registered in DNS.

– One or more of the following zones do not include delegation to its child zone:

netdruid.com
com
. (the root zone)