I occasionally have to set up a domain controller using Samba. There are a lot of guides and how-tos available, but I made a step-by-step howto just for myself, and I thought it’d be smart to make it available on the internet so I can access it anywhere.
These commands have only been tested on Debian. Some distros may do things a little differently, especially when it comes to adding/modifying users and groups.
Create a Unix group for ntadmins:
# groupadd ntadmins
And assign root to that group:
# usermod --append --groups ntadmins root
Add the root user to the Samba users (use a different password than the Unix root password!):
# smbpasswd -a root
Map Samba groups (the RID is important!):
# net groupmap add ntgroup="Domain Admins" unixgroup=ntadmins rid=512 type=d
# net groupmap add ntgroup="Domain Users" unixgroup=users rid=513 type=d
# net groupmap add ntgroup="Domain Guests" unixgroup=nobody rid=514 type=d
Add normal user accounts which can log in on the domain controller (without home dirs or shells):
# useradd -d /dev/null -s /bin/false example_username
# smbpasswd -a example_username
When adding a machine to the domain, it will ask for a username and password. Use the root account you’ve added to the Samba users here. The normal user accounts are for after the machine has successfully been added to the domain and asks for a user login.
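As an added check that is not part of the original post, the following Python script verifies the outcome of the steps above offline: it parses a constructed copy of the output of net groupmap list and a constructed /etc/group excerpt, confirms that the well-known RIDs 512/513/514 map to the Unix groups used here, and confirms that root is in the admin group. The sample output, including the domain SID in it, is constructed; on a real box feed it the real output instead.

```python
import re

# Well-known RIDs a Windows domain expects, mapped to the unix groups used in the howto.
EXPECTED_MAPPINGS = {512: "ntadmins", 513: "users", 514: "nobody"}

# Constructed sample of `net groupmap list` output; the domain SID is a placeholder.
SAMPLE_GROUPMAP = """\
Domain Admins (S-1-5-21-111-222-333-512) -> ntadmins
Domain Users (S-1-5-21-111-222-333-513) -> users
Domain Guests (S-1-5-21-111-222-333-514) -> nobody
"""

# Constructed /etc/group excerpt after `usermod --append --groups ntadmins root`.
SAMPLE_ETC_GROUP = """\
ntadmins:x:1001:root
"""

# "<NT group> (<SID>-<RID>) -> <unix group>"; the RID is the last SID component.
LINE_RE = re.compile(r"^(?P<nt>.+?) \(S-\d+(?:-\d+)*-(?P<rid>\d+)\) -> (?P<unix>\S+)$")


def parse_groupmap(text):
    """Return {rid: (nt_group, unix_group)} parsed from `net groupmap list` output."""
    mapping = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            mapping[int(m["rid"])] = (m["nt"], m["unix"])
    return mapping


def members_of(etc_group, group):
    """Supplementary members of a group, read from /etc/group content."""
    for line in etc_group.splitlines():
        fields = line.split(":")
        if len(fields) == 4 and fields[0] == group:
            return set(filter(None, fields[3].split(",")))
    return set()


def check_domain_groups(groupmap_text, etc_group_text):
    """Return a list of problems; an empty list means the groundwork matches the howto."""
    problems = []
    mapping = parse_groupmap(groupmap_text)
    for rid, unix_group in EXPECTED_MAPPINGS.items():
        if rid not in mapping:
            problems.append(f"RID {rid} has no group mapping")
        elif mapping[rid][1] != unix_group:
            problems.append(f"RID {rid} maps to {mapping[rid][1]}, expected {unix_group}")
    if "root" not in members_of(etc_group_text, EXPECTED_MAPPINGS[512]):
        problems.append("root is not a member of the Domain Admins unix group")
    return problems
```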
The following is an example config file, with some comments:
[global]
; When using domains, the workgroup is the domain name
workgroup = my_domain
server string = my_server (Samba server %v)
security = USER
encrypt passwords = true
os level = 65
domain master = yes
local master = yes
preferred master = yes
domain logons = yes
panic action = /usr/share/samba/panic-action %d
guest account = samba
log file = /var/log/samba/log.%m
max log size = 1000
syslog = 0
dns proxy = no
; Location of NT/2000/XP profiles. %L expands to the servername, %u to the user.
; You may also want to put in %m, which expands to the machine name, to have a
; separate account for each machine. With only identical machines, it's useful to have
; a "roaming" profile, but you can imagine what happens when you login on a Windows
; 2000 machine with an account that actually belongs to a Windows XP machine...
; or, even simply on machines with different versions of software packages installed.
; update: I think it should actually be %U. And, you may want the machine name in the path:
logon path = \\%L\profiles\%m\%U
; logon path = \\%L\profiles\%u ; old one, before update.
logon script = logon.bat
time server = yes
; I don't let useradd create home dirs. I prefer to do that myself.
add user script = /usr/sbin/useradd -d /dev/null -s /bin/false %u
; I intentionally leave out -r (remove home dir) because I don't accidentally
; want to remove home dirs when I happen to remove domain users
; which are also unix users. Also, it means that if a user is recreated,
; its data is accessible again.
delete user script = /usr/sbin/userdel %u
add group script = /usr/sbin/groupadd %g
delete group script = /usr/sbin/groupdel %g
add user to group script = /usr/sbin/usermod -a -G %g %u
; how does one delete a user from a group...? There doesn't seem
; to be a command for that...
;delete user from group script = /usr/sbin/ %u %g
add machine script = /usr/sbin/useradd -s /bin/false -d /dev/null %u

[netlogon]
; You can add netlogon.bat here, the logon script executed by the client.
path = /var/lib/samba/netlogon
writable = no
browsable = no

[profiles]
; This path should be chmod 777
path = /home/samba-nt-profiles/
browsable = no
writable = yes
; You can choose to make these 0660 and 0770. If you force group = samba and put all
; your samba users in it, that can be convenient. It is a must when you have the machine
; name in the profile path, otherwise, only the first user can login on a machine.
create mask = 0600
directory mask = 0700
The useradd commands are for when a domain admin asks for users to be created and such. The only one I’ve needed in practice, it would seem, is the add machine script. When I add a machine called “butter” to the domain controller, this command will automatically create a user called “$butter” in your /etc/passwd, and the machine can login.
An example command to put in the netlogon.bat, is:
net use o: "\\server\networkshare"
The reason is obvious, I would say :).
An example network share accessible to anyone is:
[our_documents]
comment = Central storage for all our documents
path = /home/samba-our-documents
guest ok = yes
writeable = yes
browseable = yes
force group = samba
create mask = 0660
directory mask = 0770
And, a network share for an individual domain user with full access for that user, but read-only to the rest:
[Johns_documents]
path = /home/samba-john-documenten
guest ok = yes
writeable = yes
browseable = yes
force group = samba
create mask = 0640
directory mask = 0750
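To catch the points a reviewer would look at in the config file above and in the two share examples, here is an added Python audit that is not from the post: it loads a constructed, trimmed excerpt of this smb.conf with configparser, checks the [global] settings a domain controller needs, flags shares that are both guest ok and writeable (anyone on the network can write to them without a domain account), and applies the post's own caveat that a logon path containing %m needs force group on the [profiles] share. The finding texts and the check names are my own.

```python
import configparser

# Required [global] settings for an NT4-style domain controller (values compared lowercased).
REQUIRED_GLOBAL = {"security": "user", "domain logons": "yes", "domain master": "yes"}

# Constructed excerpt of the post's smb.conf; comments and most options are omitted.
SAMPLE_SMB_CONF = r"""[global]
workgroup = my_domain
security = USER
domain master = yes
domain logons = yes
logon path = \\%L\profiles\%m\%U

[profiles]
path = /home/samba-nt-profiles/
writable = yes

[our_documents]
path = /home/samba-our-documents
guest ok = yes
writeable = yes
force group = samba
"""


def _yes(value):
    return str(value).strip().lower() in ("yes", "true", "1")


def share_is_writable(section):
    # Samba accepts both spellings; "read only = no" is a third synonym.
    return (_yes(section.get("writable", "no")) or _yes(section.get("writeable", "no"))
            or section.get("read only", "yes").strip().lower() == "no")


def audit_smb_conf(text):
    """Return a list of findings for the config text; an empty list means nothing to report."""
    cp = configparser.ConfigParser(interpolation=None)  # smb.conf values use %v, %m, %U ...
    cp.read_string(text)
    findings = []
    g = cp["global"] if cp.has_section("global") else {}
    for key, want in REQUIRED_GLOBAL.items():
        if g.get(key, "").strip().lower() != want:
            findings.append(f"[global] {key} should be {want}")
    for name in cp.sections():
        if name != "global" and _yes(cp[name].get("guest ok", "no")) and share_is_writable(cp[name]):
            findings.append(f"[{name}] is writable without any domain account (guest ok + writeable)")
    # The post's own caveat: a per-machine profile path only works with a forced group.
    if "%m" in g.get("logon path", "") and cp.has_section("profiles") and "force group" not in cp["profiles"]:
        findings.append("[profiles] needs force group when logon path contains %m")
    return findings
```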
I believe this is it. I will update the post with relevant info in the future.
Hi,
I want to configure a Linux domain server.
I need a how-to for configuring Samba, how to set it up as a domain controller, and which version I can use: Red Hat, Fedora, or CentOS… Kindly advise on this requirement… It would be helpful.
Whoops, I never saw this comment…
Your question is kind of general. Any Linux distribution can be used, but I recommend one which doesn’t update its software all the time, such as Gentoo. A domain controller is something that once it works, should mostly be left untouched.
I advise looking for other documentation, as that is much more informative.
Hi,
I am configuring a Samba domain server, but a Windows XP machine is unable to be added to the domain controller and shows the following error message:
Note: This information is intended for a network administrator. If you are not your network’s administrator, notify the administrator that you received this information, which has been recorded in the file C:\WINDOWS\debug\dcdiag.txt.
The following error occurred when DNS was queried for the service location (SRV) resource record used to locate a domain controller for domain netdruid.com:
The error was: “DNS name does not exist.”
(error code 0x0000232B RCODE_NAME_ERROR)
The query was for the SRV record for _ldap._tcp.dc._msdcs.netdruid.com
Common causes of this error include the following:
– The DNS SRV record is not registered in DNS.
– One or more of the following zones do not include delegation to its child zone:
netdruid.com
com
. (the root zone)
So please help me with how to solve this problem.
I’m sorry, but I can’t really comment on your situation, it’s too specific.
The DNS issue can be resolved by adding the IP and the hostname in the /etc/hosts file.
Hope this helps.