Skip to content

Setting up a domaincontroller with Samba

I occasionally have to set up a domain controller using Samba. There are a lot of guides and howto’s available, but I made a step-by-step howto just for myself, and I thought it’d be smart to make it available on the internet for me to access anywhere.

These commands have only been tested on Debian. Some distro’s may do thing a little differently, especially when it comes to adding/modifying users and groups.

  • Create a Unix group for ntadmins:
    # groupadd ntadmins
  • And assign root to that group:
    # usermod –append –groups ntadmins root
  • Add the root user to the smb users (use a different password than the Unix root password!):
    # smbpasswd -a root
  • Map Samba groups (the rid is important!):
    # net groupmap add ntgroup=”Domain Admins” unixgroup=ntadmins rid=512 type=d
    # net groupmap add ntgroup=”Domain Users” unixgroup=users rid=513 type=d
    # net groupmap add ntgroup=”Domain Guests” unixgroup=nobody rid=514 type=d
  • Add normal user accounts which can login in the domain controller (without home dirs or shells):
    # useradd -d /dev/null -s /bin/false example_username
    # smbpasswd -a example_username

When adding a machine to the domain, it will ask for a username and password. Use the root username you’ve added to smbusers here. The normal user accounts are for when the machine is successfully added to the domain, and asks for user login.

The following is an example config file, with some comments:

  ; When using domains, the workgroup is the domain name
  workgroup = my_domain
  server string = my_server (Samba server %v)
  security = USER
  encrypt passwords = true
  os level = 65
  domain master = yes
  local master = yes
  preferred master = yes
  domain logons = yes
  panic action = /usr/share/samba/panic-action %d
  guest account = samba
  log file = /var/log/samba/log.%m
  max log size = 1000
  syslog = 0
  dns proxy = no

  ; Location of NT/2000/XP profiles. %L expands to the servername, %u to the user.
  ; You may also want to put in %m, which expands to the machine name, to have a 
  ; separate account for each machine. With only identical machines, it's useful to have
  ; a "roaming" profile, but you can imagine what happens when you login on a Windows 
  ; 2000 machine with an account that actually belongs to a Windows XP machine...
  ; or, even simply on machines with different versions of software packages installed.
  ; update: I think it should actually be %U. And, you may want the machine name in the path:
  logon path = \\%L\profiles\%m\%U
  ; logon path = \\%L\profiles\%u ; old one, before update.
  logon script = logon.bat

  time server = yes

  ; I don't let useradd create home dirs. I prefer to do that myself. 
  add user script = /usr/sbin/useradd -d /dev/null -s /bin/false %u
  ; I intentionally leave out -r (remove home dir) because I don't accidentally
  ; want to remove home dirs when I happen to remove domain users 
  ; which are also unix users. Also, it means that if a user is recreated, 
  ; its data is accessible again.
  delete user script = /usr/sbin/userdel %u
  add group script = /usr/sbin/groupadd %g
  delete group script = /usr/sbin/groupdel %g
  add user to group script = /usr/sbin/usermod -a -G %g %u
  ; how does one delete a user from a group...? There doesn't seem 
  ; to be a command for that...
  ;delete user from group script = /usr/sbin/ %u %g
  add machine script = /usr/sbin/useradd -s /bin/false -d /dev/null %u

  ; You can add netlogon.bat here, the logon script executed by the client.
  path = /var/lib/samba/netlogon
  writable = no
  browsable = no

  ; This path should be chmod 777
  path = /home/samba-nt-profiles/
  browsable = no
  writable = yes
  ; You can choose to make these 0660 and 0770. If you force group = samba and put all your samba users in it, that can be convenient. It is a must when you have the machine name in the profile path, otherwise, only the first user can login on a machine.
  create mask = 0600
  directory mask = 0700

The useradd commands are for when a domain admin asks for users to be created and such. The only one I’ve needed in practice, it would seem, is the add machine script. When I add a machine called “butter” to the domain controller, this command will automatically create a user called “$butter” in your /etc/passwd, and the machine can login.

An example command to put in the netlogon.bat, is:

net use o: "\\server\networkshare"

The reason is obvious, I would say :).

An example network share accessible to anyone is:

  comment = Central storage for all our documents
  path = /home/samba-our-documents
  guest ok = yes
  writeable = yes
  browseable = yes
  force group = samba
  create mask = 0660
  directory mask = 0770

And, a network share for an individual domain user with full access for that user, but read-only to the rest:

  path = /home/samba-john-documenten
  guest ok = yes
  writeable = yes
  browseable = yes
  force group = samba
  create mask = 0640
  directory mask = 0750

I believe this is it. I will update the post with relevant info in the future.

5 Comments ( Add comment / trackback )

  1. (permalink)
    Comment by Velu G
    On July 22, 2008 at 16:57


    i want to configure the linux domain server,
    I need a how to configure samba, and how to setup for domain controller, and which version,i can use it redhat, fedora , or centOS…kindly advise on this requirement…its a helpfull..

  2. (permalink)
    Comment by halfgaar
    On September 24, 2008 at 13:19

    Whoops, I never saw this comment…

    Your question is kind of general. Any Linux distribution can be used, but I recommend one which doesn’t update its software all the time, such as Gentoo. A domain controller is something that once it works, should mostly be left untouched.

    I advise looking for other documentation, as that is much more informative.

  3. (permalink)
    Comment by anil
    On January 20, 2010 at 15:47

    i am configure samba domain server but window xp machine unable add to domain controller show following error message
    Note: This information is intended for a network administrator. If you are not your network’s administrator, notify the administrator that you received this information, which has been recorded in the file C:\WINDOWS\debug\dcdiag.txt.

    The following error occurred when DNS was queried for the service location (SRV) resource record used to locate a domain controller for domain

    The error was: “DNS name does not exist.”
    (error code 0x0000232B RCODE_NAME_ERROR)

    The query was for the SRV record for

    Common causes of this error include the following:

    – The DNS SRV record is not registered in DNS.

    – One or more of the following zones do not include delegation to its child zone:
    . (the root zone)

    so please help me how to solve this problem

  4. (permalink)
    Comment by halfgaar
    On January 26, 2010 at 20:31

    I’m sorry, but I can’t really comment on your situation, it’s too specific.

  5. (permalink)
    Comment by dave bamford
    On February 2, 2010 at 14:14

    Th DNS issue can be resolved by adding the ip and the hostname in the /etc/hosts file
    hope this helps