Configuring Samba as a domain controller

Samba configuration on a Linux (or other UNIX machine) is controlled by a single file, /etc/smb.conf. This file determines which system resources you want to share with the outside world and what restrictions you wish to place on them.

Here is the example of smb.conf to work as PDC:

 [global] ; global server settings netbios name = POGO workgroup = WORKGROUP

 ; domain and local master browser os level = 64 preferred master = yes domain master = yes local master = yes ; set Samba to authenticate in user mode security security = user ; password encryption for PDC encrypt passwords = yes ; domain logons support domain logons = yes ; user profiles path logon path = \%Nprofiles\%u ; local path to which the home directory will be connected and home directory ; location when a Win95/98 or NT Workstation logs into a Samba PDC logon drive = N: logon home = \homeserver\%u ; batch file (.bat) or NT command file (.cmd) to be downloaded and run on a ; machine when a user successfully logs in ; relative **DOS** path to the [netlogon] resource logon script = logon.cmd

 ; necessary resource for domain controller [netlogon] path = /usr/local/samba/lib/netlogon writeable = no write list = ntadmin ; user profiles [profiles] path = /export/smb/ntprofile writeable = yes create mask = 0600 directory mask = 0700

There are few important issues for this configuration:

• Password encryption must be enabled.
• Server must support domain logons and resource [netlogon]
• Note that Windows NT Primary Domain Controllers expect to be able to claim the workgroup specific special NetBIOS name that identifies them as domain master browsers for that workgroup by default.

Samba 2.2 does not provide complete realization of MS Windows NT4/200x group accounts and to arbitrarily associate them with UNIX/Linux group accounts. For additional information about creating user accounts in Domain Admins style, please refer to the domain admin users parameter of the smb.conf file.