Samba/Primary Domain Controller

A Primary Domain Controller (PDC) allows:

 * Users on a Windows domain to authenticate against a central controller.
 * Users to have roaming profiles.
 * Logon scripts, stored on the PDC, to run on the client at each logon.

This article focuses on how to implement Samba as the PDC for your Windows domain. It was written with a Windows 2000/XP network in mind, but should work with any client version of Windows, though some extra client side settings may need to be configured.

If you're looking for a PDC for a Linux domain, you're out of luck here: PDCs are strictly for Windows environments. Look instead at Active Directory Authentication using LDAP.

What this HOWTO will do

 * Allow Microsoft Windows (2000 and XP) clients to authenticate via your samba server.
 * Provide mapped drives (based on logon scripts).
 * Execute a logon script.
 * Enable use of roaming profiles.

Note on roaming profiles: Microsoft Windows supports roaming user profiles, which let a user's settings, including issued certificates and private keys, follow the user to whichever computer they log on to. When roaming profiles are enabled, the profile is stored on the domain controller and downloaded to the computer during logon. That is also why the profile share deserves tight permissions: it holds key material.

What this HOWTO will not do

 * Configure your Samba server for print sharing.
 * Configure your Samba server for virus scanning.
 * Configure your Samba server for LDAP authentication.

The Kernel
Make sure POSIX Access Control List support is enabled in the kernel for the file system that will hold the Samba shares.

USE Flags
Samba must be emerged with the required USE flag enabled. The flag can be set either globally or only for the samba package.

Configure Samba
The first section we will configure is [global], followed by the [netlogon], [profiles], [homes] and other service sections. You'll need to change some values to suit your environment.

[global]

 * netbios name sets the NetBIOS name by which the Samba server is known; this is what you see in Network Neighborhood.
 * workgroup controls which workgroup the server appears in when queried by clients. For a PDC this is also the name of the domain.
 * server string controls the text shown in the printer comment box in Print Manager and next to the IPC connection in net view.

 * hosts allow is a comma, space or tab delimited set of hosts (addresses or networks) that are permitted to access a service. Restrict it to your LAN; it is the first line of defence against the PDC answering requests from elsewhere.
 * security affects how clients authenticate to Samba and is one of the most important settings in the file. A PDC must use security = user.
 * encrypt passwords controls whether encrypted passwords are negotiated with the client. Windows 2000/XP clients refuse plaintext authentication by default, so this must be yes.
 * socket options sets socket options used when talking to the client. It is for performance fine tuning only.
 * interfaces overrides the default list of network interfaces Samba uses for browsing, name registration and other NBT traffic.
 * bind interfaces only limits which interfaces on the machine serve SMB requests; together with interfaces it keeps the PDC off any interface you did not list.

To make your Samba server the PDC, the following four parameters are required.

 * os level controls what level Samba advertises itself as in browser elections. Setting it to 65 lets the server win elections against any Windows version, so it becomes the master browser even where other domain controllers exist.
 * local master allows NMBD to try to become the local master browser on its subnet.
 * domain master enables WAN-wide browse list collation. Setting this option causes NMBD to claim a special domain-specific NetBIOS name that identifies it as the domain master browser for its workgroup.
 * preferred master controls whether NMBD is a preferred master browser for its workgroup, i.e. whether it forces a browser election when it starts.

 * null passwords allows or disallows client access to accounts that have null passwords. Leave it at no.
 * hide unreadable prevents clients from seeing the existence of files they cannot read.
 * hide dot files controls whether files starting with a dot appear as hidden files.

 * domain logons dictates whether the Samba server serves Windows domain logons for the workgroup it is in.
 * logon script specifies the batch file (.bat) or NT command file (.cmd) downloaded and run on the client when a user logs on successfully. The filename is relative to the [netlogon] path, defined below.
 * logon path specifies where roaming profiles (NTuser.dat and the rest of the profile) are stored, as a UNC path.
 * logon drive specifies the local drive letter to which the home directory is connected; it is only used by NT-family clients (NT, 2000, XP).
 * logon home specifies the home directory location when a Win95/98 or NT-family workstation logs into a Samba PDC.

Note that the variables %L and %U are used in these paths: %L expands to the server's NetBIOS name as the client requested it, %U to the username. You may specify any drive letter for logon drive as long as it does not conflict with other drives on your Windows client.

For the logon script, you should use a static file name. Using %U would require a batch file for each user, as %U expands to the name of the user establishing the connection.

 * wins support controls whether the NMBD process acts as a WINS server.
 * name resolve order tells the programs in the Samba suite which naming services to use, and in what order, when resolving host names to IP addresses.
 * dns proxy specifies that nmbd, when acting as a WINS server and finding that a NetBIOS name has not been registered, should treat the NetBIOS name word-for-word as a DNS name and look it up with the DNS server on behalf of the querying client.

 * time server determines whether NMBD advertises itself as a time server to Windows clients.
 * log file overrides the name of the Samba log file, also known as the debug file.
 * max log size specifies the maximum size (in KB) the log file may grow to before it is rotated.
 * smb passwd file sets the path to the encrypted smbpasswd file. By default the path is compiled into Samba.

The add user script, delete user script, add machine script and related parameters let the PDC create and remove the matching Unix accounts when users or machines are added or deleted from a Windows client. (Carter, Ts, Eckstein, 2007)

 * unix charset specifies the character set used by the Unix machine Samba runs on. Samba needs to know this to convert text to the character sets other SMB clients use. Leave it undefined unless your machine does not support the default UTF-8 character set.

[netlogon]
[netlogon] is the service section in which the Default User profile for new users and the logon script reside. Make sure the directory is owned by root (user and group) with permissions 0755. Users only need to read from it, so the share is normally read only with root alone in the write list.

[profiles]
[profiles] is the service section for user roaming profiles. Make sure the directory itself is owned by root, group root, with permissions 0755 (chmod 0755 on that directory only, not recursively). Inside it are the individual user profile directories. Each must be owned by the user, group owned by users, with permissions 0770 (chmod -R 0770 on the user's directory). Be aware that 0770 with group users lets every member of that group read and write everyone else's profile, including any certificates and private keys stored in it; 0700 is tighter and sufficient, since only the owner needs access.
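The directory layout and permissions described for [netlogon] and [profiles] are easy to get subtly wrong (a recursive chmod on the profiles directory, a profile directory owned by the wrong user). The following script, added here as an example and not part of the original HOWTO, creates the layout and then verifies it. It assumes the shares live under /var/lib/samba; pass a different base path as the first argument. chown only happens when run as root, so the verifier takes the expected owner as an argument.

```shell
#!/bin/sh
# Create and verify the share directory layout for a Samba PDC.
# Added example; the base path /var/lib/samba is an assumption.

# make_share_dirs BASE : create netlogon/ and profiles/, mode 0755, root:root.
make_share_dirs() {
    base=$1
    mkdir -p "$base/netlogon" "$base/profiles" || return 1
    chmod 0755 "$base/netlogon" "$base/profiles" || return 1
    # chown needs root; the directories must end up owned by root:root.
    if [ "$(id -u)" -eq 0 ]; then
        chown root:root "$base/netlogon" "$base/profiles" || return 1
    fi
}

# make_profile_dir BASE USER [GROUP] : per-user profile directory, 0770,
# owned by USER and group 'users' (the HOWTO's choice; 0700 is tighter).
make_profile_dir() {
    base=$1; user=$2; group=${3:-users}
    dir="$base/profiles/$user"
    mkdir -p "$dir" || return 1
    chmod -R 0770 "$dir" || return 1
    if [ "$(id -u)" -eq 0 ]; then
        chown -R "$user:$group" "$dir" || return 1
    fi
}

# dir_mode PATH : print the octal mode of PATH (GNU/busybox stat).
dir_mode() {
    stat -c '%a' "$1"
}

# check_layout BASE OWNER [USER...] : return 0 if netlogon/ and profiles/
# are 0755 and owned by OWNER (root in production) and every listed USER
# owns a 0770 profile directory; print each problem found otherwise.
check_layout() {
    base=$1; owner=$2; shift 2
    rc=0
    for d in netlogon profiles; do
        [ "$(dir_mode "$base/$d")" = 755 ] || { echo "$base/$d is not 0755"; rc=1; }
        [ "$(stat -c '%U' "$base/$d")" = "$owner" ] || { echo "$base/$d is not owned by $owner"; rc=1; }
    done
    for u in "$@"; do
        p="$base/profiles/$u"
        [ "$(dir_mode "$p")" = 770 ] || { echo "$p is not 0770"; rc=1; }
        [ "$(stat -c '%U' "$p")" = "$u" ] || { echo "$p is not owned by $u"; rc=1; }
    done
    return $rc
}

# Typical use on the PDC, as root:
#   make_share_dirs /var/lib/samba
#   make_profile_dir /var/lib/samba alice
#   check_layout /var/lib/samba root alice
```

Run check_layout again whenever a profile fails to load or save; a wrong owner or mode on the user's directory is the most common cause.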

[homes]
[homes] defines the users' home directory share. Nothing special needs to be done to this section or to the home directories themselves.

[public]
[public] is an example of a share that everyone can access. It is handy if there are documents everyone needs. You do not need one if you do not want one, and you can have as many such shares as you like, with whatever names you like; it does not have to be called [public].
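The parameters described above, assembled into one smb.conf. This is an added example, not the HOWTO's own file: the NetBIOS name PDC01, the domain EXAMPLE, the 192.168.1.0/24 LAN, the eth0 interface and the /var/lib/samba paths are assumptions to adapt to your site.

```ini
[global]
   netbios name = PDC01
   workgroup = EXAMPLE
   server string = Samba PDC

   # Only the LAN and loopback may talk to us, and only on eth0.
   hosts allow = 192.168.1. 127.
   interfaces = eth0 127.0.0.1
   bind interfaces only = yes

   # Required for a PDC; Windows 2000/XP will not send plaintext passwords.
   security = user
   encrypt passwords = yes
   null passwords = no
   socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192

   # Win browser elections and act as the domain master browser.
   os level = 65
   local master = yes
   domain master = yes
   preferred master = yes

   hide unreadable = yes
   hide dot files = yes

   # Domain logons, logon script and roaming profiles.
   domain logons = yes
   logon script = login.bat
   logon path = \\%L\profiles\%U
   logon drive = H:
   logon home = \\%L\%U

   wins support = yes
   name resolve order = wins lmhosts hosts bcast
   dns proxy = no
   time server = yes

   log file = /var/log/samba/log.%m
   max log size = 50
   # Assumed location; the default is compiled in.
   smb passwd file = /var/lib/samba/private/smbpasswd

   # Let the PDC create the Unix account for a machine when it joins.
   add machine script = /usr/sbin/useradd -d /dev/null -g machines -s /bin/false -M %u

[netlogon]
   comment = Network Logon Service
   path = /var/lib/samba/netlogon
   read only = yes
   write list = root
   browseable = no

[profiles]
   comment = Roaming Profiles
   path = /var/lib/samba/profiles
   read only = no
   create mask = 0600
   directory mask = 0700
   browseable = no
   # Report the connecting user as owner so XP's ownership check passes.
   profile acls = yes
   # Client-side caching of a profile share only causes stale profiles.
   csc policy = disable

[homes]
   comment = Home Directories
   browseable = no
   read only = no
   valid users = %S

[public]
   comment = Public Files
   path = /var/lib/samba/public
   read only = no
   guest ok = no
```

Run testparm against the file before starting Samba: it reports unknown parameters and dumps the effective settings, which is the quickest way to catch a typo in a parameter name that Samba would otherwise ignore silently.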

Windows 2000
This is another simple step. Log into your Windows 2000 client locally as Administrator and add the machine to your domain: right-click My Computer => Properties => Network Identification => Properties. You will be prompted for the username and password of a domain user allowed to join machines; use the root account (that is why root was added to smbpasswd). Note that root's Samba password lives in smbpasswd and is separate from the Unix root password unless you deliberately make them the same.

After changing the domain you'll need to reboot (no surprise there). After the reboot you'll see the logon screen with the little graphic asking you to press Ctrl-Alt-Del. If you only see fields for username and password, click the "Options" button and a domain dropdown appears. The choices should be "computer name (this computer)" and your new domain.

To use roaming profiles, you need to establish a Default Profile on Samba. Copy the hidden folder C:\Documents and Settings\Default User from the client into the directory specified in your [netlogon] service, so that it appears as \\server\netlogon\Default User. Users logging on for the first time with a roaming profile then start from this default.

I suggest making sure the latest service pack is installed.

After adding the client to the domain and rebooting, let's leave this screen as it is. We'll come back to it later.

Windows XP
Start the process for Windows XP clients with a complete Windows Update. Since Service Pack 2 the way Windows handles roaming profiles has changed a little: the client now checks that the user owns the roaming profile folder, an NTFS ACL check that a Samba share cannot satisfy without help. Log into your Windows XP client locally as Administrator and execute:

gpedit.msc

then navigate to:

Local Computer Policy / Computer Configuration / Administrative Templates / System / User Profiles

and change the setting 'Do not check for user ownership of Roaming Profile Folders' from 'Not Configured' to 'Enabled'. If that setting is not present, visit Windows Update again. Then choose File / Exit. Once this is done, proceed as for Windows 2000.

Alternatively, you can add the following registry key:

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System] "CompatibleRUPSecurity"=dword:00000001

On the Samba side, add profile acls = yes to the [profiles] section (Samba 3.x); see the smb.conf(5) manual page for details.

Troubleshooting
For problems with logons and roaming profiles, trace both the server side (raise the Samba log level and watch the log file) and the client side. For client debugging, see Microsoft's KB221833 article on enabling user environment debug logging.

More Samba configuration
This step maps your Windows groups to your Unix groups. It is an important step if you want administrative rights on your Windows clients once you have logged on to the client against the PDC: members of the Unix group mapped to Domain Admins land in the client's local Administrators group, so keep that Unix group small.

First, view the current mappings with net groupmap list, so you know what you are mapping.

Example output of net groupmap list

It is possible that your group map is empty. That is no great loss, since only three mapped groups are needed: Domain Admins, Domain Users and Domain Guests. Add them yourself with net groupmap add.

Only those three groups are mapped here; that is all that is really required. You may add more if you wish.

If adding a mapping fails with "adding entry for group Domain Admins failed!", the usual cause is that the Unix group given as unixgroup does not exist yet: create it first.

Additionally, you may want to create a Unix group called ntadmins for the users who should be Domain Admins.

After you create the required Unix groups, map each one to its Windows group with net groupmap add, where ntgroup is a Windows group listed above and unixgroup is the existing Unix group you wish to map it to.

You need to run this command once for each Unix group you wish to map. You can then use the new groups in group-specific parameters in either the global or the service sections. (Carter, Ts, Eckstein, 2007)
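The group mappings, the root entry in smbpasswd that the Windows 2000 section relies on, and the machine accounts that clients need in order to join, wrapped in a few shell functions. This is an added example, not the HOWTO's own commands. It runs the real net, smbpasswd and useradd commands as root; with DRY_RUN set it only prints them, while the Unix group and account existence checks still run. The well-known RIDs 512, 513 and 514 are fixed by Windows; the group name ntadmins is the HOWTO's suggestion.

```shell
#!/bin/sh
# Group mapping and account helpers for a Samba 3 PDC (added example).
# DRY_RUN=1 prints the privileged commands instead of running them.

# run CMD... : execute CMD, or echo it when DRY_RUN is set.
run() {
    if [ -n "$DRY_RUN" ]; then echo "$*"; else "$@"; fi
}

unix_group_exists() {
    if command -v getent >/dev/null 2>&1; then
        getent group "$1" >/dev/null
    else
        grep -q "^$1:" /etc/group
    fi
}

unix_user_exists() {
    if command -v getent >/dev/null 2>&1; then
        getent passwd "$1" >/dev/null
    else
        grep -q "^$1:" /etc/passwd
    fi
}

# well_known_rid NTGROUP : RID of a built-in domain group; 1 if unknown.
well_known_rid() {
    case $1 in
        "Domain Admins") echo 512 ;;
        "Domain Users")  echo 513 ;;
        "Domain Guests") echo 514 ;;
        *) echo "unknown well-known group: $1" >&2; return 1 ;;
    esac
}

# map_group NTGROUP UNIXGROUP : map a Windows group onto an existing Unix
# group.  A missing Unix group is the usual cause of
# "adding entry for group Domain Admins failed!", so refuse early.
map_group() {
    ntgroup=$1; unixgroup=$2
    rid=$(well_known_rid "$ntgroup") || return 1
    if ! unix_group_exists "$unixgroup"; then
        echo "Unix group '$unixgroup' does not exist; groupadd it first" >&2
        return 1
    fi
    run net groupmap add ntgroup="$ntgroup" unixgroup="$unixgroup" rid="$rid" type=d
}

# add_user USER : give an existing Unix user a Samba password (prompts).
# The HOWTO uses this for root, the account that joins clients to the domain.
add_user() {
    if ! unix_user_exists "$1"; then
        echo "no Unix account '$1'" >&2; return 1
    fi
    run smbpasswd -a "$1"
}

# add_machine NAME : create the Unix account NAME$ plus its smbpasswd entry
# so that a client may join.  Not needed when 'add machine script' is set,
# since Samba then creates the account itself during the join.
add_machine() {
    base=${1%\$}
    run useradd -d /dev/null -g machines -s /bin/false -M "$base\$" || return 1
    run smbpasswd -a -m "$base"
}

# Typical bootstrap on the PDC, as root:
#   groupadd ntadmins; groupadd machines
#   map_group "Domain Admins" ntadmins
#   map_group "Domain Users"  users
#   map_group "Domain Guests" nobody
#   add_user root
```

smbpasswd -m takes the machine name without the trailing dollar sign and adds it itself, while useradd needs the dollar sign spelled out; add_machine handles both forms of the name so the two stay consistent.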

Final Steps
Now that you are done with configuring Samba, start it and add it to your default run level.

At this point, you should be able to log into your domain using your username and password (not root). If you wish to use a roaming profile, you'll need to tell the client. This is done by right clicking My Computer => Properties => User Profiles. Select your user and "Change type".

What are ACLs?
Extended attributes are arbitrary name/value pairs which are associated with files or directories. They can be used to store system objects like capabilities of executables and access control lists, as well as user objects. The attr(5) manual page describes which kinds of extended attributes are defined.

Access Control Lists
On UNIX and UNIX-like systems, file permissions are defined by the file mode. The file mode contains nine bits that determine the access permissions of a file, plus three special bits. This mechanism lets you define access permissions for three classes of users: the file owner, the file group, and others. It is very simple, yet with a handful of bits many permission scenarios can be modeled.

Some applications require more control over permissions than this model offers. Access control lists implement a more fine-grained permission model: In addition to the file owner, the file group, and others, additional users and groups can be granted or denied access.

How to enable ACLs
For installation and usage, see HOWTO Use filesystem ACLs.

The option profile acls
This option has nothing to do with the ACLs on the file system. It is, rather, an emulation of an ACL: Samba reports the connecting user as the owner of the profile files so that XP and 2000 clients pass their ownership check and can read their profile from the server. More information can be found in the smb.conf(5) manual page.

Example login.bat Script
The logon script lives in the [netlogon] share under the name given by logon script (login.bat here). It runs on the client at each logon, which makes it the place to map drives with net use.

When mapping your home drive, make sure the letter you specify in logon drive in your [global] section is the same as in the net use X: /HOME command, where X is the drive letter.
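Two things go wrong with logon scripts written from Linux: the file gets LF instead of the CRLF line endings cmd.exe expects, and the drive letter in net use drifts away from logon drive in smb.conf. The script below, added as an example and not part of the HOWTO, writes a login.bat with CRLF endings and checks both points. The server name PDC01, the public share and the use of H: are assumptions.

```shell
#!/bin/sh
# Write login.bat for the netlogon share and verify it (added example).

# write_logon_script FILE SERVER DRIVE : emit a CRLF-terminated batch file
# that maps the home directory to DRIVE:, the public share to P: and syncs
# the clock from the PDC (which advertises itself via 'time server = yes').
write_logon_script() {
    file=$1; server=$2; drive=$3
    printf '%s\r\n' \
        '@echo off' \
        "rem logon script served from \\\\$server\\netlogon" \
        "net use $drive: /HOME" \
        "net use P: \\\\$server\\public" \
        "net time \\\\$server /set /yes" \
        > "$file" || return 1
    chmod 0644 "$file"
}

# has_crlf FILE : 0 if every line of FILE ends in CRLF.
has_crlf() {
    total=$(wc -l < "$1")
    crlf=$(grep -c "$(printf '\r')\$" "$1" || true)
    [ "$total" -gt 0 ] && [ "$total" -eq "$crlf" ]
}

# logon_drive_of SMBCONF : the letter from 'logon drive = X:' (upper case).
logon_drive_of() {
    sed -n 's/^[[:space:]]*logon drive[[:space:]]*=[[:space:]]*\([A-Za-z]\):.*/\1/p' "$1" \
        | head -n1 | tr '[:lower:]' '[:upper:]'
}

# home_drive_of LOGINBAT : the letter used in 'net use X: /HOME'.
home_drive_of() {
    tr -d '\r' < "$1" \
        | sed -n 's/^[[:space:]]*net use \([A-Za-z]\): \/[Hh][Oo][Mm][Ee].*/\1/p' \
        | head -n1 | tr '[:lower:]' '[:upper:]'
}

# check_logon_drive SMBCONF LOGINBAT : 0 if both name the same drive letter.
check_logon_drive() {
    a=$(logon_drive_of "$1"); b=$(home_drive_of "$2")
    if [ -z "$a" ] || [ -z "$b" ]; then
        echo "no logon drive in $1 or no 'net use X: /HOME' in $2" >&2; return 1
    fi
    if [ "$a" != "$b" ]; then
        echo "mismatch: smb.conf logon drive = $a: but $2 maps $b: /HOME" >&2; return 1
    fi
}

# Typical use on the PDC:
#   write_logon_script /var/lib/samba/netlogon/login.bat PDC01 H
#   has_crlf /var/lib/samba/netlogon/login.bat
#   check_logon_drive /etc/samba/smb.conf /var/lib/samba/netlogon/login.bat
```

Keep the script world-readable but owned by root: every domain user executes it at logon, so anyone who can write to it can run commands on every client.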

List connected users
The bash script list_users.sh produces a list of all users currently logged in. It is useful for determining whether a specific user is logged in or whether any users are still connected; for example, before shutting down your PDC you must be sure that no user is connected. list_users.sh
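A way to build that list from smbstatus, added here as an example rather than the page's own list_users.sh. The functions read the output of smbstatus -b on standard input so they can be run against a saved report; the SAMPLE embedded below is a constructed report in the layout Samba 3 prints (a header, a dashed rule, then one line per connection).

```shell
#!/bin/sh
# List users currently connected to the PDC from 'smbstatus -b' output
# (added example).  SAMPLE is constructed, not captured from a real server.

SAMPLE='Samba version 3.0.28
PID     Username      Group         Machine
-------------------------------------------------------------------
 5123   alice         users         ws01         (192.168.1.10)
 5130   bob           users         ws02         (192.168.1.11)
 5141   alice         users         ws03         (192.168.1.12)
 5150   nobody        nogroup       ws04         (192.168.1.13)
'

# connected_users : read smbstatus -b output on stdin and print each
# distinct username once.  The dashed rule ends the header; after it every
# row is PID Username Group Machine (address), so the user is column 2.
connected_users() {
    awk '
        /^-+$/            { in_table = 1; next }
        in_table && NF >= 4 { print $2 }
    ' | sort -u
}

# user_connected USER : 0 if USER has at least one open session.
user_connected() {
    connected_users | grep -qx "$1"
}

# nobody_connected : 0 when no session is open, i.e. safe to stop Samba.
nobody_connected() {
    [ -z "$(connected_users)" ]
}

# demo : run the parser over the constructed sample.
demo() {
    printf '%s' "$SAMPLE" | connected_users
}

# On the PDC, as root (smbstatus only shows all sessions to root):
#   smbstatus -b | connected_users
#   smbstatus -b | nobody_connected && /etc/init.d/samba stop
```

Run smbstatus as root; as an ordinary user it lists only your own connections, which would make nobody_connected report an idle server that is still in use.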

Suggested Readings

 * Using Samba, Third Edition, by Gerald Carter, Jay Ts and Robert Eckstein. O'Reilly Media, Inc., 2007.
 * Samba official web site: an excellent resource for definitions and examples.
 * "Samba 3.0.5 PDC. works great, but cant get admin clients", Gentoo Forums.
 * "Resolved: Roaming profile does not load/save...", Gentoo Forums.

Retrieved from "http://www.gentoo-wiki.info/HOWTO_Implement_Samba_as_your_PDC"