Documentation< Previous | Contents | Next >
5.1. Primary Domain Controller
This section covers configuring Samba as a Primary Domain Controller (PDC) using the default smbpasswd backend.
1. First, install Samba, and libpam-winbind to sync the user accounts, by entering the following in a terminal prompt:
sudo apt install samba libpam-winbind
2. Next, configure Samba by editing /etc/samba/smb.conf. The security mode should be set to user, and the workgroup should relate to your organization:
workgroup = EXAMPLE
...
security = user
3. In the commented “Domains” section add or uncomment the following (the last line has been split to fit the format of this document):
domain logons = yes
logon path = \\%N\%U\profile logon drive = H:
logon home = \\%N\%U logon script = logon.cmd
add machine script = sudo /usr/sbin/useradd -N -g machines -c Machine -d
/var/lib/samba -s /bin/false %u
If you wish to not use Roaming Profiles leave the logon home and logon path options commented.
• domain logons: provides the netlogon service causing Samba to act as a domain controller.
• logon path: places the user's Windows profile into their home directory. It is also possible to configure a [profiles] share placing all profiles under a single directory.
• logon drive: specifies the home directory local path.
• logon home: specifies the home directory location.
• logon script: determines the script to be run locally once a user has logged in. The script needs to be placed in the [netlogon] share.
• add machine script: a script that will automatically create the Machine Trust Account needed for a workstation to join the domain.
In this example the machines group will need to be created using the addgroup utility see Section 1.2, “Adding and Deleting Users” [p. 181] for details.
4. Uncomment the [homes] share to allow the logon home to be mapped:
[homes]
comment = Home Directories browseable = no
read only = no create mask = 0700
directory mask = 0700 valid users = %S
5. When configured as a domain controller a [netlogon] share needs to be configured. To enable the share, uncomment:
[netlogon]
comment = Network Logon Service path = /srv/samba/netlogon guest ok = yes
read only = yes share modes = no
The original netlogon share path is /home/samba/netlogon, but according to the Filesystem Hierarchy Standard (FHS), /srv20 is the correct location for site-specific data provided by the system.
6. Now create the netlogon directory, and an empty (for now) logon.cmd script file:
sudo mkdir -p /srv/samba/netlogon
sudo touch /srv/samba/netlogon/logon.cmd
You can enter any normal Windows logon script commands in logon.cmd to customize the client's environment.
7. Restart Samba to enable the new domain controller:
sudo systemctl restart smbd.service nmbd.service
8. Lastly, there are a few additional commands needed to setup the appropriate rights.
With root being disabled by default, in order to join a workstation to the domain, a system group needs to be mapped to the Windows Domain Admins group. Using the net utility, from a terminal enter:
sudo net groupmap add ntgroup="Domain Admins" unixgroup=sysadmin rid=512 type=d
20 http://www.pathname.com/fhs/pub/fhs-2.3.html#SRVDATAFORSERVICESPROVIDEDBYSYSTEM
Change sysadmin to whichever group you prefer. Also, the user used to join the domain needs to be a member of the sysadmin group, as well as a member of the system admin group. The admin group allows sudo use.
If the user does not have Samba credentials yet, you can add them with the smbpasswd utility, change the sysadmin username appropriately:
sudo smbpasswd -a sysadmin
Also, rights need to be explicitly provided to the Domain Admins group to allow the add machine script
(and other admin functions) to work. This is achieved by executing:
net rpc rights grant -U sysadmin "EXAMPLE\Domain Admins" SeMachineAccountPrivilege \ SePrintOperatorPrivilege SeAddUsersPrivilege SeDiskOperatorPrivilege \ SeRemoteShutdownPrivilege
9. You should now be able to join Windows clients to the Domain in the same manner as joining them to an NT4 domain running on a Windows server.