Build A Primary Domain Controller With Samba, Part 2

Our recipe for quick configuration will make it easy for you to drop a Samba-based PDC into your Windows network for single sign-on authentication, roaming profiles, and more.

 By Carla Schroder | Posted Jul 17, 2007

Second of two parts. Read Part One.

Today we leap right into smb.conf and configure our Samba primary domain controller. Remember: There Can Be Only One. Do not use this if there is already a PDC on your network.

It may help to print and annotate smb.conf. Be sure to make a backup copy before changing anything. Samba's man pages are exceptionally useful; start with man samba and man smb.conf. Some comments below are abbreviated; see smb.conf for the full text. A complete list of global parameters is in man smb.conf. You can't just invent them; you must use the official Samba parameters.

Put your domain name and server hostname here:
# workgroup = NT-Domain-Name or Workgroup-Name
workgroup = MYGROUP
netbios name = HOSTNAME

# server string is the equivalent of the NT Description field
server string = Samba PDC %v %h
%v displays the Samba version number, %h displays the hostname. This shows up in Network Neighborhood. See man smb.conf for a full explanation of all variable substitutions. Or say anything you want:
server string = Carla's Samba server, and a darn fine one it is

Define subnets:
# This option is important for security...
hosts allow = 192.168.1., 127.
hosts allow =,
The localhost will always be allowed access, unless denied by a "hosts deny" option. Use space, comma, or tab delimiting. Individual IPs can be excluded here with the EXCEPT keyword:
hosts allow = 192.168., EXCEPT

# Put a capping on the size of the log files (in Kb).
max log size = 50
Side note: I like to isolate /var in its own partition, to prevent crashes if something causes a log file to grow hugely, such as a DoS attack or other mayhem.

# Security mode...
security = user

# You may wish to use password encryption....
encrypt passwords = yes
smb passwd file = /etc/samba/smbpasswd

# The following are needed to allow password changing from Windows to
# update the Linux system password also.
unix password sync = yes
passwd program = /usr/bin/passwd %u
passwd chat = *New*password* %n\n *Please*retype*new*password* %n\n *password*successfully*updated*

# Browser Control Options:
local master = yes

#OS Level ...
os level = 64

# Domain Master specifies Samba to be the Domain Master Browser....
domain master = yes

# Preferred Master ...
preferred master = yes

# Enable this if you want Samba to be a domain logon server for
# Windows95 workstations.
domain logons = yes

# Where to store roving profiles (only for Win95 and WinNT)
# %L substitutes for this servers netbios name, %U is username
# You must uncomment the [Profiles] share below
logon path = \\%L\Profiles\%U

Add these lines:
logon home = \\%L\%U
logon drive = H: (or whatever you like)
logon script = netlogon.bat

#=== shares ===
[homes]
comment = Home Directories
browseable = no
writable = yes
valid users = %S
create mode = 0664
directory mode = 0775

[netlogon]
comment = Network Logon Service
path = /home/samba/netlogon
writable = no
share modes = no

[Profiles]
path = /home/samba/profiles
browseable = no
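
As an added example (not from the original article or the Samba project), this Python script parses an smb.conf and reports where it departs from the settings used above. The function names and the sample file are constructed for illustration, and it assumes every checked parameter is set explicitly rather than left to Samba's built-in default.

```python
import re

# Constructed sample: writable [netlogon] and no [Profiles] share, to trigger findings.
SAMPLE = r"""
[global]
security = user
encrypt passwords = yes
hosts allow = 192.168.1., 127.
domain logons = yes
logon path = \\%L\Profiles\%U
[homes]
valid users = %S
[netlogon]
writable = yes
"""
YES = ("yes", "true", "1")

def parse_smb_conf(text):
    """Return {section: {param: value}} with lower-cased, whitespace-normalised names."""
    conf, section = {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        if not line or line[0] in "#;":        # blank line or comment
            continue
        if m := re.fullmatch(r"\[(.+)\]", line):
            section = conf.setdefault(m.group(1).strip().lower(), {})
        elif "=" in line and section is not None:
            key, value = line.split("=", 1)
            section[" ".join(key.lower().split())] = value.strip()
    return conf

def audit(conf):
    """List where the file departs from the settings the article uses."""
    g, out = conf.get("global", {}), []
    for name, ok in (("security", ("user",)), ("encrypt passwords", YES)):
        if g.get(name, "").lower() not in ok:
            out.append(f"{name} is not set to {ok[0]}")
    if not g.get("hosts allow"):
        out.append("no hosts allow restriction")
    if g.get("domain logons", "no").lower() in YES:
        nl = conf.get("netlogon")
        if nl is None:
            out.append("domain logons is on but there is no [netlogon] share")
        elif nl.get("writable", nl.get("writeable", "no")).lower() in YES:
            out.append("[netlogon] is writable")
        if "\\profiles\\" in g.get("logon path", "").lower() and "profiles" not in conf:
            out.append("logon path names a [Profiles] share that is not defined")
    if conf.get("homes", {}).get("valid users") != "%S":
        out.append("[homes] valid users is not %S")
    return out
```

Run `audit(parse_smb_conf(open("/etc/samba/smb.conf").read()))` against a backup copy of the real file; an empty list means every check passed.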
