Build A Primary Domain Controller With Samba, Part 2
Our recipe for quick configuration will make it easy for you to drop a Samba-based PDC into your Windows network for single sign-on authentication, roaming profiles, and more.
Today we leap right into smb.conf and configure our Samba primary domain controller. Remember: There Can Be Only One. Do not use this if there is already a PDC on your network.
It may help to print and annotate smb.conf. Be sure to make a backup copy before changing anything. Samba's man pages are exceptionally useful; start with man samba and man smb.conf. Some comments below are abbreviated; see smb.conf for the full text. A complete list of global parameters is in man smb.conf. You can't just invent parameters; you must use the official Samba parameter names.
Put your domain name and server hostname here:
# workgroup = NT-Domain-Name or Workgroup-Name
workgroup = MYGROUP
netbios name = HOSTNAME
server string = Samba PDC %v %h
%v displays the Samba version number and %h displays the hostname. This string shows up in Network Neighborhood. See man smb.conf for a full explanation of all variable substitutions. Or say anything you want:
server string = Carla's Samba server, and a darn fine one it is
# This option is important for security...
hosts allow = 192.168.1., 127.
hosts allow = 192.168.1.0, 127.0.0.1/255.255.255.0
The localhost 127.0.0.1 will always be allowed access, unless denied by a "hosts deny" option. Use space, comma, or tab delimiting. Individual IPs can be excluded here with the EXCEPT keyword:
hosts allow = 192.168., EXCEPT 192.168.1.100
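The hosts allow / hosts deny rules above are easy to get subtly wrong (a prefix like 192.168.1. is a string match on the dotted form, EXCEPT carves holes in a list, and localhost is admitted unless hosts deny names it). The following is an added example, not code from the article or from Samba, that evaluates those rules for a given client address so you can check a value before putting it in smb.conf. The evaluation order in host_allowed is my reading of man smb.conf and is stated as an assumption; the sample values are constructed from the syntax shown above.

```python
import ipaddress
import re
from typing import List, Tuple

# Constructed values in the hosts allow syntax shown above.
SAMPLE_ALLOW = "192.168.1., 127."
SAMPLE_ALLOW_EXCEPT = "192.168., EXCEPT 192.168.1.100"


def split_list(value: str) -> List[str]:
    """Samba accepts space, comma or tab as delimiters."""
    return [tok for tok in re.split(r"[ ,\t]+", value.strip()) if tok]


def parse_rule(value: str) -> Tuple[List[str], List[str]]:
    """Split a hosts allow/deny value into (patterns, exceptions);
    everything after the EXCEPT keyword is an exception."""
    patterns: List[str] = []
    exceptions: List[str] = []
    target = patterns
    for tok in split_list(value):
        if tok.upper() == "EXCEPT":
            target = exceptions
        else:
            target.append(tok)
    return patterns, exceptions


def matches(pattern: str, ip: str) -> bool:
    """One pattern against one IPv4 address:
    - 'a.b.c.' with a trailing dot is a prefix match on the dotted form
    - 'addr/netmask' or 'addr/prefixlen' is network membership
    - a plain address must match exactly."""
    addr = ipaddress.ip_address(ip)
    if pattern.endswith("."):
        return str(addr).startswith(pattern)
    if "/" in pattern:
        return addr in ipaddress.ip_network(pattern, strict=False)
    return addr == ipaddress.ip_address(pattern)


def rule_matches(value: str, ip: str) -> bool:
    """True when ip is on the list and not on its EXCEPT part."""
    patterns, exceptions = parse_rule(value)
    if any(matches(p, ip) for p in exceptions):
        return False
    return any(matches(p, ip) for p in patterns)


def host_allowed(ip: str, hosts_allow: str = "", hosts_deny: str = "") -> bool:
    """Evaluation order as I read it from man smb.conf (an assumption, not
    Samba's code): 127.0.0.1 is allowed unless hosts deny names it; with
    neither list set everything is allowed; a host on hosts allow is allowed
    even if hosts deny also names it; otherwise hosts deny decides, and when
    only hosts allow is set anything not on it is refused."""
    allow_hit = bool(hosts_allow) and rule_matches(hosts_allow, ip)
    deny_hit = bool(hosts_deny) and rule_matches(hosts_deny, ip)
    if ipaddress.ip_address(ip) == ipaddress.ip_address("127.0.0.1"):
        return not deny_hit
    if not hosts_allow and not hosts_deny:
        return True
    if hosts_allow and not hosts_deny:
        return allow_hit
    if hosts_deny and not hosts_allow:
        return not deny_hit
    return allow_hit or not deny_hit
```

Run host_allowed("192.168.1.100", SAMPLE_ALLOW_EXCEPT) and it comes back False while a neighbouring address on the same subnet is admitted; note also that a prefix such as 192.168.1. does not match 192.168.10.5, because the comparison is on the text of the address, not on the network.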
# Put a capping on the size of the log files (in Kb).
max log size = 50
Side note: I like to isolate /var in its own partition, to prevent crashes if something causes a log file to grow hugely, such as a DoS attack or other mayhem.
# Security mode...
security = user
# You may wish to use password encryption....
encrypt passwords = yes
smb passwd file = /etc/samba/smbpasswd
# The following are needed to allow password changing from Windows to
# update the Linux system password also.
unix password sync = yes
passwd program = /usr/bin/passwd %u
passwd chat = *New*password* %n\n *Please*retype*new*password* %n\n *password*successfully*updated*
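The passwd chat line is a small expect/send script: Samba runs the passwd program, waits for each prompt to match the glob on the left, and answers with the string on the right (%n is the new password, \n becomes a newline). If a prompt does not match, the chat stalls and the Unix password is never changed, which is the usual reason unix password sync appears not to work. This is an added example, not code from the article or from Samba, that simulates the exchange against a constructed passwd transcript; the case-insensitive matching is an assumption on my part, and the exact wording your distribution's passwd prints should be captured and tested the same way.

```python
import fnmatch
from typing import List, Tuple

# The chat string from the configuration above, kept exactly as Samba reads it:
# the backslash-n is two characters in smb.conf and becomes a newline when sent.
SAMPLE_CHAT = r"*New*password* %n\n *Please*retype*new*password* %n\n *password*successfully*updated*"

# Constructed transcript of a passwd program whose prompts fit the chat above.
# Real passwd wording varies between distributions; capture yours and test it here.
MATCHING_OUTPUT = [
    "New password: ",
    "Please retype new password: ",
    "passwd: password successfully updated",
]


def parse_chat(chat: str) -> List[Tuple[str, str]]:
    """The chat is a whitespace-separated list alternating expect and send
    strings; a final expect with no send is paired with an empty send."""
    tokens = chat.split()
    return [(tokens[i], tokens[i + 1] if i + 1 < len(tokens) else "")
            for i in range(0, len(tokens), 2)]


def run_chat(chat: str, program_output: List[str], new_password: str) -> List[str]:
    """Drive a simulated passwd program. For each pair, read the next line the
    program printed, require the expect glob to match it (matched
    case-insensitively here, an assumption about Samba's behaviour), then send
    the reply with %n replaced by the new password. Returns every reply sent;
    raises RuntimeError at the first prompt that does not match, which is the
    failure mode that leaves the Unix password out of sync."""
    lines = iter(program_output)
    sent: List[str] = []
    for expect, send in parse_chat(chat):
        if expect != ".":                     # a lone "." means expect nothing
            got = next(lines, None)
            if got is None or not fnmatch.fnmatchcase(got.lower(), expect.lower()):
                raise RuntimeError(f"expected {expect!r} but passwd printed {got!r}")
        if send and send != ".":              # a lone "." means send nothing
            sent.append(send.replace("%n", new_password).replace("\\n", "\n"))
    return sent


def chat_matches(chat: str, program_output: List[str]) -> bool:
    """Dry-run check: does this chat script fit this program's prompts?"""
    try:
        run_chat(chat, program_output, "dummy")
        return True
    except RuntimeError:
        return False
```

To test a real system, run the passwd program once by hand, copy its prompts into a list in place of MATCHING_OUTPUT, and call chat_matches; a False result means the globs need adjusting before you rely on password sync.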
# Browser Control Options:
local master = yes
#OS Level ...
os level = 64
# Domain Master specifies Samba to be the Domain Master Browser....
domain master = yes
# Preferred Master ...
preferred master = yes
# Enable this if you want Samba to be a domain logon server for
# Windows95 workstations.
domain logons = yes
# Where to store roving profiles (only for Win95 and WinNT)
# %L substitutes for this server's netbios name, %U is username
# You must uncomment the [Profiles] share below
logon path = \\%L\Profiles\%U
Add these lines:
logon home = \\%L\%U
logon drive = H: (or whatever you like)
logon script = netlogon.bat
#=== shares ===
[homes]
comment = Home Directories
browseable = no
writable = yes
valid users = %S
create mode = 0664
directory mode = 0775
[netlogon]
comment = Network Logon Service
path = /home/samba/netlogon
writable = no
share modes = no
[Profiles]
path = /home/samba/profiles
browseable = no
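Before restarting Samba it is worth checking that the pieces above actually fit together: the domain parameters are all switched on, hosts allow is set, the share named in logon path exists (the [Profiles] share the comment says you must uncomment), and the share that serves the logon script is not writable. This is an added example, not the article's code or a Samba tool; it parses a constructed smb.conf condensed from the settings discussed in this article, expands the %L and %U variables the way the logon path comment describes, and returns a list of findings. Run testparm as well, since this checker only knows about the parameters discussed here.

```python
import re
from typing import Dict, List

# Constructed sample smb.conf condensed from the settings discussed above;
# it is not the article's complete file.
SAMPLE_SMB_CONF = r"""
[global]
   workgroup = MYGROUP
   netbios name = PDC1
   server string = Samba PDC %v %h
   hosts allow = 192.168.1., 127.
   security = user
   encrypt passwords = yes
   local master = yes
   domain master = yes
   preferred master = yes
   domain logons = yes
   logon path = \\%L\Profiles\%U
   logon script = netlogon.bat

[homes]
   comment = Home Directories
   browseable = no
   writable = yes
   valid users = %S

[netlogon]
   comment = Network Logon Service
   path = /home/samba/netlogon
   writable = no

[Profiles]
   path = /home/samba/profiles
   browseable = no
"""

Config = Dict[str, Dict[str, str]]

def parse_smb_conf(text: str) -> Config:
    """Minimal smb.conf reader: [section] headers, 'name = value' lines and
    '#' or ';' comment lines. Samba treats parameter and section names
    case-insensitively, so both are lowercased here."""
    conf: Config = {}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        header = re.match(r"^\[(.+)\]$", line)
        if header:
            section = header.group(1).strip().lower()
            conf.setdefault(section, {})
        elif section is not None and "=" in line:
            name, _, value = line.partition("=")
            conf[section][" ".join(name.split()).lower()] = value.strip()
    return conf

def as_bool(value: str) -> bool:
    """Samba accepts yes/true/1 (and no/false/0) for boolean parameters."""
    return value.strip().lower() in {"yes", "true", "1"}

def expand(value: str, **subs: str) -> str:
    """Expand the %-variables used on this page (%L netbios name, %U user,
    %v version, %h hostname, %S share). Samba's substitution is
    case-sensitive, so %U and %u are different variables."""
    for name, repl in subs.items():
        value = value.replace("%" + name, repl)
    return value

def pdc_findings(conf: Config) -> List[str]:
    """Problems that would stop this smb.conf from acting as the PDC
    described above; an empty list means every check passed."""
    g = conf.get("global", {})
    findings: List[str] = []
    for p in ("domain logons", "domain master", "local master",
              "preferred master", "encrypt passwords"):
        if not as_bool(g.get(p, "no")):
            findings.append(f"[global] {p} should be yes")
    if g.get("security", "user").lower() != "user":
        findings.append("[global] security must be user for a PDC")
    if not g.get("hosts allow"):
        findings.append("[global] hosts allow is unset: every host may connect")
    # The share named in logon path must exist, otherwise roaming profiles
    # fail ("You must uncomment the [Profiles] share below").
    unc = expand(g.get("logon path", ""), L=g.get("netbios name", ""), U="user")
    parts = [p for p in unc.split("\\") if p]          # ['PDC1', 'Profiles', 'user']
    if unc and (len(parts) < 2 or parts[1].lower() not in conf):
        findings.append(f"[global] logon path names a missing share: {unc}")
    # Logon scripts are served from [netlogon]; it must exist and stay
    # read-only, or any user could replace the script every client runs.
    nl = conf.get("netlogon")
    if nl is None:
        findings.append("missing [netlogon] share for logon script")
    elif as_bool(nl.get("writable", nl.get("writeable", "no"))):
        findings.append("[netlogon] must not be writable")
    return findings
```

Point parse_smb_conf at the text of your own /etc/samba/smb.conf and print pdc_findings on the result; the checks cover only the parameters this article discusses, so an empty list means those are consistent, not that the whole file is valid.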