Build A Primary Domain Controller With Samba

Managing heterogeneous networks is one of the bigger
challenges facing the harried network administrator. Users want what
they want: Linux/UNIX, the many Windows variants, OS/2, Macintosh, OS
X, who knows what else. Samba is what makes cooperation and harmony
among all of these incompatible platforms possible.

Samba is the Open Source implementation of the SMB/CIFS (Server
Message Block / Common Internet File System) protocols. CIFS is an
evolution of SMB: it enables file and printer sharing across different
platforms over various transports such as NetBIOS, and it can also run
directly over TCP/IP without NetBIOS at all. (See the SNIA link below
for all the gory, yet fascinating details.) Samba is most commonly used
to enable file and printer sharing between Windows clients and
Linux/UNIX servers. As a file server it ranks at the top of the class;
the PC Magazine tests listed under Resources found it outperforming
Windows NT/2000 handily, in both speed and reliability.

Domain Controller

Microsoft’s concept of a Primary Domain
Controller is most useful, as it simplifies a number of network
administration chores. It provides “single sign-on”: the PDC stores
information about domain users, stores their profiles, and handles all
authentication requests, so users can access different services in the
domain without authenticating to each one separately.

Samba makes a fine NT-type PDC. It supports roaming profiles,
domain logon from all Windows clients, Windows NT4-type system
policies, name services (WINS), master browser, and user-level security
for Windows 9x/ME clients. In my opinion those clients do not belong in
a business environment, but if they’re there and you have to deal with
them, Samba doesn’t mind in the least.

Samba cannot act as a Backup Domain Controller to a Windows
PDC. There is a way to use two Samba machines as PDC/BDC (see
Resources). As a belt-and-suspenders kinda gal, I consider some kind of
redundancy essential: while the PDC is down, nobody logs on.

System Requirements

Samba runs on just about any Linux or
UNIX, as well as Mac OS X, OS/2, AmigaDOS, and Netware. For this
article I’m using Red Hat Linux 7.2 and Samba 2.2.3a. The current
stable version is 2.2.4. It pays to start with the latest stable
version, as the Samba team continually adds improvements and, more
importantly, security and bug fixes. Samba 3.0 adds native connectivity
with Microsoft’s Active Directory, support for Microsoft’s version of
Kerberos, SAM (Security Accounts Manager) replication, and doubtless
many other fine goodies. It’s not ready for a production server yet, as
it is still in alpha. Worth waiting for.

Hardware requirements, as always, depend on the load to be
handled. As users cannot access network services without the PDC, this
is not the place to pinch pennies. A pair of Celerons or Durons will
hold up better under load than a single Pentium or Athlon. More
important are memory, the disk subsystem, and the NIC. Lots and lots
of RAM, as Samba spawns a separate smbd process for every client
connection. A 3-disk SCSI RAID 5 array gives speed and data
protection. I’ve learned the hard way that it’s worth paying the price
for a server-quality Ethernet card. Not only are they more durable and
better-performing, they come with rafts of nice features you don’t get
with the $20 specials.

Installation

Download Samba from the Samba project site (see Resources), which
also offers various clients and utilities. As always with Linux, there
are two ways to install an application: RPM, or compile from
source. (OK, there are three: Debian’s apt-get. As I don’t speak
Debian, I’ll leave that to the Debian Linux gurus.) RPM is easier;
compiling from source gives more control. Whichever method you choose,
be sure to remove any existing Samba installations first.

rpm -qa|grep samba

tells you if Samba is on your system. If it returns nothing, there is
no Samba. Otherwise it lists the installed package names. Removal is
easy:

rpm -e (package name)

Red Hat splits Samba into three RPMs (server, client, and common
files), so be sure to remove every installed package. Don’t worry if
you don’t find all three on your system. The Samba team supplies a
single RPM for Red Hat. That’s the one I use. Before installing any
downloaded package, check its GPG signature with rpm --checksig; a PDC
is the last place you want to install an unverified binary.

smb.conf, the Center of the Universe

Depending on which
Linux distribution you have, and how Samba was installed, smb.conf can
be in a number of locations. The Red Hat RPM stows it in /etc/samba,
which thoughtfully contains all the Samba configuration files. No need
to send out a search expedition, simply use locate:

locate smb.conf

It is helpful to print it out and read it. It’s large, but don’t
let that scare you: it is well-commented and contains good
instructions. The Samba team provides a graphical interface,
SWAT. Webmin is a nice graphical frontend with a Samba
module. However, I don’t recommend either of them. SWAT has a habit of
re-arranging smb.conf to suit itself (stripping your comments along the
way), and unless you tunnel it through SSH or stunnel it sends the root
password over the network in the clear on TCP port 901. It’s really not
hard to get used to editing a text file, and I like being able to copy
& paste the whole thing. Can’t do that with a GUI. One advantage of
Webmin is that it allows delegating specific administrative functions to
other users. Nice for sharing the work, while restricting what your
helpers can get into.

The structure of smb.conf is simple and logical: one part is the
[global] section, the rest are share sections. Either # or ; comments
out a single line. The [global] values can be shuffled around in any
order; however, in the interests of readability, and knowing why you
did something a certain way, start with a comment, then list the
values:

# workgroup = NT-Domain-Name or Workgroup-Name
workgroup = MYGROUP

More comments are better; it’s amazing how something that
seemed crystal-clear turns opaque after a few weeks.

Share syntax is simple: each share name is enclosed in square
brackets, followed by the options that apply to that share. For
example:

[shared]
comment = shared folder for all users
path = /shared
browseable = no
writeable = yes

Important tip to prevent mysterious errors: a value set in a share
section overrides the same value in [global], which acts only as the
default for shares. For example, by default Samba grants any user who
correctly authenticates (usually with a login and password) access to
every share. A share can be restricted further:

[shared1]
comment = shared folder for users of group1
path = /shared1
browseable = no
writeable = yes
valid users = janis, jimi, jim

Only janis, jimi, and jim can connect to shared1. Note that valid users
is a Samba-level check layered on top of the ordinary Unix permissions
on /shared1; a user who passes it still gets only what those permissions
allow, so set both.
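As an added example (my own code, not the Samba project’s), here is a small Python script that reads an smb.conf, applies the override rule above to work out each share’s effective settings, and flags shares whose settings grant broad access. The smb.conf it reads is constructed from the [shared] and [shared1] sections above plus a hypothetical [public] share; the audit rules are heuristics of my own, not anything Samba enforces, and testparm remains the authoritative check of what Samba will actually load.

```python
"""Read an smb.conf, apply the share-overrides-global rule, audit the result.

Added example for this article, not code from the Samba project.  The
configuration below is constructed from the article's [shared] and [shared1]
sections plus a hypothetical [public] share; the audit rules are the author's
own heuristics, not checks Samba performs itself."""
import re

# Samba accepts several spellings for some parameters; map them to one name.
SYNONYMS = {"writable": "writeable", "write ok": "writeable"}

# Samba's own defaults for the share-level parameters this audit looks at.
DEFAULTS = {"browseable": "yes", "writeable": "no", "guest ok": "no"}

# Constructed sample configuration (the [public] share is hypothetical).
SAMPLE_SMB_CONF = """
[global]
   # workgroup = NT-Domain-Name or Workgroup-Name
   workgroup = MYGROUP
   ; comments may use either '#' or ';'
   browseable = yes

[shared]
   comment = shared folder for all users
   path = /shared
   browseable = no
   writeable = yes

[shared1]
   comment = shared folder for users of group1
   path = /shared1
   browseable = no
   writable = yes
   valid users = janis, jimi, jim

[public]
   path = /pub
   guest ok = yes
   read only = yes
"""


def to_bool(value):
    """Samba boolean: yes/true/1 are true, anything else is false."""
    return value.strip().lower() in ("yes", "true", "1")


def split_list(value):
    """Samba list values may be separated by commas, spaces or both."""
    return [item for item in re.split(r"[,\s]+", value.strip()) if item]


def parse_smb_conf(text):
    """Return {section: {parameter: value}}; names are lowercased as Samba does."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        header = re.match(r"^\[(.+)\]$", line)
        if header:
            current = header.group(1).strip().lower()
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue                      # Samba warns about and skips such lines
        key, value = (part.strip() for part in line.split("=", 1))
        key = re.sub(r"\s+", " ", key.lower())
        key = SYNONYMS.get(key, key)
        if key == "read only":            # "read only" is the inverse of writeable
            key, value = "writeable", ("no" if to_bool(value) else "yes")
        sections[current][key] = value
    return sections


def effective_shares(sections):
    """Merge Samba defaults and [global] under each share; the share's values win."""
    shares = {}
    for name, params in sections.items():
        if name == "global":
            continue
        merged = dict(DEFAULTS)
        merged.update(sections.get("global", {}))
        merged.update(params)             # share section overrides global
        shares[name] = merged
    return shares


def audit_shares(shares):
    """Return {share: [finding, ...]} for shares that grant broad access."""
    findings = {}
    for name, p in shares.items():
        notes = []
        restricted = split_list(p.get("valid users", ""))
        if to_bool(p["guest ok"]):
            notes.append("guest ok = yes: no authentication required")
        if to_bool(p["writeable"]) and not restricted:
            notes.append("writeable by every authenticated user (no valid users)")
        if to_bool(p["browseable"]) and to_bool(p["writeable"]):
            notes.append("writeable share advertised in browse lists")
        findings[name] = notes
    return findings


if __name__ == "__main__":
    shares = effective_shares(parse_smb_conf(SAMPLE_SMB_CONF))
    for share, notes in audit_shares(shares).items():
        print(f"[{share}] path={shares[share].get('path')}")
        for note in notes:
            print(f"    WARNING: {note}")
```

Run against the sample, [shared1] passes clean, [shared] is flagged because every authenticated domain user can write to it, and [public] is flagged for allowing guest access. Point the parser at your real /etc/samba/smb.conf to see which of your shares inherit more than you intended from [global].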

Basic Steps

  1. Server and network settings
  2. Security settings
  3. Roaming profiles
  4. Shares
  5. Netlogon
  6. User and machine accounts
  7. Configure clients

We’ll cover the gritty details in Part 2.

Resources:

Samba
Storage Networking Industry Association .pdf on CIFS
PC Magazine performance tests
Webmin
Samba as a backup domain controller
