Build A Primary Domain Controller With Samba, Part 2 - Page 2

By Carla Schroder

Now create a machines group and an admins group:
[root@windbag carla]# /usr/sbin/groupadd -g 200 admins
[root@windbag carla]# /usr/sbin/groupadd -g 201 machines

Be sure to select group IDs that do not conflict with existing groups; groupadd won't let you anyway. (In case you were wondering, my PC has a noisy fan, hence the hostname windbag.)

Next, create the directories named in smb.conf:
[root@windbag carla]# mkdir -m 0775 /home/samba /home/samba/netlogon
[root@windbag carla]# chown root.admins /home/samba/netlogon
[root@windbag carla]# mkdir /home/samba/profiles
[root@windbag carla]# chmod 1757 /home/samba/profiles

Do this exactly as shown, for security reasons: netlogon is writable only by root and the admins group, and the leading 1 in 1757 sets the sticky bit on profiles, so users can create their own profile directories there but cannot remove or rename one another's. Please see Resources for information on Linux file permissions.

Now add machine accounts. Each computer on the network needs an account, just as each user does. This adds the Unix account:
[root@windbag carla]# /usr/sbin/useradd -g machines -d /dev/null -c "machine nickname" -s /bin/false test$
That means it belongs to the machines group, has no home directory, carries a cutesy nickname of your choice, and has no shell access. I used "test" as the NetBIOS name (the Windows hostname), and the trailing $ identifies it as a trust account.

Next, lock the Unix password for the machine account:
[root@windbag carla]# passwd -l test$
Changing password for user test$
Locking password for user test$
passwd: Success

Now add the machine to /etc/samba/smbpasswd:
[root@windbag carla]# /usr/bin/smbpasswd -a -m test
If /etc/samba/smbpasswd does not exist, smbpasswd will create it. Note that smbpasswd does not require the $ appended to the machine name; the -m option already tells it this is a machine account. smbpasswd may not be in /usr/bin/; use the locate command to find it. Note that smbpasswd exists twice: as a command and as a text file.

A quick way to read the file is with the cat command:
[root@windbag carla]# cat /etc/samba/smbpasswd

For your human users the procedure is the same: useradd and passwd to create a Unix account, only don't lock the password, then smbpasswd to add the Samba entry. There is probably a clever way to automate this with a shell script. Unfortunately I'm a lousy scripter, so I'm afraid I can't be helpful here.
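One way to script the machine-account steps above, as an added example that is not part of the original article. It assumes the group name "machines" and the command paths used here, and the DRY_RUN switch is my own addition so the steps can be previewed without root:

```shell
#!/bin/sh
# Adds a Samba machine (trust) account the way the article does it by hand:
# Unix account in the machines group, no home, no shell, locked password,
# then the smbpasswd entry. With DRY_RUN set, the commands are printed
# instead of executed (useful for checking the names before running as root).

MACHINES_GROUP="${MACHINES_GROUP:-machines}"   # assumed group name, as in the article

run() {
    if [ -n "$DRY_RUN" ]; then
        echo "$*"
    else
        "$@"
    fi
}

# Validate a NetBIOS host name: 1-15 characters, letters, digits and hyphens only.
# A trailing "$" typed by the caller is accepted and stripped, since useradd
# needs it but smbpasswd does not.
netbios_name() {
    name=$(printf '%s' "$1" | sed 's/\$$//')
    case "$name" in
        ''|*[!A-Za-z0-9-]*) return 1 ;;
    esac
    [ ${#name} -le 15 ] || return 1
    printf '%s' "$name"
}

# add_machine_account HOSTNAME [NICKNAME]
add_machine_account() {
    name=$(netbios_name "$1") || { echo "bad NetBIOS name: $1" >&2; return 1; }
    nick="${2:-machine $name}"
    run /usr/sbin/useradd -g "$MACHINES_GROUP" -d /dev/null -c "$nick" -s /bin/false "$name\$" || return 1
    run passwd -l "$name\$" || return 1
    run /usr/bin/smbpasswd -a -m "$name"
}

# Usage: ./addmachine.sh host1 host2 ...   (run as root; DRY_RUN=1 to preview)
for h in "$@"; do
    add_machine_account "$h"
done
```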

Run the command "testparm" to find syntax errors in smb.conf; see man testparm for all options. Then, as root:
Start: /etc/rc.d/init.d/smb start
Stop: /etc/rc.d/init.d/smb stop
Test: smbclient -L localhost

That takes care of the server configuration. Now join Windows clients to your domain. Windows 9x/ME is easy: make sure that Client For Microsoft Networks is selected as the Primary Network Logon. Then Client For Microsoft Networks -> Properties -> Logon to NT Domain.

For Windows NT/2000, set the domain name, then be sure that your first logon is as root. An ordinary user will not work. After the initial root logon, any user can log in with their own account. If the machine account was created manually, be sure not to select "Create a Computer Account In the Domain." The Samba PDC howto tells how to create machine accounts "on the fly."

Windows XP is a bear. The Home edition cannot be joined to a domain. XP Professional sometimes requires a registry patch to connect to Samba, sometimes it goes as easily as Win2000. Please visit the smb-clients mail list for the best help.

I left out creating user and printer shares on purpose; it's simple and abundantly documented. The O'Reilly book "Using Samba" is invaluable, especially for troubleshooting, and so is the documentation on samba.org. The most common mistakes are typos in smb.conf. Be kind to yourself: get enough sleep and take it slowly.

Resources:
Samba.org documentation, including all man pages
Linux File Permissions
Samba-PDC LDAP howto
Samba PDC howto
Samba mail lists
This article was originally published on Jul 17, 2007