Build A Primary Domain Controller With Samba, Part 2

Our recipe for quick configuration will make it easy for you to drop a Samba-based PDC into your Windows network for single sign-on authentication, roaming profiles, and more.

 By Carla Schroder
Second of two parts. Read Part One.

Today we leap right into smb.conf and configure our Samba primary domain controller. Remember: There Can Be Only One. Do not use this configuration if there is already a PDC on your network.

It may help to print and annotate smb.conf. Be sure to make a backup copy before changing anything. Samba's man pages are exceptionally useful; start with man samba and man smb.conf. Some of the comments below are abbreviated; see smb.conf for the full text. A complete list of global parameters is in man smb.conf. You can't just invent parameter names; you must use the official Samba parameters.

Put your domain name and server hostname here:
# workgroup = NT-Domain-Name or Workgroup-Name
workgroup = MYGROUP
netbios name = HOSTNAME

# server string is the equivalent of the NT Description field
server string = Samba PDC %v %h
%v displays the Samba version number and %h displays the hostname; this string shows up in Network Neighborhood. See man smb.conf for a full explanation of all variable substitutions. Or say anything you want:
server string = Carla's Samba server, and a darn fine one it is

Define subnets:
# This option is important for security...
hosts allow = 192.168.1., 127.
The localhost address will always be allowed access unless it is denied by a "hosts deny" option. Entries may be separated by spaces, commas, or tabs. Individual IPs can be excluded with the EXCEPT keyword, listing the addresses to exclude after it:
hosts allow = 192.168., EXCEPT
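As an added illustration (not part of the article, and not Samba's own code), the following POSIX shell function models how Samba matches a client address against a hosts allow list of the kinds shown above: a dotted prefix such as 192.168.1. matches a whole subnet, a full address matches one host, and entries after EXCEPT are carved out of the allowed set. It is a simplified model: hostname and netmask forms and the hosts deny list are not handled, and the rule lists and client addresses used in the comments are constructed for the demonstration.

```shell
#!/bin/sh
# Simplified model of Samba "hosts allow" matching (added example, not Samba code).
# Supported entry forms: "192.168.1." (prefix = subnet), "192.168.1.20" (one host),
# and "EXCEPT" followed by entries to exclude. Netmask/hostname forms and
# "hosts deny" are not modelled.

# entry_matches "<entries>" "<client ip>": succeed if any whitespace-separated
# entry matches the address (prefix match when the entry ends in ".").
entry_matches() {
    for entry in $1; do
        case $entry in
            *.) case $2 in "$entry"*) return 0 ;; esac ;;
            *)  [ "$entry" = "$2" ] && return 0 ;;
        esac
    done
    return 1
}

# host_allowed "<hosts allow value>" "<client ip>": print allow/deny and
# return 0 for allow, 1 for deny.
host_allowed() {
    rules=$1
    client=$2
    # Samba always admits the loopback address unless "hosts deny" says otherwise.
    case $client in
        127.*) echo allow; return 0 ;;
    esac
    # Normalise comma/tab delimiters to spaces and split at the EXCEPT keyword.
    rules=$(printf '%s' "$rules" | tr ',\t' '  ')
    case $rules in
        *EXCEPT*)
            allowed=${rules%%EXCEPT*}
            excluded=${rules#*EXCEPT}
            ;;
        *)
            allowed=$rules
            excluded=""
            ;;
    esac
    # Exclusions win over the allow list, then the allow list must match.
    if entry_matches "$excluded" "$client"; then
        echo deny; return 1
    fi
    if entry_matches "$allowed" "$client"; then
        echo allow; return 0
    fi
    echo deny; return 1
}

# Constructed sample checks, e.g. from the shell:
#   host_allowed '192.168.1., 127.' 192.168.1.20             -> allow
#   host_allowed '192.168., EXCEPT 192.168.2.7' 192.168.2.7  -> deny
```

The point to notice is how broad a prefix is: 192.168. admits every address in 192.168.0.0/16, so an EXCEPT list is the only thing keeping individual hosts in that range out.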

# Put a capping on the size of the log files (in Kb).
max log size = 50
Side note: I like to isolate /var in its own partition, so that a log file growing out of control (during a DoS attack or other mayhem, for example) cannot fill the root filesystem and crash the system.

# Security mode...
security = user

# You may wish to use password encryption....
encrypt passwords = yes
smb passwd file = /etc/samba/smbpasswd

# The following are needed to allow password changing from Windows to
# update the Linux system password also.
unix password sync = yes
passwd program = /usr/bin/passwd %u
passwd chat = *New*password* %n\n *Please*retype*new*password* %n\n *password*successfully*updated*

# Browser Control Options:
local master = yes

#OS Level ...
os level = 64

# Domain Master specifies Samba to be the Domain Master Browser....
domain master = yes

# Preferred Master ...
preferred master = yes

# Enable this if you want Samba to be a domain logon server for
# Windows95 workstations.
domain logons = yes

# Where to store roving profiles (only for Win95 and WinNT)
# %L substitutes for this server's netbios name, %U is username
# You must uncomment the [Profiles] share below
logon path = \\%L\Profiles\%U

Add these lines (use whatever drive letter you like for logon drive):
logon home = \\%L\%U
logon drive = H:
logon script = netlogon.bat

#=== shares ===
# [homes] and [netlogon] are Samba's standard share names; [Profiles] is the
# share named in the "logon path" above.
[homes]
comment = Home Directories
browseable = no
writable = yes
valid users = %S
create mode = 0664
directory mode = 0775

[netlogon]
comment = Network Logon Service
path = /home/samba/netlogon
writable = no
share modes = no

[Profiles]
path = /home/samba/profiles
browseable = no
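To tie the logon settings and the shares together, here is an added POSIX shell example (not from the article or from Samba) that checks an smb.conf for the PDC-related parameters set above and then writes the netlogon.bat that the logon script line points at. The sample smb.conf it writes is constructed from the values on this page; the directory it writes into and the server name passed to write_logon_script are arguments you choose. The batch file is written with CRLF line endings, because a logon script saved with Unix line endings is a classic cause of logons that silently do nothing.

```shell
#!/bin/sh
# Added example (not from the article or from Samba): lint an smb.conf for the
# PDC settings this article sets, and write the netlogon.bat that "logon script"
# refers to. The sample config is constructed from the values on this page.

# write_sample_conf <file>: constructed smb.conf using the article's settings.
write_sample_conf() {
    cat > "$1" <<'EOF'
[global]
   workgroup = MYGROUP
   netbios name = HOSTNAME
   hosts allow = 192.168.1., 127.
   security = user
   encrypt passwords = yes
   smb passwd file = /etc/samba/smbpasswd
   local master = yes
   os level = 64
   domain master = yes
   preferred master = yes
   domain logons = yes
   logon path = \\%L\Profiles\%U
   logon home = \\%L\%U
   logon drive = H:
   logon script = netlogon.bat

[homes]
   comment = Home Directories
   browseable = no
   writable = yes
   valid users = %S

[netlogon]
   comment = Network Logon Service
   path = /home/samba/netlogon
   writable = no
   share modes = no

[Profiles]
   path = /home/samba/profiles
   browseable = no
EOF
}

# pdc_lint <smb.conf>: print one line per missing or wrong setting; return 0
# when clean. Parameter names are compared case-insensitively with whitespace
# removed; parameters are read from [global] only, plus a check that the
# [netlogon] and [Profiles] shares exist.
pdc_lint() {
    awk '
        /^[ \t]*\[/ { section = tolower($0); gsub(/[^a-z0-9_]/, "", section); seen[section] = 1; next }
        /^[ \t]*[#;]/ || /^[ \t]*$/ { next }
        section == "global" && index($0, "=") {
            eq  = index($0, "=")
            key = tolower(substr($0, 1, eq - 1)); gsub(/[ \t]/, "", key)
            val = tolower(substr($0, eq + 1));    gsub(/^[ \t]+|[ \t]+$/, "", val)
            g[key] = val
        }
        END {
            bad = 0
            n = split("security=user|encrypt passwords=yes|domain logons=yes|domain master=yes|local master=yes|preferred master=yes|logon script=netlogon.bat", want, "|")
            for (i = 1; i <= n; i++) {
                eq = index(want[i], "=")
                k = substr(want[i], 1, eq - 1); v = substr(want[i], eq + 1)
                kn = k; gsub(/ /, "", kn)
                if (g[kn] != v) { printf "global: expected \"%s = %s\", got \"%s\"\n", k, v, g[kn]; bad = 1 }
            }
            if (!("netlogon" in seen)) { print "missing [netlogon] share"; bad = 1 }
            if (!("profiles" in seen)) { print "missing [Profiles] share"; bad = 1 }
            exit bad
        }' "$1"
}

# write_logon_script <dir> <server netbios name>: create netlogon.bat with the
# CRLF line endings Windows batch files require. Both lines are standard
# Windows commands: map H: to the "logon home" share, then sync the clock to
# the PDC (the server name is the argument you pass, e.g. HOSTNAME).
write_logon_script() {
    mkdir -p "$1"
    printf '@echo off\r\nnet use H: /home\r\nnet time \\\\%s /set /yes\r\n' "$2" > "$1/netlogon.bat"
}

# has_crlf <file>: succeed when every line of the file ends in CR LF.
has_crlf() {
    cr=$(printf '\r')
    total=$(grep -c '' "$1")
    crlf=$(grep -c "$cr"'$' "$1")
    [ "$total" -gt 0 ] && [ "$total" -eq "$crlf" ]
}
```

Run pdc_lint against your real /etc/samba/smb.conf before restarting Samba; it reports each parameter that differs from the PDC recipe and a missing [netlogon] or [Profiles] share, and exits non-zero so it can gate a deployment script.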

This article was originally published on Jul 17, 2007