>The Samba 2.2 PDC HowTo </TITLE
CONTENT="Modular DocBook HTML Stylesheet Version 1.57"></HEAD
NAME="SAMBA-PDC-HOWTO"
NAME="SAMBA-PDC-HOWTO"
>The Samba 2.2 PDC HowTo</A
>La Trobe University<BR></SPAN
>Comments, corrections and additions to <TT
HREF="mailto:dbannon@samba.org"
> This document explains how to set up Samba as a Primary Domain Controller and
applies to version 2.2.0.
using these functions make sure you understand what the controller can and cannot do.
Please read the sections below in the Introduction.
As 2.2.0 is incrementally updated
this document will change or become out of date very quickly; make sure you are
reading the most current version.
>Please note this document does not apply to Samba2.2alpha0, Samba2.2alpha1,
Samba 2.0.7, TNG nor HEAD branch.</P
>It does apply to the current (post November 27th) cvs.</P
> Also available is an updated version of Jerry Carter's NTDom <A
HREF="samba-pdc-faq.html"
> that will answer lots of
the special 'tuning' questions that are not covered here. Over the next couple of weeks
some of the items here will be moved to the FAQ.
>What can't we do ?</A
>A sample conf file</A
>PDC Config Parameters</A
>Special directories</A
>User and Machine Accounts</A
HREF="#MACHINEACCOUNT"
>Joining the Domain</A
>Domain Admin Accounts</A
>Profiles, Policies and Logon Scripts</A
>Passwords and Authentication</A
>Syncing Passwords</A
>Authenticating other Samba Servers</A
>Getting further help</A
>Chapter 1. Introduction</A
>This document will show you one way of making Version 2.2.0
of Samba perform some of the tasks of an
NT Primary Domain Controller. The facilities described are built into Samba as a result of
development work done over a number of years by a large number of people. These facilities
are only just beginning to be officially supported and although they do appear to work reliably,
if you use them then you take the risks upon yourself. This document does not cover the
developmental versions of Samba, particularly
HREF="http://www.samba-tng.org/"
HREF="http://bioserve.latrobe.edu.au/samba"
supports significantly less of the NT Domain facilities compared with 2.2.0
> This document does not replace the text files DOMAIN_CONTROL.txt, DOMAIN.txt (by
John H Terpstra) or NTDOMAIN.txt (by Luke Kenneth Casson Leighton). Those documents provide
more detail and an insight into the development
cycle and should be considered 'further reading'. </P
>Permit 'domain logons' for Win95/98, NT4 and W2K workstations from one central
password database. WRT W2K, please see the section about adding machine
accounts and the Intro in the <A
HREF="samba-pdc-faq.html"
>Grant Administrator privileges to particular domain users on an
NT or W2K workstation.</P
>Apply policies from a domain policy file to NT and W2K (?)
>Run the appropriate logon script when a user logs on to the domain
>Maintain a user's local profile on the server.</P
>Validate a user using another system via smb (such as smb_pam) and
>What can't we do ?</A
> Become or work with a Backup Domain Controller (a BDC).</P
> Participate in any sort of trust relationship (with either Samba or NT
> Offer a list of domain users to User Manager for Domains
on the Security Tab etc).</P
>Be a W2K type of Domain Controller. Samba PDC will behave like
an NT PDC; W2K workstations connect in legacy mode.</P
>Chapter 2. Installing</A
>Installing consists of the usual download, configure, make and make
install process. These steps are well documented elsewhere.
HREF="samba-pdc-faq.html"
> discusses getting pre-release versions via CVS.
Then you need to configure the server.</P
>Skip this section if you have a working Samba already.
Everyone has their own favourite startup script. Here is mine, offered with no warranty
CLASS="PROGRAMLISTING"
#!/bin/sh
# Script to control Samba server, David Bannon, 14-6-96
# (the case/if/while structure is restored around the fragments shown here)
PATH=/bin:/usr/sbin:/usr/bin

# stop_daemon NAME: kill every NAME process until none is left
stop_daemon () {
    psline=`/bin/ps x | grep $1 | grep -v grep`
    if [ "$psline" != "" ]; then
        while [ "$psline" != "" ]; do
            pid=`echo "$psline" | awk '{print $1}'`
            kill $pid
            sleep 1
            psline=`/bin/ps x | fgrep $1 | grep -v grep`
            echo "Stopped $pid line = $psline"
        done
    fi
}

case "$1" in
    start)
        if [ -f /usr/local/samba/bin/smbd ]; then
            /usr/local/samba/bin/smbd -D
            /usr/local/samba/bin/nmbd -D
            echo "Starting Samba Server"
        fi
        ;;
    stop)
        stop_daemon smbd
        echo "Stopped Samba servers"
        stop_daemon nmbd
        echo "Stopped Name Servers"
        ;;
    restart)
        $0 stop
        $0 start
        ;;
    conf)
        if [ -f /usr/local/samba/lib/smb.conf ]; then
            vi /usr/local/samba/lib/smb.conf
        fi
        ;;
    pw)
        if [ -f /usr/local/samba/private/smbpasswd ]; then
            vi /usr/local/samba/private/smbpasswd
        fi
        ;;
    who)
        /usr/local/samba/bin/smbstatus -b
        ;;
    *)
        echo "usage: samba {start | restart |stop | conf | pw | who}"
        ;;
esac
> Whether you use this script or some other one, you will need to ensure it is run while the machine
is booting. (This typically involves <TT
assuming that there is a script called
>/etc/rc.d/init.d</TT
> further down in this document.)</P
>A sample conf file</A
>Here is a fairly minimal config file to do PDC. It will also make the server
become the browse master for the
specified domain (not necessary but usually desirable). You will need to change only
two parameters to make this
you will need to put your own name (not mine!) in the <TT
>domain admin users</TT
Some of the parameters are discussed further down this document.</P
>Assuming you have used the default install directories, this file should appear as
>/usr/local/samba/lib/smb.conf</TT
writable by anyone except root.</P
>The 'add user script' parameter is a work-around, watch for changes !</P
CLASS="PROGRAMLISTING"
workgroup = { Your domain name here }
wins server = { ip of a wins server if you have one }
encrypt passwords = yes
logon script = scripts\%U.bat
domain admin group = @adm
add user script = /usr/sbin/adduser -n -g machines -c Machine -d /dev/null -s /bin/false %m$
directory mask = 0700
path = /usr/local/samba/netlogon
>PDC Config Parameters</A
>There is a huge range of parameters that may appear in an smb.conf file. Some
that may be of interest to a PDC are :</B
>This parameter specifies a script (or program) that will be run
to add a user to the system. Here it is being used to add a machine, not a user.
This is probably not very nice and may change. But it does work !</P
>For this example, I have a group called 'machines', entries can be added to
> using a programme called <TT
the other parameters are chosen as suitable for a machine account. This works on
RH Linux; your system may require changes.</P
>domain admin group = @adm</DT
>This parameter specifies a unix group whose members will be granted
admin privileges on an NT workstation when
logged onto that workstation. See the section called <A
>domain admin users = user1 users2</DT
>It appears that this parameter does not function correctly at present.
Use the 'domain admin group' instead. This parameter specifies a unix user who will
be granted admin privileges
on an NT workstation when
logged onto that workstation. See the section called <A
>encrypt passwords = yes</DT
>This parameter must be 'yes' to allow any of the recent service pack NTs to logon. There are some reg hacks that
turn off encrypted passwords on the NTws itself but if you are going to use the smbpasswd system (and you
should) you must use encrypted passwords.</P
>logon script = scripts\%U.bat</DT
>This will make samba look for a logon script named after the user
See the section further on called <A
>Note that the slash is like this '\', not like this '/'.
NT is happy with both, win95 is not !</P
>Lets you specify where you would like users' profiles kept. The default, that is in the user's
home directory, does encourage a bit of fiddling.</P
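To check that a finished smb.conf actually carries the settings this section calls for, here is an added example in POSIX shell (not code from the HowTo or from Samba): a small lint that reads a constructed sample configuration and reports on the PDC-relevant values. The sample reuses the parameters above and adds the standard Samba lines `security = user`, `domain logons = yes`, `domain master = yes`, `preferred master = yes` and `os level = 64`, which a PDC also needs (`domain logons` turns the facility on; the other three make the server the browse master, as the sample file section describes). The workgroup name EXAMPLEDOM and the temp file are constructed.

```shell
#!/bin/sh
# Added example: lint an smb.conf for the settings a Samba 2.2 PDC needs.
# Not the HowTo's code; EXAMPLEDOM and the temp file below are constructed.

# conf_get FILE SECTION KEY -> print the value of KEY in [SECTION] (first match,
# case-insensitive, comment lines skipped), or nothing if it is unset
conf_get() {
    awk -v want_sec="$2" -v want_key="$3" '
        /^[ \t]*[;#]/ { next }
        /^[ \t]*\[/ {
            sec = substr($0, index($0, "[") + 1)
            sec = substr(sec, 1, index(sec, "]") - 1)
            gsub(/[ \t]/, "", sec); next
        }
        index($0, "=") {
            key = $0; sub(/=.*/, "", key); gsub(/^[ \t]+|[ \t]+$/, "", key)
            val = $0; sub(/^[^=]*=/, "", val); gsub(/^[ \t]+|[ \t]+$/, "", val)
            if (tolower(sec) == tolower(want_sec) && tolower(key) == tolower(want_key)) {
                print val; exit
            }
        }' "$1"
}

lower() { printf '%s' "$1" | tr 'A-Z' 'a-z'; }

# check_pdc_conf FILE -> 0 if the PDC settings look sane, 1 with FAIL lines otherwise
check_pdc_conf() {
    conf="$1"; rc=0
    # service-packed NT clients only log on with encrypted passwords, and
    # domain logons need user-level security
    for pair in "encrypt passwords:yes" "domain logons:yes" "security:user"; do
        key=${pair%%:*}; want=${pair##*:}
        got=$(conf_get "$conf" global "$key")
        if [ "$(lower "$got")" != "$want" ]; then
            echo "FAIL: [global] $key should be '$want' (got '${got:-unset}')"; rc=1
        fi
    done
    # the netlogon share serves ntconfig.pol and logon scripts: it must exist
    # and ordinary users must not be able to write to it
    if [ -z "$(conf_get "$conf" netlogon path)" ]; then
        echo "FAIL: no [netlogon] share with a path"; rc=1
    fi
    if [ "$(lower "$(conf_get "$conf" netlogon 'read only')")" = "no" ] ||
       [ "$(lower "$(conf_get "$conf" netlogon writable)")" = "yes" ] ||
       [ "$(lower "$(conf_get "$conf" netlogon writeable)")" = "yes" ]; then
        echo "FAIL: [netlogon] is writable by connecting users"; rc=1
    fi
    # add user script is being used for machine accounts, so it must be
    # handed the machine name plus a trailing '$'
    case "$(conf_get "$conf" global 'add user script')" in
        *'%m$') ;;
        *) echo "FAIL: add user script does not end with %m\$"; rc=1 ;;
    esac
    return $rc
}

# write_sample_conf FILE -> a constructed minimal PDC config in the HowTo's layout
write_sample_conf() {
    cat > "$1" <<'EOF'
[global]
   workgroup = EXAMPLEDOM
   encrypt passwords = yes
   security = user
   domain logons = yes
   domain master = yes
   preferred master = yes
   os level = 64
   logon script = scripts\%U.bat
   domain admin group = @adm
   add user script = /usr/sbin/adduser -n -g machines -c Machine -d /dev/null -s /bin/false %m$

[homes]
   read only = no
   directory mask = 0700

[netlogon]
   path = /usr/local/samba/netlogon
   read only = yes
EOF
}

tmp=$(mktemp -d)
write_sample_conf "$tmp/smb.conf"
check_pdc_conf "$tmp/smb.conf" && echo "$tmp/smb.conf: PDC settings look sane"
```

The parser is deliberately simple (first match per section, no `include` or `config file` handling), so it complements rather than replaces running Samba's own `testparm` on the real file.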
>Special directories</A
>You need to create a couple of special files and directories. It's nice
to have some of the binaries handy too, so I create links to them. Assuming
you have used the default samba location and have not
changed the locations mentioned in the sample config file, do the following :</P
CLASS="PROGRAMLISTING"
mkdir /usr/local/samba/netlogon
mkdir /usr/local/samba/netlogon/scripts
mkdir /usr/local/samba/private
touch /usr/local/samba/private/smbpasswd
chmod go-rwx /usr/local/samba/private/smbpasswd
ln -s /usr/local/samba/bin/smbpasswd
ln -s /usr/local/samba/bin/smbclient
ln -s /etc/rc.d/init.d/samba</PRE
>Make sure permissions are appropriate !</P
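"Appropriate" here means: the netlogon tree readable by every client but writable only by root, and smbpasswd (which holds the NT password hashes) readable by root alone. The following is an added example, not the HowTo's own code: a shell helper that creates the same layout as the mkdir commands above under a chosen root and an audit function that reports any deviation. The root is a temp directory so the script runs unprivileged; for a real server it would be /usr/local/samba and the commands would run as root.

```shell
#!/bin/sh
# Added example: create the PDC's special directories and audit their modes.
# Not the HowTo's own code. The layout follows the mkdir commands above; the
# root is a temp dir here so it can run unprivileged (use /usr/local/samba for real).

# setup_pdc_dirs ROOT -> create netlogon, netlogon/scripts, private/smbpasswd
setup_pdc_dirs() {
    root="$1"
    # ntconfig.pol and logon scripts live here: clients must read them,
    # only root may change them
    mkdir -p "$root/netlogon/scripts"
    chmod 755 "$root/netlogon" "$root/netlogon/scripts"
    # smbpasswd holds NT password hashes; 600 is what 'chmod go-rwx' gives a 644 file
    mkdir -p "$root/private"
    chmod 700 "$root/private"
    [ -f "$root/private/smbpasswd" ] || : > "$root/private/smbpasswd"
    chmod 600 "$root/private/smbpasswd"
}

# perm_of PATH -> octal mode bits (GNU stat, falling back to BSD stat)
perm_of() {
    stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1"
}

# audit_pdc_dirs ROOT -> 0 when every special path is safe, 1 with FAIL lines
audit_pdc_dirs() {
    root="$1"; rc=0
    for d in "$root/netlogon" "$root/netlogon/scripts" "$root/private"; do
        [ -d "$d" ] || { echo "FAIL: missing directory $d"; rc=1; continue; }
        # last octal digit with the write bit set (2,3,6,7) = world-writable
        case "$(perm_of "$d")" in
            *[2367]) echo "FAIL: $d is world-writable"; rc=1 ;;
        esac
    done
    case "$(perm_of "$root/private/smbpasswd" 2>/dev/null)" in
        600|400) ;;
        *) echo "FAIL: $root/private/smbpasswd must be mode 600"; rc=1 ;;
    esac
    # a writable policy or logon script file is as bad as a writable directory
    bad=$(find "$root/netlogon" -type f -perm -002 -print 2>/dev/null)
    if [ -n "$bad" ]; then
        echo "FAIL: world-writable files under netlogon:"; echo "$bad"; rc=1
    fi
    return $rc
}

demo=$(mktemp -d)
setup_pdc_dirs "$demo"
audit_pdc_dirs "$demo" && echo "ok: $demo passes the audit"
```

Ownership is not checked here because the demo runs as an ordinary user; on the server, add `ls -ld` to confirm everything under netlogon and private is owned by root.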
>OK, if you have used the scripts above and have a path to where the links are, do this to start up
the Samba Server :</P
>Instead, you might like to reboot the machine to make sure that you
got the init stuff right. Anyway, a quick look in the logs
>/usr/local/samba/var/log.smbd</TT
> /usr/local/samba/var/log/nmbd</TT
will give you an idea of what's happening. Assuming all is well, let's create
>Chapter 3. User and Machine Accounts</A
>This section is very nearly out of date already !</I
appears that while you are reading it, Jean Francois Micou is making it
redundant ! Jean Francois is adding facilities to add users
(via User Manager) and machines (when joining the domain) and it looks like these facilities will
make it into the official release of 2.2.</P
>Every user and NTws (and other samba servers) that will be on the domain
must have its own passwd entry in both <TT
>/usr/local/samba/private/smbpasswd</TT
only to reserve a user ID. The NT encrypted password is stored in
>/usr/local/samba/private/smbpasswd</TT
(Note that win95/98 machines don't need an account as they don't do
any security aware things.)</P
>Samba 2.2 will now create these entries for us. Careful set up is required
and there may well be some changes to this system before it's released.
NAME="MACHINEACCOUNT"
>There is an entry in the ntdom <A
HREF="samba-pdc-faq.html"
> explaining how to create
machine entries manually.</P
> to have the machine accounts created when a machine joins
the domain a number of conditions must be met :</B
>Only root can do it !</DT
>There must be an entry in <TT
>/usr/local/samba/private/smbpasswd</TT
for root and root must be mentioned in <TT
be fixed some time in the future so any 'domain admin' can do it. If you don't
like having root as a windows logon account, make the machine
entries manually (both of them).</P
>Again, this looks a bit like a 'work around'. Use a suitable
command line to add a machine account <A
and pass it %m$, that is %m to get machine name plus the '$'. Now, this
means you cannot use the <TT
> to really add users .... </P
>This automatic creation of machine accounts does not work for
NT4ws at present. Watch this space.</P
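Because the `add user script` parameter runs with whatever the joining client sent as its NetBIOS name (that is what %m expands to), it is worth putting a small wrapper between Samba and adduser rather than calling adduser directly. The script below is an added example, not the HowTo's or Samba's code; it accepts only a plausible machine account name (1 to 15 letters, digits, underscore or hyphen, followed by the trailing `$`) and then runs the same adduser invocation as the sample smb.conf. The path /usr/local/samba/bin/add-machine.sh in the comment is hypothetical; the sample names WS01$ and WS 01$ are constructed.

```shell
#!/bin/sh
# Added example, not the HowTo's or Samba's code: a wrapper to point the
# 'add user script' parameter at instead of calling adduser directly, e.g.
#   add user script = /usr/local/samba/bin/add-machine.sh %m$
# (the path is hypothetical). Samba substitutes the joining client's NetBIOS
# name for %m, so the first argument is whatever the client sent plus '$'.
# The wrapper creates the unix entry only for a plausible machine account name.

# valid_machine_name NAME -> 0 if NAME is 1-15 letters/digits/_/- followed by '$'
valid_machine_name() {
    printf '%s\n' "$1" | grep -Eq '^[A-Za-z0-9_-]{1,15}\$$'
}

# add_machine_account NAME [CMD] -> run CMD (default /usr/sbin/adduser) with
# the same options as the sample smb.conf: group 'machines', no home, no shell
add_machine_account() {
    name="$1"; cmd="${2:-/usr/sbin/adduser}"
    if ! valid_machine_name "$name"; then
        # names with other characters are rejected here; add those by hand
        echo "add-machine: refusing '$name', not a machine account name" >&2
        return 1
    fi
    "$cmd" -n -g machines -c Machine -d /dev/null -s /bin/false "$name"
}

if [ $# -gt 0 ]; then
    # invoked by smbd: the single argument is %m$
    add_machine_account "$1"
else
    # run by hand with no arguments: show what would happen for two sample names
    show_cmd() { printf 'would run: adduser %s\n' "$*"; }
    add_machine_account 'WS01$' show_cmd
    add_machine_account 'WS 01$' show_cmd || echo "rejected, as intended"
fi
```

The second parameter exists only so the command can be swapped for a print function when testing; in production it is left out and the wrapper, like the bare adduser line, still runs as root under smbd.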
>Joining the Domain</A
>You must have either added the machine account entries manually (NT4 ws)
or set up the automatic system (W2K), <A
HREF="#MACHINEACCOUNT"
>see Machine Accounts</A
before proceeding.</P
>this step may not be necessary some time in the near future</I
On the samba server that is the PDC, add a machine account manually
as per the instructions in the <A
HREF="samba-pdc-faq.html"
Then give the command <B
>smbpasswd -a -m {machine}</B
> substituting in the
client machine name.</P
> Logon to the NTws in question as a local admin, go to the
>Control Panel, Network Identification Tab</B
> Enter the Domain name (from the 'Workgroup' parameter, smb.conf)
in the Domain Field.</P
> Press OK and after a few seconds you will get a 'Welcome to Whatever Domain'.
>Logon to the W2k machine as Administrator, go to the Control
Panel and double click on <B
>Network and Dialup Connections</B
>Network Identification</B
> and enter the domain name. Press 'OK'.</P
>Now enter a user name and password for a Domain Admin
>(Who must be root until a pre-release bug is fixed)</I
>Wait for the confirmation, reboot when prompted.</P
>To remove a W2K machine from the domain, follow the first two steps then
>, enter a work group name (or just WORKGROUP) and follow
>Again, doing it manually (because the auto way is not working pre-release).
In our simple case every domain user should have an account on the PDC. The
account may have a null shell if they are not allowed to log on to the unix
prompt. Again they need an entry in both the <TT
>/usr/local/samba/private/smbpasswd</TT
>. Again a password is
not necessary in <TT
of the home directory is honoured.
To make an entry for a user called Joe Blow you would typically do the following :</P
>adduser -g users -c 'Joe Blow' -s /bin/false -n joeblow</B
>smbpasswd -a joeblow</B
>And you will be prompted to enter a password for Joe. Ideally he will be
hovering over your shoulder and will, when asked, type in a password of
his choice. There are a number of scripts and systems to ease the migration of users
from somewhere to samba. Better start looking !</P
>Domain Admin Accounts</A
>Certain operations demand that the logged on user has Administrator
privileges, typically installing software and
doing maintenance tasks. It is very simple to appoint some users as Domain Admins,
most likely yourself. Make
sure you trust the appointee !</P
>Samba 2.2 recognizes particular users as being
domain admins and tells the NTws when it thinks that it has got one logged on.
In the smb.conf file we declare
>Domain Admin group = @adm</TT
Any user who is a member of the unix group 'adm' is treated as a Domain Admin by an NTws when
logged onto the Domain. They will have full Administrator rights
including the rights to change permissions on files and run the system
utilities such as Disk Administrator. Add users to the group by editing <TT
>. You do not need to use the 'adm' group, choose any one you like.</P
>Further, and this is very new, they will be allowed to create a
new machine account when first connecting a new NT or W2K machine to
>However, at present, ie pre-release, only a Domain Admin who
also happens to be root can do so. </I
>Chapter 4. Profiles, Policies and Logon Scripts</A
>NT Profiles should work if you have followed the setup so far.
A user's profile contains a whole lot of their personal settings,
the contents of their desktop, personal 'My Documents' and so on.
When they log off, all of the profile is copied to their directory
on the server and is downloaded again when they log on again, possibly
on another client machine.</P
>Sounds great but can be a bit of a bugbear sometimes. Users let
their profiles get too big and then complain about how long it takes
to log on each time. This sample setup only supports NT profiles;
rumor has it that it is also possible to do the same on Win95, my
users don't know and I'm not telling them.</P
>There is more info about Profiles (including for W95/98)
HREF="samba-pdc-faq.html"
>Policies are an easy way to make or enforce specific characteristics across your network. You create a ntconfig.pol
file and every time someone logs on with their NTws, the settings you put in ntconfig.pol are applied to the NTws.
Typical settings are things like making the date appear the way you want it (none of these 2 figure years here) or
maybe suppressing one of the splash screens. Perhaps you want to set the NTws so it does not keep users' profiles
on the local machine. Cool. The only problem is making the ntconfig.pol file itself. You cannot use the policy editor
that comes with NTws.</P
HREF="samba-pdc-faq.html"
> for pointers on how to get a suitable Policy Editor.</P
>The Policy Editor (and associated files) will create a
parameters Microsoft thought of and parameters you specify by making your own
>In our example configuration here, Samba will expect to find
>/usr/local/samba/netlogon</TT
>. Needless to say (I hope !),
it is vitally important that ordinary users don't have
write permission to the Policy files.</P
>In the sample config file above there is a line
>logon script = scripts\%U.bat</TT
>Note that the slash is like this '\' not like this '/'.
NT is happy with both, win95 is not !</P
>This allows you to run a dos batch file every time someone logs on. The batch
file is located on the server, in the sample install mentioned here,
>/usr/local/samba/netlogon/scripts</TT
is named after the user with <TT
Blow's script is called <TT
>/usr/local/samba/netlogon/scripts/joeblow.bat</TT
>There is a suggestion that user names longer than 8 characters may cause
problems with some systems being unable to run logon scripts. This is confirmed in earlier
versions when connecting using W95, comments about other combinations ??</P
>You could use a line like this <TT
>logon script = default.bat</TT
>/usr/local/samba/netlogon/default.bat</TT
> for any client and every
user. Maybe you could use %m and get a client machine dependent logon script.
You get the idea...</P
>Note that the file is a dos batch file not a Unix script. It runs dos commands on the client
computer with the logon user's permissions. It must be a dos file with each line ending with
the dos cr/lf not a nice clean newline. Generally,
it's best to create the initial file on a DOS system and copy it across.</P
>There are lots of very clever uses of the Samba replaceable variables such as
( %U = user, %G = primary group, %H = client machine, see the 'man 5 smb.conf') to
give you control over which script runs when a particular person logs
on. (Gee, it would be nice to have a default.bat run when nothing else is available.)</P
>Again, it is vitally important that ordinary users don't have write
permission to other people's, or even probably their own, logon script files.</P
>A typical logon script is reproduced below. Note that it runs separate
commands for win95 and NT, that's because NT has slightly different behaviour
> command. It's useful for lots of
other situations too. I don't know what syntax to use for win98, I don't use it
CLASS="PROGRAMLISTING"
rem Default logon script, create links to this file.
net time \\bioserve /set /yes
if %OS%.==Windows_NT. goto WinNT
rem --- Win95: plain drive mappings ---
net use k: \\trillion\bio_prog
net use p: \\bcfile\homes
goto end
:WinNT
rem --- NT: /persistent:no so the mappings are not saved in the profile ---
net use k: \\trillion\bio_prog /persistent:no
net use p: \\bcfile\homes /persistent:no
:end
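Two things in this section are easy to get wrong by hand: the CR/LF line endings and the file permissions on the scripts directory. The helper below is an added example, not the HowTo's own code: it writes a per-user batch file under a scripts directory with DOS line endings, keeps the Win95 / NT split of the script above (parameterised on the server name), sets the file to mode 644 so that users can read but not alter it, and provides a check that a given file really has CR/LF on every line. The user joeblow, the server name bcfile and the temp directory are constructed.

```shell
#!/bin/sh
# Added example, not the HowTo's own code: generate a per-user logon script
# under netlogon/scripts with DOS CR/LF line endings, and check a file for them.
# The batch template is constructed from the script above; SERVER, the scripts
# directory and the user name are parameters.

# to_dos: stdin -> stdout with every line ending in CR LF (existing CRs not doubled)
to_dos() {
    awk '{ sub(/\r$/, ""); printf "%s\r\n", $0 }'
}

# has_dos_endings FILE -> 0 if no line lacks a trailing CR
has_dos_endings() {
    [ "$(awk '!/\r$/ { n++ } END { print n + 0 }' "$1")" = 0 ]
}

# write_logon_script SCRIPTS_DIR USER SERVER -> write SCRIPTS_DIR/USER.bat and
# print its path. The Win95 / NT split of the HowTo's script is kept because
# NT needs /persistent:no.
write_logon_script() {
    dir="$1"; user="$2"; server="$3"
    out="$dir/$user.bat"
    to_dos > "$out" <<EOF
rem Logon script for $user, generated on the PDC
net time \\\\$server /set /yes
if %OS%.==Windows_NT. goto WinNT
net use p: \\\\$server\\homes
goto end
:WinNT
net use p: \\\\$server\\homes /persistent:no
:end
EOF
    # readable through the netlogon share, changed only by root
    chmod 644 "$out"
    echo "$out"
}

demo=$(mktemp -d)
f=$(write_logon_script "$demo" joeblow bcfile)
if has_dos_endings "$f"; then echo "$f: CR/LF endings, ok"; fi
```

Running `has_dos_endings` over every file in netlogon/scripts after editing on the Unix side is a cheap way to catch a script that a Win95 client will silently fail to run.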
>Chapter 5. Passwords and Authentication</A
>So far our configuration assumes that ordinary users don't have unix logon access. A change
> line above would allow unix logon
but it would be with passwords that may
be different from the NT logon. Clearly that won't suit everyone. Trying to explain to users
that they need to change their passwords in two separate places is not fun.
Further, even if they cannot do a unix logon there are other processes that
might require authentication. We have a nice securely encrypted password in
>/usr/local/samba/private/smbpasswd</TT
>, why not use it ?</P
>Syncing Passwords</A
>Yes, it's possible and seems the easiest way (initially anyway).
HREF="samba-pdc-faq.html"
do so in the sections <I
>What is password sync and should I use it ?</I
> How do I get remote password (unix and SMB) changing working ?</I
>PAM enabled systems have a much better solution available. The Samba
PDC server will offer to authenticate domain users to other processes
(either on this server or on the domain). With a suitable pam stack
HREF="http://www.csn.ul.ie/~airlied/pam_smb/"
you can get any pam aware application looking to the samba password and
can leave the password field in <TT
>Authenticating other Samba Servers</A
>In a domain that has a number of servers you only need one password database.
The machines that don't have their own ask the PDC to check for them.
This will work fine for a domain controlled by either a Samba or NT machine.</P
>To do so the Samba machine must be told to refer to the PDC and where the PDC is.
See the section in the NTDom <A
HREF="samba-pdc-faq.html"
>How do I get my samba server to
become a member ( not PDC ) of an NT domain?</I
>Chapter 6. Background</A
>It might help you understand the limitations of the PDC in Samba if you
read something of its history. Well, the history as I understand it anyway.</P
>For many years the Samba team have been developing Samba; some time ago
a number of people, possibly led by Luke Leighton, started contributing NT
PDC stuff. This was added to the 'head' stream (that would eventually
become the next version) and later to a separate stream (NTDom). They did so
much that eventually this development stream was so mutated that it could not
be merged back into the main stream and was abandoned towards the end of 1999.
And that was very sad because many users, myself included, had become heavily
dependent on the NTController facilities it offered. Oh well...</P
>The NTDom team continued on with their new found knowledge however and
built the TNG stream. Intended to be carefully controlled so that it can be
merged back into the main stream and benefiting from what they learnt, it is
a very different product to the original NTDom product. However, for a
number of reasons, the merge did not take place and now TNG is being developed
HREF="http://www.samba-tng.org"
>http://www.samba-tng.org</A
>Now, the NTDom things that the main stream 2.0.x version does is based more
on the old (initial version) abandoned code than on the TNG ideas. It appears
that version 2.2.0 will also include an improved version of the 2.0.7 domain
controller characteristics, not the TNG ways. The developers have indicated
that 2.2.0 will be further developed incrementally and the ideas from TNG
incorporated into it.</P
>One more little wriggle is worth mentioning. At one stage the NTDom
stream was called Samba 2.1.0-prealpha and similar names. This is most
unfortunate because at least one book published advises people who want to
use NTDom Samba to get version 2.1.0 or later. As main stream Samba will soon
be called 2.2.0 and NOT officially supporting NTDom Controlling functions,
the potential for confusion is certainly there.</P
>There is a document on the Samba mirrors called <I
>. It offers the 'best guess' of what is planned for future releases
>The future of Samba as a Primary Domain Controller appears rosy, however
be aware that it's the future, not the present. The developers are strongly committed
to building a full featured PDC into Samba but it will take time. If this
version does not meet your requirements then you should consider (in no particular
> Wait. No, we don't know how long. Repeated asking won't help.</P
>Investigate the development versions, TNG perhaps or HEAD where new code is being added
all the time. Realise that development code is often unstable, poorly documented and subject to change.
You will need to use cvs to download development versions.</P
>Join one of the Samba mailing lists so that you can find out
what is happening on the 'bleeding edge'.</P
>Getting further help</A
>This document cannot possibly answer all your questions. Please understand that it's very
likely that someone has been confronted by the same problem that you have. The
HREF="samba-pdc-faq.html"
discusses a number of possible paths to take to get further help :</P
>Documents on the Samba Sites.</P
>Other web sites.</P
>There is some discussion about guidelines for using the Mailing Lists on the
HREF="samba-pdc-faq.html"
please read them before posting.</P