The Samba 2.2 PDC HowTo
_________________________________________________________________
_________________________________________________________________

Comments, corrections and additions to <D.Bannon@latrobe.edu.au>

This document explains how to set up Samba as a Primary Domain
Controller and applies to version 2.2.0. Before using these functions
make sure you understand what the controller can and cannot do. Please
read the sections below in the Introduction. As 2.2.0 is incrementally
updated this document will change or become out of date very quickly;
make sure you are reading the most current version.

Please note this document does not apply to Samba2.2alpha0,
Samba2.2alpha1, Samba 2.0.7, TNG nor HEAD branch.

It does apply to the current (post November 27th) cvs.

Also available is an updated version of Jerry Carter's NTDom FAQ that
will answer lots of the special 'tuning' questions that are not
covered here. Over the next couple of weeks some of the items here
will be moved to the FAQ.
3. User and Machine Accounts
4. Profiles, Policies and Logon Scripts
5. Passwords and Authentication
   Authenticating other Samba Servers
_________________________________________________________________

Chapter 1. Introduction

This document will show you one way of making Version 2.2.0 of Samba
perform some of the tasks of a NT Primary Domain Controller. The
facilities described are built into Samba as a result of development
work done over a number of years by a large number of people. These
facilities are only just beginning to be officially supported and
although they do appear to work reliably, if you use them then you
take the risks upon yourself. This document does not cover the
developmental versions of Samba, particularly Samba-TNG.

Note that Samba 2.0.7 supports significantly less of the NT Domain
facilities compared with 2.2.0.

This document does not replace the text files DOMAIN_CONTROL.txt,
DOMAIN.txt (by John H Terpstra) or NTDOMAIN.txt (by Luke Kenneth
Casson Leighton). Those documents provide more detail and an insight
into the development cycle and should be considered 'further reading'.
_________________________________________________________________

* Permit 'domain logons' for Win95/98, NT4 and W2K workstations from
  one central password database. WRT W2K, please see the section
  about adding machine accounts and the Intro in the FAQ.
* Grant Administrator privileges to particular domain users on an NT
* Apply policies from a domain policy file to NT and W2K (?)
* Run the appropriate logon script when a user logs on to the domain
* Maintain a user's local profile on the server.
* Validate a user using another system via smb (such as smb_pam) and
_________________________________________________________________

* Become or work with a Backup Domain Controller (a BDC).
* Participate in any sort of trust relationship (with either Samba
* Offer a list of domain users to User Manager for Domains on the
* Be a W2K type of Domain Controller. Samba PDC will behave like an
  NT PDC, W2K workstations connect in legacy mode.
_________________________________________________________________
Chapter 2. Installing

Installing consists of the usual download, configure, make and make
install process. These steps are well documented elsewhere. The FAQ
discusses getting pre-release versions via CVS. Then you need to
configure the server.
_________________________________________________________________

Skip this section if you have a working Samba already. Everyone has
their own favourite startup script. Here is mine, offered with no
#!/bin/sh
# Script to control Samba server, David Bannon, 14-6-96
PATH=/bin:/usr/sbin:/usr/bin

# Kill every running copy of the daemon named in $1, one process at a
# time, re-reading the process list until none is left.
killdaemon()
{
    psline=`/bin/ps x | grep $1 | grep -v grep`
    while [ "$psline" != "" ]
    do
        pid=`echo $psline | awk '{print $1}'`
        kill $pid
        psline=`/bin/ps x | fgrep $1 | grep -v grep`
        echo "Stopped $pid line = $psline"
    done
}

case "$1" in
start)
    if [ -f /usr/local/samba/bin/smbd ]
    then
        /usr/local/samba/bin/smbd -D
        /usr/local/samba/bin/nmbd -D
        echo "Starting Samba Server"
    fi
    ;;
stop)
    killdaemon smbd
    echo "Stopped Samba servers"
    killdaemon nmbd
    echo "Stopped Name Servers"
    ;;
restart)
    $0 stop
    $0 start
    ;;
conf)
    if [ -f /usr/local/samba/lib/smb.conf ]
    then
        vi /usr/local/samba/lib/smb.conf
    fi
    ;;
pw)
    if [ -f /usr/local/samba/private/smbpasswd ]
    then
        vi /usr/local/samba/private/smbpasswd
    fi
    ;;
who)
    /usr/local/samba/bin/smbstatus -b
    ;;
*)
    echo "usage: samba {start | restart |stop | conf | pw | who}"
    ;;
esac
Use this script, or some other one; you will need to ensure it is used
while the machine is booting. (This typically involves /etc/rc.d;
we'll be assuming that there is a script called samba in
/etc/rc.d/init.d further down in this document.)
_________________________________________________________________

Here is a fairly minimal config file to do PDC. It will also make the
server become the browse master for the specified domain (not
necessary but usually desirable). You will need to change only two
parameters to make this file work, wins server and workgroup, plus you
will need to put your own name (not mine!) in the domain admin users
fields. Some of the parameters are discussed further down this

Assuming you have used the default install directories, this file
should appear as /usr/local/samba/lib/smb.conf. It should not be
writable by anyone except root.

Note: The 'add user script' parameter is a work-around, watch for
workgroup = { Your domain name here }
wins server = { ip of a wins server if you have one }
encrypt passwords = yes

logon script = scripts\%U.bat
domain admin users = root dbannon andrew
add user script = /usr/sbin/adduser -n -g machines -c Machine -d /dev/null -s /bin/false %m$

directory mask = 0700

path = /usr/local/samba/netlogon
_________________________________________________________________

PDC Config Parameters

There is a huge range of parameters that may appear in a smb.conf
file. Some that may be of interest to a PDC are :

    This parameter specifies a script (or program) that will be run
    to add a user to the system. Here it is being used to add a
    machine, not a user. This is probably not very nice and may
    change. But it does work !

    For this example, I have a group called 'machines'; entries can
    be added to /etc/passwd using a programme called /usr/adduser
    and the other parameters are chosen as suitable for a machine
    account. Works for RH Linux, your system may require changes.

domain admin users = user1 user2
    This parameter specifies the unix users who will be granted admin
    privileges on a NT workstation when logged onto that
    workstation. See the section called Domain Admin Accounts.

encrypt passwords = yes
    This parameter must be 'yes' to allow any of the recent service
    pack NTs to logon. There are some reg hacks that turn off
    encrypted passwords on the NTws itself but if you are going to
    use the smbpasswd system (and you should) you must use

logon script = scripts\%U.bat
    This will make samba look for a logon script named after the
    user (eg joeblow.bat). See the section further on called Logon

    Note: Note that the slash is like this '\', not like this '/'. NT
    is happy with both, win95 is not !

    Lets you specify where you would like users' profiles kept. The
    default, that is in the user's home directory, does encourage a
_________________________________________________________________
You need to create a couple of special files and directories. It's nice
to have some of the binaries handy too, so I create links to them.
Assuming you have used the default samba location and have not changed
the locations mentioned in the sample config file, do the following :

mkdir /usr/local/samba/netlogon
mkdir /usr/local/samba/netlogon/scripts
mkdir /usr/local/samba/private
touch /usr/local/samba/private/smbpasswd
chmod go-rwx /usr/local/samba/private/smbpasswd

ln -s /usr/local/samba/bin/smbpasswd
ln -s /usr/local/samba/bin/smbclient
ln -s /etc/rc.d/init.d/samba

Make sure permissions are appropriate !

OK, if you have used the scripts above and have a path to where the
links are, do this to start up the Samba Server :

Instead, you might like to reboot the machine to make sure that you
got the init stuff right. Anyway, a quick look in the logs
/usr/local/samba/var/log.smbd and /usr/local/samba/var/log/nmbd will
give you an idea of what's happening. Assuming all is well, let's
create some accounts...
_________________________________________________________________
Chapter 3. User and Machine Accounts

This section is very nearly out of date already ! It appears that
while you are reading it, Jean Francois Micou is making it redundant !
Jean Francois is adding facilities to add users (via User Manager) and
machines (when joining the domain) and it looks like these facilities
will make it into the official release of 2.2.

Every user and NTws (and other samba servers) that will be on the
domain must have its own passwd entry in both /etc/passwd and
/usr/local/samba/private/smbpasswd. The /etc/passwd entry is really
only to reserve a user ID. The NT encrypted password is stored in
/usr/local/samba/private/smbpasswd. (Note that win95/98 machines don't
need an account as they don't do any security aware things.)

Samba 2.2 will now create these entries for us. Careful set up is
required and there may well be some changes to this system before its
_________________________________________________________________
Note: There is an entry in the ntdom FAQ explaining how to create
machine entries manually.

At present, to have the machine accounts created when a machine joins
the domain, a number of conditions must be met :

Only root can do it !
    There must be an entry in /usr/local/samba/private/smbpasswd
    for root and root must be mentioned in domain admins. This may
    be fixed some time in the future so any 'domain admin' can do
    it. If you don't like having root as a windows logon account,
    make the machine entries manually (both of them).

Use the add user script
    Again, this looks a bit like a 'work around'. Use a suitable
    command line to add a machine account (see above), and pass it
    %m$, that is %m to get the machine name plus the '$'. Now, this
    means you cannot use the add user script to really add users

This automatic creation of machine accounts does not work for
NT4ws at present. Watch this space.
_________________________________________________________________
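The value Samba substitutes for %m$ is whatever NetBIOS name the joining machine announced, so a wrapper that checks the name before calling adduser is safer than the bare adduser line in the sample smb.conf above. This is an added example, not part of Samba or of the original howto; it keeps the sample's adduser flags, and the install path /usr/local/samba/bin/add-machine in the comment is assumed.

```shell
#!/bin/sh
# Wrapper for 'add user script'. Samba expands %m$ to the joining machine's
# NetBIOS name plus '$' and passes it as $1; the name comes from the client,
# so check it looks like a machine account before handing it to adduser.
# Example code added for this howto, not Samba's own; the adduser flags are
# the ones from the sample smb.conf (RH Linux style) and are assumed.

# Returns 0 if $1 is a plausible machine account name: 1 to 15 letters,
# digits or hyphens, followed by exactly one trailing '$'.
valid_machine_name()
{
    case "$1" in
        *'$') ;;                        # must end in '$'
        *)    return 1 ;;
    esac
    name=${1%\$}                        # strip the trailing '$'
    [ -n "$name" ] || return 1          # '$' alone is not a name
    [ ${#name} -le 15 ] || return 1     # NetBIOS names are at most 15 chars
    case "$name" in
        *[!A-Za-z0-9-]*) return 1 ;;    # spaces, ';', '/', a second '$' ...
    esac
    return 0
}

# Creates the machine account only when the name passes the check.
# ADDUSER may be overridden (e.g. to 'echo') to dry-run the wrapper.
add_machine_account()
{
    if ! valid_machine_name "$1"
    then
        echo "add-machine: refusing '$1', not a machine account name" >&2
        return 1
    fi
    ${ADDUSER:-/usr/sbin/adduser} -n -g machines -c Machine \
        -d /dev/null -s /bin/false "$1"
}

# smb.conf then reads:  add user script = /usr/local/samba/bin/add-machine %m$
case $# in
    1) add_machine_account "$1" ;;
esac
```

A rejected name is logged to stderr and the script exits non-zero, so the join fails instead of creating an odd /etc/passwd entry.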
You must have either added the machine account entries manually (NT4
ws) or set up the automatic system (W2K), see Machine Accounts before

    + (this step may not be necessary some time in the near
      future). On the samba server that is the PDC, add a machine
      account manually as per the instructions in the FAQ. Then give
      the command smbpasswd -a -m {machine} substituting in the
    + Logon to the NTws in question as a local admin, go to the
      Control Panel, Network, Identification tab.
    + Press the Change button.
    + Enter the Domain name (from the 'Workgroup' parameter,
      smb.conf) in the Domain Field.
    + Press OK and after a few seconds you will get a 'Welcome to
      Whatever Domain'. Allow to reboot.

    + Logon to the W2k machine as Administrator, go to the Control
      Panel and double click on Network and Dialup Connections.
    + Pull down the Advanced menu and choose Network
      Identification. Press Properties.
    + Choose Domain and enter the domain name. Press 'OK'.
    + Now enter a user name and password for a Domain Admin (who
      must be root until a pre-release bug is fixed) and press
    + Wait for the confirmation, reboot when prompted.

To remove a W2K machine from the domain, follow the first two
steps then choose Workgroup, enter a work group name (or just
WORKGROUP) and follow the prompts.
_________________________________________________________________
Again, doing it manually (cos' the auto way is not working
pre-release). In our simple case every domain user should have an
account on the PDC. The account may have a null shell if they are not
allowed to log on to the unix prompt. Again they need an entry in both
/etc/passwd and /usr/local/samba/private/smbpasswd. Again a
password is not necessary in /etc/passwd but the location of the home
directory is honoured. To make an entry for a user called Joe Blow you
would typically do the following :

adduser -g users -c 'Joe Blow' -s /bin/false -n joeblow

And you will be prompted to enter a password for Joe. Ideally he will be
hovering over your shoulder and will, when asked, type in a password
of his choice. There are a number of scripts and systems to ease the
migration of users from somewhere to samba. Better start looking !
_________________________________________________________________

Domain Admin Accounts

Certain operations demand that the logged on user has Administrator
privileges, typically installing software and doing maintenance tasks.
It is very simple to appoint some users as Domain Admins, most likely
yourself. Make sure you trust the appointee !

Samba 2.2 recognizes particular users as being domain admins and tells
the NTws when it thinks that it has got one logged on. In the smb.conf
file we declare that domain admin users = user1 user2. Any user
mentioned here will be treated as a Domain Admin by a NTws when logged
onto the Domain. They will have full Administrator rights including
the rights to change permissions on files and run the system utilities
such as Disk Administrator.

Further, and this is very new, they will be allowed to create a new
machine account when first connecting a new NT or W2K machine to the
domain. At present, ie pre-release, only a Domain Admin who also
happens to be root can do so.
_________________________________________________________________
Chapter 4. Profiles, Policies and Logon Scripts

NT Profiles should work if you have followed the setup so far. A
user's profile contains a whole lot of their personal settings, the
contents of their desktop, personal 'My Documents' and so on. When
they log off, all of the profile is copied to their directory on the
server and is downloaded again when they log on again, possibly on
another client machine.

Sounds great but can be a bit of a bugbear sometimes. Users let their
profiles get too big and then complain about how long it takes to log
on each time. This sample setup only supports NT profiles; rumour has
it that it is also possible to do the same on Win95, my users don't
know and I'm not telling them.

Note: There is more info about Profiles (including for W95/98) in
_________________________________________________________________

Policies are an easy way to make or enforce specific characteristics
across your network. You create a ntconfig.pol file and every time
someone logs on with their NTws, the settings you put in ntconfig.pol
are applied to the NTws. Typical settings are things like making the
date appear the way you want it (none of these 2 figure years here) or
maybe suppressing one of the splash screens. Perhaps you want to set
the NTws so it does not keep users' profiles on the local machine.
Cool. The only problem is making the ntconfig.pol file itself. You
cannot use the policy editor that comes with NTws.

Note: See the FAQ for pointers on how to get a suitable Policy

The Policy Editor (and associated files) will create a ntconfig.pol
file using the parameters Microsoft thought of and parameters you
specify by making your own template file.

In our example configuration here, Samba will expect to find the
ntconfig.pol file in /usr/local/samba/netlogon. Needless to say (I
hope !), it is vitally important that ordinary users don't have write
permission to the Policy files.
_________________________________________________________________
In the sample config file above there is a line logon script =

Note: Note that the slash is like this '\' not like this '/'. NT is
happy with both, win95 is not !

This allows you to run a dos batch file every time someone logs on.
The batch file is located on the server; in the sample install
mentioned here, it's in /usr/local/samba/netlogon/scripts and is named
after the user with .bat appended, eg Joe Blow's script is called
/usr/local/samba/netlogon/scripts/joeblow.bat.

Note: There is a suggestion that user names longer than 8
characters may cause problems with some systems being unable to run
logon scripts. This is confirmed in earlier versions when
connecting using W95, comments about other combinations ??

You could use a line like this logon script = default.bat and samba
will supply /usr/local/samba/netlogon/default.bat for any client and
every user. Maybe you could use %m and get a client machine dependent
logon script. You get the idea...

Note that the file is a dos batch file not a Unix script. It runs dos
commands on the client computer with the logon user's permissions. It
must be a dos file with each line ending with the dos cr/lf, not a nice
clean newline. Generally, it's best to create the initial file on a DOS
system and copy it across.

There are lots of very clever uses of the Samba replaceable variables
such as (%U = user, %G = primary group, %H = client machine, see
'man 5 smb.conf') to give you control over which script runs when a
particular person logs on. (Gee, it would be nice to have a
default.bat run when nothing else is available.)

Again, it is vitally important that ordinary users don't have write
permission to other people's, or even probably their own, logon script

A typical logon script is reproduced below. Note that it runs separate
commands for win95 and NT; that's because NT has slightly different
behaviour when using the net use .. command. It's useful for lots of
other situations too. I don't know what syntax to use for win98, I

rem Default logon script, create links to this file.

net time \\bioserve /set /yes

if %OS%.==Windows_NT. goto WinNT

net use k: \\trillion\bio_prog
net use p: \\bcfile\homes
goto end

:WinNT
net use k: \\trillion\bio_prog /persistent:no
net use p: \\bcfile\homes /persistent:no

:end
_________________________________________________________________
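Two things above are easy to get wrong and worth checking mechanically on the server: ordinary users must not be able to write smb.conf, ntconfig.pol or any logon script (and must not be able to read smbpasswd), and every .bat file must have DOS CR/LF line endings. The audit below is an added example for this howto, not Samba's own tooling; it assumes the directory layout of the sample smb.conf above, and the sample tree it builds is constructed for the demonstration.

```shell
#!/bin/sh
# Audits the files this howto says to protect: smb.conf, ntconfig.pol and the
# logon scripts must not be writable by ordinary users, smbpasswd must not be
# readable by them, and .bat files need DOS CR/LF line endings. Example code
# added for this howto, not Samba's; the tree layout is the sample smb.conf's.

mode_of() { ls -ld "$1" | cut -c1-10; }   # e.g. -rw-r--r--

# 0 if group (column 6) or others (column 9) may write $1
group_other_writable()
{
    case "$(mode_of "$1")" in ?????w*|????????w?) return 0 ;; esac
    return 1
}

# 0 if group (column 5) or others (column 8) may read $1
group_other_readable()
{
    case "$(mode_of "$1")" in ????r*|???????r*) return 0 ;; esac
    return 1
}

# 0 if every line of $1 ends in CR LF, as a DOS batch file must
has_dos_line_endings()
{
    awk '!/\r$/ { bad++ } END { exit bad > 0 }' "$1"
}

# Prints each problem found under the Samba tree $1, returns their number.
audit_samba_tree()
{
    root=$1; problems=0
    for f in "$root/lib/smb.conf" "$root/netlogon/ntconfig.pol" \
             "$root"/netlogon/scripts/*.bat
    do
        [ -f "$f" ] || continue
        if group_other_writable "$f"; then
            echo "writable by group/other: $f"; problems=$((problems + 1))
        fi
        case "$f" in *.bat)
            if ! has_dos_line_endings "$f"; then
                echo "lines lack CR, not a DOS file: $f"; problems=$((problems + 1))
            fi ;;
        esac
    done
    if [ -f "$root/private/smbpasswd" ] && group_other_readable "$root/private/smbpasswd"; then
        echo "readable by group/other: $root/private/smbpasswd"; problems=$((problems + 1))
    fi
    return $problems
}

# Builds a constructed sample tree with three deliberate faults; prints its path.
make_sample_tree()
{
    d=$(mktemp -d)
    mkdir -p "$d/lib" "$d/private" "$d/netlogon/scripts"
    echo "workgroup = EXAMPLE" > "$d/lib/smb.conf"; chmod 644 "$d/lib/smb.conf"
    : > "$d/netlogon/ntconfig.pol"; chmod 666 "$d/netlogon/ntconfig.pol"   # fault 1
    : > "$d/private/smbpasswd";     chmod 644 "$d/private/smbpasswd"       # fault 2
    printf 'net time \\\\bioserve /set /yes\r\nnet use p: \\\\bcfile\\homes\r\n' \
        > "$d/netlogon/scripts/joeblow.bat"                                # CR/LF, fine
    printf 'net use p: \\\\bcfile\\homes\n' > "$d/netlogon/scripts/default.bat"  # fault 3
    chmod 644 "$d"/netlogon/scripts/*.bat
    echo "$d"
}

case $# in 1) audit_samba_tree "$1" ;; esac
```

Run it as `sh audit.sh /usr/local/samba` on a real server; the exit status is the number of problems, so it drops into a cron job or the samba init script easily.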
Chapter 5. Passwords and Authentication

So far our configuration assumes that ordinary users don't have unix
logon access. A change to the adduser line above would allow unix
logon but it would be with passwords that may be different from the NT
logon. Clearly that won't suit everyone. Trying to explain to users
that they need to change their passwords in two separate places is not
fun. Further, even if they cannot do a unix logon there are other
processes that might require authentication. We have a nice securely
encrypted password in /usr/local/samba/private/smbpasswd, why not use
_________________________________________________________________

Yes, it's possible and seems the easiest way (initially anyway). The
FAQ details how to do so in the sections What is password sync and
should I use it ? and How do I get remote password (unix and SMB)
_________________________________________________________________

Pam enabled systems have a much better solution available. The Samba
PDC server will offer to authenticate domain users to other processes
(either on this server or on the domain). With a suitable pam stack
such as Pam_smb you can get any pam aware application looking to the
samba password and can leave the password field in /etc/shadow or
_________________________________________________________________

Authenticating other Samba Servers

In a domain that has a number of servers you only need one password
database. The machines that don't have their own ask the PDC to check
for them. This will work fine for a domain controlled by either a

To do so the Samba machine must be told to refer to the PDC and where
the PDC is. See the section in the NTDom FAQ called How do I get my
samba server to become a member ( not PDC ) of an NT domain?
_________________________________________________________________
Chapter 6. Background

It might help you understand the limitations of the PDC in Samba if
you read something of its history. Well, the history as I understand

For many years the Samba team have been developing Samba; some time
ago a number of people, possibly led by Luke Leighton, started
contributing NT PDC stuff. This was added to the 'head' stream (that
would eventually become the next version) and later to a separate
stream (NTDom). They did so much that eventually this development
stream was so mutated that it could not be merged back into the main
stream and was abandoned towards the end of 1999. And that was very
sad because many users, myself included, had become heavily dependent on
the NTController facilities it offered. Oh well...

The NTDom team continued on with their new found knowledge however and
built the TNG stream. Intended to be carefully controlled so that it
can be merged back into the main stream and benefiting from what they
learnt, it is a very different product to the original NTDom product.
However, for a number of reasons, the merge did not take place and now
TNG is being developed at http://www.samba-tng.org.

Now, the NTDom things that the main stream 2.0.x version does are based
more on the old (initial version) abandoned code than on the TNG
ideas. It appears that version 2.2.0 will also include an improved
version of the 2.0.7 domain controller characteristics, not the TNG
ways. The developers have indicated that 2.2.0 will be further
developed incrementally and the ideas from TNG incorporated into it.

One more little wriggle is worth mentioning. At one stage the NTDom
stream was called Samba 2.1.0-prealpha and similar names. This is most
unfortunate because at least one book published advises people who
want to use NTDom Samba to get version 2.1.0 or later. As main stream
Samba will soon be called 2.2.0 and NOT officially supporting NTDom
Controlling functions, the potential for confusion is certainly there.
_________________________________________________________________

There is a document on the Samba mirrors called 'Development'. It
offers the 'best guess' of what is planned for future releases of

The future of Samba as a Primary Domain Controller appears rosy,
however be aware that it's the future, not the present. The developers
are strongly committed to building a full featured PDC into Samba but
it will take time. If this version does not meet your requirements
then you should consider (in no particular order) :

* Wait. No, we don't know how long. Repeated asking won't help.
* Investigate the development versions, TNG perhaps or HEAD where
  new code is being added all the time. Realise that development
  code is often unstable, poorly documented and subject to change.
  You will need to use cvs to download development versions.
* Join one of the Samba mailing lists so that you can find out what
  is happening on the 'bleeding edge'.
_________________________________________________________________

This document cannot possibly answer all your questions. Please
understand that it's very likely that someone has been confronted by
the same problem that you have. The FAQ discusses a number of possible
paths to take to get further help :

* Documents on the Samba Sites.

There is some discussion about guidelines for using the Mailing Lists
on the accompanying FAQ, please read them before posting.