The Samba 2.2 PDC HowTo
_________________________________________________________________

Comments, corrections and additions to <dbannon@samba.org>
This document explains how to set up Samba as a Primary Domain
Controller and applies to version 2.2.0. Before using these functions
make sure you understand what the controller can and cannot do. Please
read the sections below in the Introduction. As 2.2.0 is incrementally
updated this document will change or become out of date very quickly;
make sure you are reading the most current version.

Please note this document does not apply to Samba 2.2alpha0,
Samba 2.2alpha1, Samba 2.0.7, TNG nor the HEAD branch.

It does apply to the current (post November 27th) CVS.

Also available is an updated version of Jerry Carter's NTDom FAQ that
will answer lots of the special 'tuning' questions that are not
covered here. Over the next couple of weeks some of the items here
will be moved to the FAQ.
3. User and Machine Accounts
4. Profiles, Policies and Logon Scripts
5. Passwords and Authentication
   Authenticating other Samba Servers
_________________________________________________________________
Chapter 1. Introduction

This document will show you one way of making Version 2.2.0 of Samba
perform some of the tasks of an NT Primary Domain Controller. The
facilities described are built into Samba as a result of development
work done over a number of years by a large number of people. These
facilities are only just beginning to be officially supported and
although they do appear to work reliably, if you use them then you
take the risks upon yourself. This document does not cover the
developmental versions of Samba, particularly Samba-TNG.

Note that Samba 2.0.7 supports significantly less of the NT Domain
facilities compared with 2.2.0.

This document does not replace the text files DOMAIN_CONTROL.txt,
DOMAIN.txt (by John H Terpstra) or NTDOMAIN.txt (by Luke Kenneth
Casson Leighton). Those documents provide more detail and an insight
into the development cycle and should be considered 'further reading'.
_________________________________________________________________
  * Permit 'domain logons' for Win95/98, NT4 and W2K workstations from
    one central password database. WRT W2K, please see the section
    about adding machine accounts and the Intro in the FAQ.
  * Grant Administrator privileges to particular domain users on an NT
  * Apply policies from a domain policy file to NT and W2K (?)
  * Run the appropriate logon script when a user logs on to the domain
  * Maintain a user's local profile on the server.
  * Validate a user using another system via smb (such as smb_pam) and
_________________________________________________________________

  * Become or work with a Backup Domain Controller (a BDC).
  * Participate in any sort of trust relationship (with either Samba
  * Offer a list of domain users to User Manager for Domains on the
  * Be a W2K type of Domain Controller. Samba PDC will behave like an
    NT PDC; W2K workstations connect in legacy mode.
_________________________________________________________________
Chapter 2. Installing

Installing consists of the usual download, configure, make and make
install process. These steps are well documented elsewhere. The FAQ
discusses getting pre-release versions via CVS. Then you need to
configure the server.
_________________________________________________________________

Skip this section if you have a working Samba already. Everyone has
their own favourite startup script. Here is mine, offered with no
    #!/bin/sh
    # Script to control Samba server, David Bannon, 14-6-96
    PATH=/bin:/usr/sbin:/usr/bin
    start_samba() {
        if [ -f /usr/local/samba/bin/smbd ]
        then
            /usr/local/samba/bin/smbd -D
            /usr/local/samba/bin/nmbd -D
            echo "Starting Samba Server"
        fi
    }
    # Kill every running copy of the daemon named in $1 (smbd or nmbd)
    stop_daemon() {
        psline=`/bin/ps x | grep $1 | grep -v grep`
        while [ "$psline" != "" ]
        do
            pid=`echo $psline | awk '{print $1}'`
            kill $pid
            echo "Stopped $pid line = $psline"
            sleep 1
            psline=`/bin/ps x | fgrep $1 | grep -v grep`
        done
    }
    stop_samba() {
        stop_daemon smbd
        echo "Stopped Samba servers"
        stop_daemon nmbd
        echo "Stopped Name Servers"
    }
    case "$1" in
        start)
            start_samba ;;
        stop)
            stop_samba ;;
        restart)
            stop_samba
            start_samba ;;
        conf)
            if [ -f /usr/local/samba/lib/smb.conf ]
            then
                vi /usr/local/samba/lib/smb.conf
            fi ;;
        pw)
            if [ -f /usr/local/samba/private/smbpasswd ]
            then
                vi /usr/local/samba/private/smbpasswd
            fi ;;
        who)
            /usr/local/samba/bin/smbstatus -b ;;
        *)
            echo "usage: samba {start | restart |stop | conf | pw | who}" ;;
    esac
Whichever script you use, this one or some other, you will need to
ensure it is run while the machine is booting. (This typically involves
/etc/rc.d; we'll be assuming that there is a script called samba in
/etc/rc.d/init.d further down in this document.)
_________________________________________________________________

Here is a fairly minimal config file to do PDC. It will also make the
server become the browse master for the specified domain (not
necessary but usually desirable). You will need to change only two
parameters to make this file work, wins server and workgroup, plus you
will need to put your own name (not mine!) in the domain admin users
fields. Some of the parameters are discussed further down this

Assuming you have used the default install directories, this file
should appear as /usr/local/samba/lib/smb.conf. It should not be
writable by anyone except root.

Note: The 'add user script' parameter is a work-around, watch for
    [global]
        workgroup = { Your domain name here }
        wins server = { ip of a wins server if you have one }
        encrypt passwords = yes
        domain logons = yes
        logon script = scripts\%U.bat
        domain admin group = @adm
        add user script = /usr/sbin/adduser -n -g machines -c Machine -d /dev/null -s /bin/false %m$

    [homes]
        directory mask = 0700

    [netlogon]
        path = /usr/local/samba/netlogon
_________________________________________________________________

PDC Config Parameters

There are a huge range of parameters that may appear in a smb.conf
file. Some that may be of interest to a PDC are:

        This parameter specifies a script (or program) that will be run
        to add a user to the system. Here it is being used to add a
        machine, not a user. This is probably not very nice and may
        change. But it does work!

        For this example, I have a group called 'machines'; entries can
        be added to /etc/passwd using a programme called /usr/adduser
        and the other parameters are chosen as suitable for a machine
        account. Works for RH Linux; your system may require changes.

domain admin group = @adm
        This parameter specifies a unix group whose members will be
        granted admin privileges on an NT workstation when logged onto
        that workstation. See the section called Domain Admin Accounts.

domain admin users = user1 user2
        It appears that this parameter does not function correctly at
        present. Use 'domain admin group' instead. This parameter
        specifies a unix user who will be granted admin privileges on an
        NT workstation when logged onto that workstation. See the
        section called Domain Admin Accounts.

encrypt passwords = yes
        This parameter must be 'yes' to allow any of the recent service
        pack NTs to logon. There are some reg hacks that turn off
        encrypted passwords on the NTws itself, but if you are going to
        use the smbpasswd system (and you should) you must use

logon script = scripts\%U.bat
        This will make samba look for a logon script named after the
        user (eg joeblow.bat). See the section further on called Logon

        Note: the slash is like this '\', not like this '/'. NT
        is happy with both, win95 is not!

        Lets you specify where you would like users' profiles kept. The
        default, that is in the user's home directory, does encourage a
_________________________________________________________________
You need to create a couple of special files and directories. It's nice
to have some of the binaries handy too, so I create links to them.
Assuming you have used the default samba location and have not changed
the locations mentioned in the sample config file, do the following:

    mkdir /usr/local/samba/netlogon
    mkdir /usr/local/samba/netlogon/scripts
    mkdir /usr/local/samba/private
    touch /usr/local/samba/private/smbpasswd
    chmod go-rwx /usr/local/samba/private/smbpasswd

    ln -s /usr/local/samba/bin/smbpasswd
    ln -s /usr/local/samba/bin/smbclient
    ln -s /etc/rc.d/init.d/samba

Make sure permissions are appropriate!
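As an added check (this script is not part of the HowTo), the following audits what the setup above and the Policies and Logon Scripts sections later rely on: smb.conf, ntconfig.pol and the netlogon tree writable by nobody but their owner, smbpasswd closed to group and others (the chmod go-rwx above), and every .bat logon script in DOS CR/LF form. The base directory argument defaults to /usr/local/samba; ownership by root is assumed, not checked.

```shell
#!/bin/sh
# Added example (not from the HowTo): audit the files a Samba 2.2 PDC
# trusts. Usage: pdc_audit.sh [samba base dir], default /usr/local/samba.

# Return 0 when $1 is writable by its group or by others. Uses the
# ls -ld mode string: char 6 is group write, char 9 is other write.
writable_by_others() {
    mode=$(ls -ld "$1" | cut -c1-10)
    case "$mode" in
        ?????w*|????????w*) return 0 ;;
    esac
    return 1
}

# Return 0 when $1 has at least one line not terminated by CR/LF,
# i.e. a Unix newline that a DOS batch file must not contain.
has_bare_newlines() {
    cr=$(printf '\r')
    grep -qv "$cr\$" "$1"
}

# Print one line per problem under base dir $1; return 1 if any found.
audit_pdc_files() {
    base=${1:-/usr/local/samba}
    problems=0

    # Config, policy file and logon script tree: owner writes, nobody else.
    for f in "$base/lib/smb.conf" "$base/netlogon" \
             "$base/netlogon/ntconfig.pol" "$base/netlogon/scripts" \
             "$base/netlogon"/*.bat "$base/netlogon/scripts"/*.bat; do
        [ -e "$f" ] || continue
        if writable_by_others "$f"; then
            echo "writable by group/others: $f"
            problems=$((problems + 1))
        fi
    done

    # smbpasswd holds the NT password hashes: chmod go-rwx, as the HowTo says.
    pw="$base/private/smbpasswd"
    if [ -e "$pw" ]; then
        case "$(ls -ld "$pw" | cut -c1-10)" in
            ????------) ;;
            *) echo "group/others have access: $pw"
               problems=$((problems + 1)) ;;
        esac
    fi

    # Logon scripts run on the client; they must use DOS line endings.
    for f in "$base/netlogon"/*.bat "$base/netlogon/scripts"/*.bat; do
        [ -f "$f" ] || continue
        if has_bare_newlines "$f"; then
            echo "Unix line endings (needs CR/LF): $f"
            problems=$((problems + 1))
        fi
    done

    [ "$problems" -eq 0 ]
}

if [ $# -gt 0 ]; then
    audit_pdc_files "$1"
fi
```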
OK, if you have used the scripts above and have a path to where the
links are, do this to start up the Samba Server:

Instead, you might like to reboot the machine to make sure that you
got the init stuff right. Either way, a quick look in the logs
/usr/local/samba/var/log.smbd and /usr/local/samba/var/log.nmbd will
give you an idea of what's happening. Assuming all is well, let's
create some accounts...
_________________________________________________________________
Chapter 3. User and Machine Accounts

This section is very nearly out of date already! It appears that
while you are reading it, Jean Francois Micou is making it redundant!
Jean Francois is adding facilities to add users (via User Manager) and
machines (when joining the domain) and it looks like these facilities
will make it into the official release of 2.2.

Every user and NTws (and other samba servers) that will be on the
domain must have its own passwd entry in both /etc/passwd and
/usr/local/samba/private/smbpasswd. The /etc/passwd entry is really
only to reserve a user ID. The NT encrypted password is stored in
/usr/local/samba/private/smbpasswd. (Note that win95/98 machines don't
need an account as they don't do any security aware things.)

Samba 2.2 will now create these entries for us. Careful set up is
required and there may well be some changes to this system before it's
_________________________________________________________________
Note: There is an entry in the ntdom FAQ explaining how to create
machine entries manually.

At present, to have the machine accounts created when a machine joins
the domain a number of conditions must be met:

Only root can do it!
        There must be an entry in /usr/local/samba/private/smbpasswd
        for root and root must be mentioned in domain admins. This may
        be fixed some time in the future so any 'domain admin' can do
        it. If you don't like having root as a windows logon account,
        make the machine entries manually (both of them).

Use the add user script
        Again, this looks a bit like a 'work around'. Use a suitable
        command line to add a machine account (see above), and pass it
        %m$, that is %m to get the machine name plus the '$'. Now, this
        means you cannot use the add user script to really add users

This automatic creation of machine accounts does not work for
NT4ws at present. Watch this space.
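The add user script receives whatever name the joining client supplied, with '$' appended by the %m$ substitution, so it is worth checking that name before it reaches adduser. This wrapper is an added example, not part of the HowTo; the install path /usr/local/samba/bin/addmachine and the smb.conf line in its header are assumptions, and the adduser options are the ones from the sample smb.conf above.

```shell
#!/bin/sh
# Added example (not from the HowTo): a wrapper for the 'add user script'
# parameter. Samba hands it the client-supplied machine name plus '$'
# (%m$); the name is validated before it reaches adduser. Assumed install
# path and smb.conf line (both hypothetical):
#   add user script = /usr/local/samba/bin/addmachine %m$

# Return 0 when $1 looks like a machine trust account name: a NetBIOS
# name of 1-15 letters, digits, '-' or '_', followed by '$'. Anything
# else (spaces, shell metacharacters, a leading '-' that adduser would
# read as an option) is rejected.
valid_machine_name() {
    case "$1" in
        *\$) ;;
        *) return 1 ;;
    esac
    name=${1%\$}
    [ ${#name} -ge 1 ] && [ ${#name} -le 15 ] || return 1
    case "$name" in
        -*) return 1 ;;
        *[!A-Za-z0-9_-]*) return 1 ;;
    esac
    return 0
}

# Create the unix account for $1 with the options the HowTo uses for
# machine accounts (group 'machines', no home, no shell). An existing
# entry is left alone so that a re-join does not fail.
add_machine_account() {
    acct=$1
    if ! valid_machine_name "$acct"; then
        echo "addmachine: rejected account name '$acct'" >&2
        return 1
    fi
    if grep -q "^$acct:" /etc/passwd; then
        echo "addmachine: $acct already exists" >&2
        return 0
    fi
    /usr/sbin/adduser -n -g machines -c Machine -d /dev/null -s /bin/false "$acct"
}

if [ $# -eq 1 ]; then
    add_machine_account "$1"
fi
```

The smbpasswd entry for the machine is still created by Samba itself once the join is accepted; this wrapper only reserves the unix ID, as the HowTo describes.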
_________________________________________________________________

You must have either added the machine account entries manually (NT4
ws) or set up the automatic system (W2K), see Machine Accounts before

     + (This step may not be necessary some time in the near
       future.) On the samba server that is the PDC, add a machine
       account manually as per the instructions in the FAQ. Then give
       the command smbpasswd -a -m {machine}, substituting in the
     + Logon to the NTws in question as a local admin, go to the
       Control Panel, Network Identification tab.
     + Press the Change button.
     + Enter the Domain name (from the 'workgroup' parameter in
       smb.conf) in the Domain field.
     + Press OK and after a few seconds you will get a 'Welcome to
       Whatever Domain'. Allow it to reboot.

     + Logon to the W2K machine as Administrator, go to the Control
       Panel and double click on Network and Dialup Connections.
     + Pull down the Advanced menu and choose Network
       Identification. Press Properties.
     + Choose Domain and enter the domain name. Press 'OK'.
     + Now enter a user name and password for a Domain Admin (who
       must be root until a pre-release bug is fixed) and press
     + Wait for the confirmation, reboot when prompted.

To remove a W2K machine from the domain, follow the first two
steps then choose Workgroup, enter a work group name (or just
WORKGROUP) and follow the prompts.
_________________________________________________________________
Again, doing it manually (because the auto way is not working
pre-release). In our simple case every domain user should have an
account on the PDC. The account may have a null shell if they are not
allowed to log on to the unix prompt. Again they need an entry in both
/etc/passwd and /usr/local/samba/private/smbpasswd. Again a
password is not necessary in /etc/passwd but the location of the home
directory is honoured. To make an entry for a user called Joe Blow you
would typically do the following:

    adduser -g users -c 'Joe Blow' -s /bin/false -n joeblow

And you will be prompted to enter a password for Joe. Ideally he will be
hovering over your shoulder and will, when asked, type in a password
of his choice. There are a number of scripts and systems to ease the
migration of users from somewhere to samba. Better start looking!
_________________________________________________________________
Domain Admin Accounts

Certain operations demand that the logged on user has Administrator
privileges, typically installing software and doing maintenance tasks.
It is very simple to appoint some users as Domain Admins, most likely
yourself. Make sure you trust the appointee!

Samba 2.2 recognizes particular users as being domain admins and tells
the NTws when it thinks that it has got one logged on. In the smb.conf
file we declare that the domain admin group = @adm. Any user who is a
member of the unix group 'adm' is treated as a Domain Admin by an NTws
when logged onto the Domain. They will have full Administrator rights
including the rights to change permissions on files and run the system
utilities such as Disk Administrator. Add users to the group by
editing /etc/group. You do not need to use the 'adm' group; choose

Further, and this is very new, they will be allowed to create a new
machine account when first connecting a new NT or W2K machine to the
domain. However, at present, ie pre-release, only a Domain Admin who
also happens to be root can do so.
_________________________________________________________________
Chapter 4. Profiles, Policies and Logon Scripts

NT Profiles should work if you have followed the setup so far. A
user's profile contains a whole lot of their personal settings, the
contents of their desktop, personal 'My Documents' and so on. When
they log off, all of the profile is copied to their directory on the
server and is downloaded again when they log on again, possibly on
another client machine.

Sounds great but can be a bit of a bugbear sometimes. Users let their
profiles get too big and then complain about how long it takes to log
on each time. This sample setup only supports NT profiles; rumour has
it that it is also possible to do the same on Win95, my users don't
know and I'm not telling them.

Note: There is more info about Profiles (including for W95/98) in
_________________________________________________________________
Policies are an easy way to make or enforce specific characteristics
across your network. You create an ntconfig.pol file and every time
someone logs on with their NTws, the settings you put in ntconfig.pol
are applied to the NTws. Typical settings are things like making the
date appear the way you want it (none of these 2 figure years here) or
maybe suppressing one of the splash screens. Perhaps you want to set
the NTws so it does not keep users' profiles on the local machine.
Cool. The only problem is making the ntconfig.pol file itself. You
cannot use the policy editor that comes with NTws.

Note: See the FAQ for pointers on how to get a suitable Policy

The Policy Editor (and associated files) will create an ntconfig.pol
file using the parameters Microsoft thought of and parameters you
specify by making your own template file.

In our example configuration here, Samba will expect to find the
ntconfig.pol file in /usr/local/samba/netlogon. Needless to say (I
hope!), it is vitally important that ordinary users don't have write
permission to the Policy files.
_________________________________________________________________
In the sample config file above there is a line logon script =

Note: the slash is like this '\' not like this '/'. NT is
happy with both, win95 is not!

This allows you to run a DOS batch file every time someone logs on.
The batch file is located on the server; in the sample install
mentioned here, it's in /usr/local/samba/netlogon/scripts and is named
after the user with .bat appended, eg Joe Blow's script is called
/usr/local/samba/netlogon/scripts/joeblow.bat.

Note: There is a suggestion that user names longer than 8
characters may cause problems with some systems being unable to run
logon scripts. This is confirmed in earlier versions when
connecting using W95; comments about other combinations ??

You could use a line like this: logon script = default.bat and samba
will supply /usr/local/samba/netlogon/default.bat for any client and
every user. Maybe you could use %m and get a client machine dependent
logon script. You get the idea...

Note that the file is a DOS batch file, not a Unix script. It runs DOS
commands on the client computer with the logon user's permissions. It
must be a DOS file with each line ending with the DOS CR/LF, not a nice
clean newline. Generally, it's best to create the initial file on a DOS
system and copy it across.

There are lots of very clever uses of the Samba replaceable variables
(such as %U = user, %G = primary group, %H = client machine; see
'man 5 smb.conf') to give you control over which script runs when a
particular person logs on. (Gee, it would be nice to have a
default.bat run when nothing else is available.)

Again, it is vitally important that ordinary users don't have write
permission to other people's, or even probably their own, logon script

A typical logon script is reproduced below. Note that it runs separate
commands for win95 and NT; that's because NT has slightly different
behaviour when using the net use .. command. It's useful for lots of
other situations too. I don't know what syntax to use for win98, I
    rem Default logon script, create links to this file.
    net time \\bioserve /set /yes
    if %OS%.==Windows_NT. goto WinNT
    rem win95 branch
    net use k: \\trillion\bio_prog
    net use p: \\bcfile\homes
    goto end
    :WinNT
    net use k: \\trillion\bio_prog /persistent:no
    net use p: \\bcfile\homes /persistent:no
    :end
_________________________________________________________________
Chapter 5. Passwords and Authentication

So far our configuration assumes that ordinary users don't have unix
logon access. A change to the adduser line above would allow unix
logon but it would be with passwords that may be different from the NT
logon. Clearly that won't suit everyone. Trying to explain to users
that they need to change their passwords in two separate places is not
fun. Further, even if they cannot do a unix logon there are other
processes that might require authentication. We have a nice securely
encrypted password in /usr/local/samba/private/smbpasswd, why not use
_________________________________________________________________

Yes, it's possible and seems the easiest way (initially anyway). The
FAQ details how to do so in the sections What is password sync and
should I use it? and How do I get remote password (unix and SMB)
_________________________________________________________________

PAM enabled systems have a much better solution available. The Samba
PDC server will offer to authenticate domain users to other processes
(either on this server or on the domain). With a suitable PAM stack
such as pam_smb you can get any PAM aware application looking to the
samba password and can leave the password field in /etc/shadow or
_________________________________________________________________

Authenticating other Samba Servers

In a domain that has a number of servers you only need one password
database. The machines that don't have their own ask the PDC to check
for them. This will work fine for a domain controlled by either a

To do so the Samba machine must be told to refer to the PDC and where
the PDC is. See the section in the NTDom FAQ called How do I get my
samba server to become a member (not PDC) of an NT domain?
_________________________________________________________________
Chapter 6. Background

It might help you understand the limitations of the PDC in Samba if
you read something of its history. Well, the history as I understand

For many years the Samba team have been developing Samba; some time
ago a number of people, possibly led by Luke Leighton, started
contributing NT PDC stuff. This was added to the 'head' stream (that
would eventually become the next version) and later to a separate
stream (NTDom). They did so much that eventually this development
stream was so mutated that it could not be merged back into the main
stream and was abandoned towards the end of 1999. And that was very
sad because many users, myself included, had become heavily dependent on
the NTController facilities it offered. Oh well...

The NTDom team continued on with their new found knowledge however and
built the TNG stream. Intended to be carefully controlled so that it
can be merged back into the main stream and benefiting from what they
learnt, it is a very different product to the original NTDom product.
However, for a number of reasons, the merge did not take place and now
TNG is being developed at http://www.samba-tng.org.

Now, the NTDom things that the main stream 2.0.x version does are based
more on the old (initial version) abandoned code than on the TNG
ideas. It appears that version 2.2.0 will also include an improved
version of the 2.0.7 domain controller characteristics, not the TNG
ways. The developers have indicated that 2.2.0 will be further
developed incrementally and the ideas from TNG incorporated into it.

One more little wriggle is worth mentioning. At one stage the NTDom
stream was called Samba 2.1.0-prealpha and similar names. This is most
unfortunate because at least one book published advises people who
want to use NTDom Samba to get version 2.1.0 or later. As main stream
Samba will soon be called 2.2.0 and NOT officially supporting NTDom
Controlling functions, the potential for confusion is certainly there.
_________________________________________________________________
There is a document on the Samba mirrors called 'Development'. It
offers the 'best guess' of what is planned for future releases of

The future of Samba as a Primary Domain Controller appears rosy;
however be aware that it's the future, not the present. The developers
are strongly committed to building a full featured PDC into Samba but
it will take time. If this version does not meet your requirements
then you should consider (in no particular order):

  * Wait. No, we don't know how long. Repeated asking won't help.
  * Investigate the development versions, TNG perhaps or HEAD where
    new code is being added all the time. Realise that development
    code is often unstable, poorly documented and subject to change.
    You will need to use cvs to download development versions.
  * Join one of the Samba mailing lists so that you can find out what
    is happening on the 'bleeding edge'.
_________________________________________________________________

This document cannot possibly answer all your questions. Please
understand that it's very likely that someone has been confronted by
the same problem that you have. The FAQ discusses a number of possible
paths to take to get further help:

  * Documents on the Samba Sites.

There is some discussion about guidelines for using the Mailing Lists
on the accompanying FAQ; please read them before posting.