<HTML
><HEAD
><TITLE
>How to Configure Samba 2.2.x as a Primary Domain Controller</TITLE
><META
NAME="GENERATOR"
CONTENT="Modular DocBook HTML Stylesheet Version 1.57"></HEAD
><BODY
CLASS="ARTICLE"
BGCOLOR="#FFFFFF"
TEXT="#000000"
LINK="#0000FF"
VLINK="#840084"
ALINK="#0000FF"
><DIV
CLASS="ARTICLE"
><DIV
CLASS="TITLEPAGE"
><H1
CLASS="TITLE"
><A
NAME="AEN1"
>How to Configure Samba 2.2.x as a Primary Domain Controller</A
></H1
><HR></DIV
><DIV
CLASS="SECT1"
><H1
CLASS="SECT1"
><A
NAME="AEN3"
>Background</A
></H1
><P
>Versions of Samba prior to release 2.2 had only marginal capabilities to
act as a Windows NT 4.0 Primary Domain Controller (PDC). Please
note that Windows 9x clients are not true members of a domain
for reasons outlined in this article. Therefore the protocol for
supporting Windows 9x style domain logons is completely different
from that for NT4 domain logons, and has been officially supported for some
time.</P
><P
>Beginning with Samba 2.2.0, we are proud to announce official
support for Windows NT 4.0 style domain logons from Windows NT
4.0 and Windows 2000 (including SP1) clients. This article
outlines the steps necessary for configuring Samba as a PDC.
Note that it is necessary to have a working Samba server
prior to implementing the PDC functionality. If you have not
followed the steps outlined in <A
HREF="UNIX_INSTALL.html"
TARGET="_top"
>UNIX_INSTALL.html</A
>, please make sure that your server
is configured correctly before proceeding. Another good
resource is the <A
HREF="smb.conf.5.html"
TARGET="_top"
>smb.conf(5) man
page</A
>.</P
><P
>Implementing a Samba PDC can basically be divided into two broad
steps.</P
><P
></P
><OL
TYPE="1"
><LI
><P
>Configuring the Samba Domain Controller
</P
></LI
><LI
><P
>Creating machine trust accounts
and joining clients to the domain</P
></LI
></OL
><P
>There are other minor details such as user profiles, system
policies, etc. However, these are not specific
to a Samba PDC so much as they are general Windows NT networking
concepts. They will be mentioned only briefly here.</P
><P
>On a closing note, many people have asked about the status
of Samba, Kerberos, and Active Directory. Samba <I
CLASS="EMPHASIS"
>does
not</I
> implement a true Windows 2000 domain controller.
There are actually three pieces to this puzzle.</P
><P
></P
><UL
><LI
><P
>Kerberos</P
></LI
><LI
><P
>Samba</P
></LI
><LI
><P
>LDAP</P
></LI
></UL
><P
>We are exploring possibilities in this area, but
much work remains to be done.</P
></DIV
><DIV
CLASS="SECT1"
><HR><H1
CLASS="SECT1"
><A
NAME="AEN26"
>Configuring the Samba Domain Controller</A
></H1
><P
>The first step in creating a working Samba PDC is to
understand the parameters necessary in smb.conf. I will not
attempt to re-explain the parameters here as they are more than
adequately covered in <A
HREF="smb.conf.5.html"
TARGET="_top"
> the smb.conf
man page</A
>. For convenience, the parameters have been
linked with the actual smb.conf description.</P
><P
>Here is an example smb.conf for acting as a PDC:</P
><P
><PRE
CLASS="PROGRAMLISTING"
>[global]
; Basic server settings
<A
HREF="smb.conf.5.html#NETBIOSNAME"
TARGET="_top"
>netbios name</A
> = <TT
CLASS="REPLACEABLE"
><I
>POGO</I
></TT
>
workgroup = <TT
CLASS="REPLACEABLE"
><I
>NARNIA</I
></TT
>
; we should act as the domain and local master browser
os level = 64
preferred master = yes
domain master = yes
local master = yes
; security settings (must use security = user)
security = user
; encrypted passwords are a requirement for a PDC
encrypt passwords = yes
; support domain logons
domain logons = yes
; where to store user profiles?
logon path = \\%N\profiles\%u
; where is a user's home directory and where should it
; be mounted?
logon drive = H:
logon home = \\homeserver\%u
; specify a generic logon script for all users
; this is a relative path to the [netlogon] share
logon script = logon.cmd
; necessary share for domain controller; the logon script it holds
; runs on every client at logon, so keep it read-only for everyone
; except the administrators in the write list
[netlogon]
path = /usr/local/samba/lib/netlogon
writeable = no
write list = ntadmin
; share for storing user profiles
[profiles]
path = /export/smb/ntprofile
writeable = yes
create mask = 0600
directory mask = 0700</PRE
></P
><P
>There are a couple of points to emphasize in the above
configuration.</P
><P
></P
><UL
><LI
><P
>Encrypted passwords must be enabled.
For more details on how to do this, refer to
<A
HREF="ENCRYPTION.html"
TARGET="_top"
>ENCRYPTION.html</A
>. Note that the hashes stored in the smbpasswd file are
password equivalents, so that file must be readable by root only.
</P
></LI
><LI
><P
>The server must support domain logons
and provide a [netlogon] share. The logon script in that share
is executed by every client at logon, so the share must not be
writeable by ordinary users (hence writeable = no above).</P
></LI
><LI
><P
>The server must be the domain master browser
in order for Windows clients to locate the server as a DC.</P
></LI
></UL
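><P
>The requirements just listed can be checked mechanically before smbd is restarted. The following shell script is an added example, not part of the Samba documentation or of the Samba distribution: it parses an smb.conf with awk, verifies the [global] settings the PDC role depends on, and checks that the [netlogon] share is not writeable, since the logon script it holds is executed on every client at logon. The configuration it lints is the example above, written to a temporary file; the weakened copy, the temporary file names and the function names smb_get and check_pdc_conf are this example's own assumptions.</P
>

```shell
#!/bin/sh
# Added example, not part of the Samba documentation: lint the PDC-relevant
# settings of an smb.conf using only awk, sed and grep.

# smb_get FILE SECTION KEY: print the value of KEY in [SECTION].
# Samba ignores case and whitespace in parameter names, so KEY is compared
# in normalised form ("encrypt passwords" matches "encryptpasswords").
smb_get() {
    awk -v want_sec="$2" -v want_key="$3" '
        { line = $0; sub(/^[ \t]+/, "", line); sub(/[ \t]+$/, "", line) }
        line == "" || line ~ /^[;#]/ { next }            # blank line or comment
        line ~ /^\[.*\]$/ {                               # [section] header
            sec = tolower(substr(line, 2, length(line) - 2)); next
        }
        {
            eq = index(line, "=")
            if (eq == 0) next
            key = substr(line, 1, eq - 1); gsub(/[ \t]/, "", key)
            val = substr(line, eq + 1)
            sub(/^[ \t]+/, "", val); sub(/[ \t]+$/, "", val)
            if (sec != tolower(want_sec)) next
            if (tolower(key) == tolower(want_key)) print val
        }' "$1"
}

# smb_get_lc: like smb_get but lower-cased, for yes/no comparisons.
smb_get_lc() {
    smb_get "$1" "$2" "$3" | tr '[:upper:]' '[:lower:]'
}

# check_pdc_conf FILE: print one line per problem found and return 0 only
# when every requirement for the PDC role holds.
check_pdc_conf() {
    conf=$1
    rc=0
    # [global] parameters the PDC role depends on (see the list above).
    for spec in security=user encryptpasswords=yes domainlogons=yes domainmaster=yes; do
        key=${spec%%=*}
        want=${spec#*=}
        got=$(smb_get_lc "$conf" global "$key")
        if [ "$got" != "$want" ]; then
            echo "FAIL: [global] $key is '${got:-unset}', need '$want'"
            rc=1
        fi
    done
    # A [netlogon] share is mandatory, and because the logon script in it is
    # executed on every client at logon it must not be writeable by ordinary
    # users. Samba accepts several synonyms for the same setting, so check all.
    if ! grep -qi '^[[:space:]]*\[netlogon\][[:space:]]*$' "$conf"; then
        echo "FAIL: no [netlogon] share defined"
        rc=1
    else
        for key in writeable writable writeok; do
            if [ "$(smb_get_lc "$conf" netlogon "$key")" = yes ]; then
                echo "FAIL: [netlogon] $key = yes lets every user alter the logon script"
                rc=1
            fi
        done
        if [ "$(smb_get_lc "$conf" netlogon readonly)" = no ]; then
            echo "FAIL: [netlogon] read only = no lets every user alter the logon script"
            rc=1
        fi
    fi
    if [ "$rc" -eq 0 ]; then
        echo "OK: $conf satisfies the PDC checks"
    fi
    return "$rc"
}

# Constructed input: the smb.conf from this page, written to a temporary file.
SAMPLE_DIR=$(mktemp -d)
GOOD_CONF=$SAMPLE_DIR/smb.conf.pdc
WEAK_CONF=$SAMPLE_DIR/smb.conf.weak
cat > "$GOOD_CONF" <<'EOF'
[global]
   netbios name = POGO
   workgroup = NARNIA
   os level = 64
   preferred master = yes
   domain master = yes
   local master = yes
   security = user
   encrypt passwords = yes
   domain logons = yes
   logon path = \\%N\profiles\%u
   logon drive = H:
   logon home = \\homeserver\%u
   logon script = logon.cmd
[netlogon]
   path = /usr/local/samba/lib/netlogon
   writeable = no
   write list = ntadmin
[profiles]
   path = /export/smb/ntprofile
   writeable = yes
   create mask = 0600
   directory mask = 0700
EOF
# Constructed counter-example: the same file with two mistakes, cleartext
# passwords and a [netlogon] share that every user can write to.
sed -e 's/^\( *encrypt passwords *= *\)yes/\1no/' \
    -e '/^\[netlogon\]/,/^\[profiles\]/ s/^\( *writeable *= *\)no/\1yes/' \
    "$GOOD_CONF" > "$WEAK_CONF"

check_pdc_conf "$GOOD_CONF"
check_pdc_conf "$WEAK_CONF" || echo "-> weakened configuration rejected"
```

<P
>On a live server, run testparm first so that the file you lint is the one smbd actually loads, and remember that this script only reads the configuration: the permissions of the directory behind the [netlogon] share and of the smbpasswd file still have to be checked on the filesystem.</P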
></DIV
><DIV
CLASS="SECT1"
><HR><H1
CLASS="SECT1"
><A
NAME="AEN45"
>Creating Machine Trust Accounts and Joining Clients
to the Domain</A
></H1
><P
></P
></DIV
></DIV
></BODY
></HTML
>