Using Samba as an NT PDC


With the latest release of Samba 2.0, your Unix machine can now act as an NT Primary Domain Controller. This means that NT clients can use a UNIX server to handle authentication and roaming profiles, which eliminates the need for an NT Server for this function and lets you centralize account management for multiple NT clients. It's relatively painless to set up; the basic procedure follows.

Get Samba 2.0 or latest version

To use Samba as an NT PDC, you must have version 2.0 or later. Earlier versions will not work. Get the latest release from www.samba.org. Compile it following the provided instructions; it compiled without problems for me.

Make smb.conf file

Samba does not create an smb.conf file for you; you must create it and put it in your samba lib directory. There are many options that can go in the smb.conf file; check the samba docs for a rundown. Note that comments in smb.conf must be on their own lines, starting with # or ;, because anything after the = on a value line is read as part of the value. The following is a minimal smb.conf file for using Samba as an NT PDC and shared file server, giving access to users' home directories. You may in addition wish to set up printer configurations and public volumes.


[global]
# change to your workgroup name
workgroup = RTL
# a description of the workgroup
server string = Crosu Remote Teaching Lab
guest account = nobody
os level = 2
log level = 2
security = user
# needed for NT4.0 with SP3 or later
encrypt passwords = yes
domain master = yes
domain logons = yes
preferred master = yes
logon home = \\%N\%U
logon path = \\%N\%U\profiles
logon script = %U.bat
wins support = yes
# restrict access to machines or networks
hosts allow = host1 host2
# list of users who have admin privileges on the shares
admin users = ccunning
# optional: this and the next two options change unix passwords when the
# user changes their samba password from the client
unix password sync = yes
passwd program = /usr/bin/passwd %u
passwd chat = *password* %n\n *password* %n\n *successfull*

[Profiles]
comment = Windows-User-Profiles
# stores NT roaming profiles in the user's home directory
path = /home/%U/profiles
browseable = no
guest ok = yes
writeable = yes

[homes]
comment = Home Directories
browseable = no
read only = no
create mode = 0755
guest ok = no

All of the above options are documented in various samba docs. This is a good config to start with; you can add options later. Don't forget the profiles share: it lets users store their backgrounds, icons, etc. Save this file in your samba lib directory, and you're on the way! At this point, you'll also need to create two directories: a locks directory in the samba var directory (/opt/samba/var/locks for me), and a private directory in the top level samba directory (/opt/samba/private for me).
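As an added check (example code, not from the original page or from the Samba project), here is a small sh/awk audit that reads an smb.conf like the one above and reports two things worth catching before testparm: trailing comments on value lines, which smb.conf does not support, and shares that are both guest-accessible and writable, which flags the [Profiles] share exactly as written. The smb.conf embedded in it is a constructed sample.

```shell
#!/bin/sh
# Added check for an smb.conf like the one above (example code, not from the
# original page or from the Samba project). It reports two things worth
# catching before running testparm: trailing "# ..." comments on value lines
# (smb.conf has no inline comments; Samba reads them as part of the value) and
# shares that are both guest-accessible and writable.
audit_smbconf() {   # reads smb.conf text on stdin, prints one finding per line
    awk '
    function flush(   k) {
        if (sec != "" && tolower(sec) != "global" && p["guest ok"] == "yes" &&
            (p["writeable"] == "yes" || p["writable"] == "yes" || p["read only"] == "no"))
            print "guest-writable share: [" sec "]"
        for (k in p) delete p[k]
    }
    /^[ \t]*[#;]/ || /^[ \t]*$/ { next }          # whole-line comments, blanks
    /^[ \t]*\[/ {                                 # [section] header
        flush()
        sec = $0; sub(/^[ \t]*\[/, "", sec); sub(/].*$/, "", sec)
        next
    }
    index($0, "=") {                              # key = value
        n = index($0, "=")
        key = tolower(substr($0, 1, n - 1)); val = tolower(substr($0, n + 1))
        gsub(/^[ \t]+|[ \t]+$/, "", key); gsub(/^[ \t]+|[ \t]+$/, "", val)
        if (val ~ /#/) print "inline comment in value of: " key
        p[key] = val
    }
    END { flush() }'
}

# Constructed sample reproducing both problems (values are made up).
sample_smbconf() {
    cat <<'EOF'
[global]
workgroup = RTL # change to your workgroup name
security = user
[Profiles]
path = /home/%U/profiles
guest ok = yes
writeable = yes
[homes]
read only = no
guest ok = no
EOF
}

sample_smbconf | audit_smbconf
```

Run it as `audit_smbconf < /opt/samba/lib/smb.conf` against your own file; an empty result means neither problem was found.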

Add machine accounts

Now you need to add a few accounts to your computer. In your /etc/passwd (and /etc/shadow if you use shadow passwords), create a user account for each Windows client that will be connecting to your samba server. Each username must be followed by a $. The shell, home directory, password, and so on don't matter; you just need the machine name and the UID. For example, my /etc/passwd contains:


machine_1$:x:56:230:Welk:/dev/null:/
machine_2$:x:57:230:Hendrix:/dev/null:/

and my /etc/shadow:


machine_1$:NP:6445::::::
machine_2$:NP:6445::::::

Now you'll need to create samba accounts for these machines. Go to your samba bin directory and run

smbpasswd -a -m machine_1

for each machine. DO NOT put the $ at the end; the program will do that for you. Do this for each Windows client that will connect to your machine. At this point it would also be a good idea to test out your setup: run the program testparm in the samba bin directory. It should give no errors, and list the shares available.
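The machine-account step above, as an added sh example (not code from the original page): it builds the /etc/passwd line for a trust account with a non-login shell, strips the trailing $ that smbpasswd -a -m must not be given, and audits a passwd-format file for machine accounts that were given a real shell. The passwd entries embedded in it are constructed.

```shell
#!/bin/sh
# Helpers for the machine-account step above: added example, not from the
# original page. The names, uids and the gid 230 in the sample are constructed.

# Strip a trailing $ so the name can be handed to "smbpasswd -a -m", which
# appends the $ itself.
smb_machine_name() {
    printf '%s\n' "$1" | sed 's/\$$//'
}

# /etc/passwd line for a machine trust account: no real home directory and
# /bin/false as the shell, so the account can never be used for an interactive
# login even though it exists in /etc/passwd.
passwd_line() {   # args: machine name, uid, gid, description
    printf '%s$:x:%s:%s:%s:/dev/null:/bin/false\n' \
        "$(smb_machine_name "$1")" "$2" "$3" "$4"
}

# Audit a passwd-format file on stdin: print every machine account (name ends
# in $) that was given a real login shell, which a trust account never needs.
audit_machine_shells() {
    awk -F: '$1 ~ /\$$/ && $7 ~ /sh$/ { print $1 }'
}

# Constructed sample in the page's format; machine_3$ was mistakenly given bash.
sample_passwd() {
    cat <<'EOF'
root:x:0:0:root:/root:/bin/sh
machine_1$:x:56:230:Welk:/dev/null:/
machine_2$:x:57:230:Hendrix:/dev/null:/
machine_3$:x:58:230:Typo:/home/machine_3:/bin/bash
user1:x:1000:100:Ordinary user:/home/user1:/bin/bash
EOF
}

passwd_line machine_3 58 230 Typo      # the line machine_3$ should have had
sample_passwd | audit_machine_shells   # reports machine_3$
```

Against a live system, run `audit_machine_shells < /etc/passwd`; any name it prints is a trust account that could be used for an interactive login and should get /bin/false as its shell.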

Add user accounts

Now it's time to add user accounts. Each person you want to be able to log into the Windows clients must have a valid entry in your /etc/passwd file and in the samba password file. To add samba users, use the smbpasswd command again:

smbpasswd -a username

You will be prompted to enter a password. Theoretically, there is a program available to convert your /etc/passwd file to a samba password file (update: it's called mksmbpasswd.sh in the samba source/script dir, but it does not create passwords, just populates the file with names), but I have yet to find it... I also haven't figured out yet if users can change their samba password from the Windows clients - I don't know much about NT (update: as of samba 2.0.4, users can now change their password from the NT clients). Also, the samba password is used to log into the NT machines, and it does not have to match the user's unix password. However, the username MUST be the same.

Set up the clients

On the NT clients, right click on the Network Neighborhood icon and choose Properties. Change the workgroup to the workgroup name you assigned samba; spelling counts! Now reboot the machine (of course). After rebooting, your samba workgroup should appear in the drop down menu. Choose it and log in. If all goes well, there should be a Z drive in My Computer which lists the contents of the user's home directory. Make sure you warn users not to touch the profiles folder that has been created in their unix accounts. The profile folder will automatically be created by Samba. You may wish to place it somewhere users can't accidentally delete anything, by defining an alternate location in the smb.conf file.

All done!

You'll probably want to read some of the FAQs and man pages about mapping unix groups to NT groups...

Questions, Comments, Problems, Tips? E-mail ccunning@math.ohio-state.edu


http://socrates.mps.ohio-state.edu/~ccunning/samba.html