22.6.3. Domain Controller
22.6.3.1. Primary Domain Controller (PDC) using tdbsam
The simplest and most common implementation of a Samba PDC uses the tdbsam password database backend. Planned to replace the aging smbpasswd backend, tdbsam has numerous improvements that are explained in more detail in Section 22.8, “Samba Account Information Databases”. The passdb backend directive controls which backend is to be used for the PDC.
[global]
workgroup = DOCS
netbios name = DOCS_SRV
passdb backend = tdbsam
security = user
add user script = /usr/sbin/useradd -m "%u"
delete user script = /usr/sbin/userdel -r "%u"
add group script = /usr/sbin/groupadd "%g"
delete group script = /usr/sbin/groupdel "%g"
# -a appends to the user's supplementary groups; without it usermod -G
# replaces the whole list and drops the user from every other group
add user to group script = /usr/sbin/usermod -a -G "%g" "%u"
add machine script = /usr/sbin/useradd -s /bin/false -d /dev/null -g machines "%u"
# The following specifies the default logon script
# Per user logon scripts can be specified in the user
# account using pdbedit
logon script = logon.bat
# This sets the default profile path.
# Set per user paths with pdbedit
logon drive = H:
domain logons = Yes
os level = 35
preferred master = Yes
domain master = Yes

[homes]
comment = Home Directories
valid users = %S
read only = No

[netlogon]
comment = Network Logon Service
path = /var/lib/samba/netlogon/scripts
browseable = No
read only = No
# For profiles to work, create a user directory under the
# path shown.
# mkdir -p /var/lib/samba/profiles/john

[Profiles]
comment = Roaming Profile Share
path = /var/lib/samba/profiles
read only = No
browseable = No
guest ok = Yes
profile acls = Yes

# Other resource shares ...
Two share settings in this example deserve a second look before deployment. The [netlogon] share is writable (read only = No) even though every client executes logon.bat from it, so a user who can write there can plant a script that runs on other users' workstations; unless administrators need to edit scripts through the share, set read only = Yes or limit writes with write list. The [Profiles] share combines read only = No with guest ok = Yes, which lets clients write into the profile tree without authenticating; drop guest ok = Yes unless anonymous access is actually required.
To provide a functional PDC system which uses the tdbsam backend, follow these steps:
- Use a configuration of the smb.conf file as shown in the example above.
- Add the root user to the Samba password database:
smbpasswd -a root
Provide the password when prompted.
- Start the smb service.
- Make sure all profile, user, and netlogon directories are created (the path of the [netlogon] share and one directory per user under the [Profiles] path, as in the mkdir line above), and that each profile directory is owned by its user so that other domain users cannot read it.
- Add groups that users can be members of. The add machine script in the configuration above also requires a machines group; create it the same way before any workstation joins the domain.
groupadd -f users
groupadd -f nobody
groupadd -f ntadmins
- Associate the UNIX groups with their respective Windows groups.
net groupmap add ntgroup="Domain Users" unixgroup=users
net groupmap add ntgroup="Domain Guests" unixgroup=nobody
net groupmap add ntgroup="Domain Admins" unixgroup=ntadmins
- Grant access rights to a user or a group. For example, to grant members of the Domain Admins group the right to add client machines to the domain on a Samba domain controller, execute the following command, where the -S argument is the NetBIOS name of the domain controller (DOCS_SRV in the configuration above):
net rpc rights grant 'DOCS\Domain Admins' SetMachineAccountPrivilege -S PDC -U root
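Before starting the smb service against this configuration, a practitioner wants a quick check that the parameters the steps above depend on are really set, and that the share-level settings a reviewer would flag (a writable [netlogon], a writable share with guest ok = Yes, and an add user to group script that runs usermod -G without -a) are absent. The following POSIX sh + awk script is an added example and is not part of the Red Hat guide or of Samba: the function names (smb_get, audit_pdc_conf and so on) are mine, it assumes only awk, tr and mktemp, and the two smb.conf samples it audits are constructed for illustration (a stripped-down copy of the guide's layout with its weak settings, and the same domain hardened). It prints one FINDING line per problem and returns the number of findings as its exit status.

```shell
#!/bin/sh
# Added example, not from the Red Hat guide or the Samba project: a POSIX sh +
# awk pre-flight audit of a PDC smb.conf. Both smb.conf samples are constructed.
# smb_get FILE SECTION KEY: print the value (last occurrence wins). Samba matches
# section and parameter names case-insensitively and ignores whitespace inside
# parameter names, so both sides are normalized the same way before comparing.
smb_get() {
    awk -v ws="$2" -v wk="$3" '
        function norm(s) { gsub(/[ \t]/, "", s); return tolower(s) }
        BEGIN { ws = norm(ws); wk = norm(wk) }
        /^[ \t]*[;#]/ { next }
        /^[ \t]*\[/ { s = $0; sub(/^[ \t]*\[/, "", s)
                      sec = norm(substr(s, 1, index(s, "]") - 1)); next }
        /=/ { k = $0; sub(/=.*/, "", k)
              if (sec == ws && norm(k) == wk) {
                  v = $0; sub(/^[^=]*=[ \t]*/, "", v); sub(/[ \t]+$/, "", v); found = 1 } }
        END { if (found) print v }' "$1"
}
smb_sections() {   # smb_sections FILE: normalized section names, one per line
    awk '/^[ \t]*\[/ { s = $0; sub(/^[ \t]*\[/, "", s); s = substr(s, 1, index(s, "]") - 1)
                       gsub(/[ \t]/, "", s); print tolower(s) }' "$1"
}
is_yes() {   # Samba boolean true: yes/true/1, case-insensitive
    case "$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')" in yes|true|1) return 0 ;; esac; return 1
}
share_writable() {   # share_writable FILE SECTION; an explicit "read only" wins
    ro=$(smb_get "$1" "$2" "read only")
    if [ -n "$ro" ]; then is_yes "$ro" && return 1; return 0; fi
    for k in writable writeable "write ok"; do is_yes "$(smb_get "$1" "$2" "$k")" && return 0; done
    return 1
}
# audit_pdc_conf FILE: print one FINDING line per problem and return their count.
audit_pdc_conf() {
    conf=$1; n=0
    case "$(smb_get "$conf" global "passdb backend" | tr '[:upper:]' '[:lower:]')" in tdbsam*|ldapsam*) ;;
        *) echo "FINDING: passdb backend should be tdbsam (or ldapsam for LDAP)"; n=$((n + 1)) ;; esac
    [ "$(smb_get "$conf" global security | tr '[:upper:]' '[:lower:]')" = user ] ||
        { echo "FINDING: security must be 'user' on a domain controller"; n=$((n + 1)); }
    for k in "domain logons" "domain master"; do is_yes "$(smb_get "$conf" global "$k")" ||
        { echo "FINDING: '$k' is not Yes; the server will not act as a PDC"; n=$((n + 1)); }; done
    # usermod -G without -a REPLACES the supplementary group list, so adding a
    # user to one domain group silently removes them from every other one.
    script=" $(smb_get "$conf" global "add user to group script") "
    case "$script" in *usermod*) case "$script" in *" -a "*|*" -aG "*|*" -Ga "*) ;;
        *) echo "FINDING: add user to group script runs usermod without -a"; n=$((n + 1)) ;; esac ;; esac
    for sec in $(smb_sections "$conf"); do
        [ "$sec" = global ] && continue
        # Clients execute the logon script from [netlogon]: if users can write
        # there, any user can plant code that runs on other workstations.
        if [ "$sec" = netlogon ] && share_writable "$conf" "$sec"; then
            echo "FINDING: [netlogon] is writable; logon scripts can be tampered with"; n=$((n + 1))
        fi
        # Writable plus guest ok means writes from clients that never authenticated.
        if is_yes "$(smb_get "$conf" "$sec" "guest ok")" && share_writable "$conf" "$sec"; then
            echo "FINDING: [$sec] is writable with guest ok = Yes"; n=$((n + 1))
        fi
    done
    return $n
}
write_weak_conf() {   # constructed sample: the guide's layout with three weak settings
    cat > "$1" <<'EOF'
[global]
passdb backend = tdbsam
security = user
add user to group script = /usr/sbin/usermod -G "%g" "%u"
domain logons = Yes
domain master = Yes
[netlogon]
path = /var/lib/samba/netlogon/scripts
read only = No
[Profiles]
path = /var/lib/samba/profiles
read only = No
guest ok = Yes
EOF
}
write_hardened_conf() {   # constructed sample: the same domain with those three fixed
    cat > "$1" <<'EOF'
[global]
passdb backend = tdbsam
security = user
add user to group script = /usr/sbin/usermod -a -G "%g" "%u"
domain logons = Yes
domain master = Yes
[netlogon]
path = /var/lib/samba/netlogon/scripts
read only = Yes
write list = @ntadmins
[Profiles]
path = /var/lib/samba/profiles
read only = No
EOF
}
for name in weak hardened; do   # stand-alone run: audit both samples and report
    f=$(mktemp) || exit 1; "write_${name}_conf" "$f"
    audit_pdc_conf "$f" && rc=0 || rc=$?; echo "$name sample: $rc finding(s)"; rm -f "$f"
done
```

Run as sh audit.sh: the weak sample produces three FINDING lines and the hardened one none. To check a real server, call audit_pdc_conf /etc/samba/smb.conf after testparm, which validates the syntax but not these policy choices. The hardened sample keeps [netlogon] read-only for everyone except the ntadmins group via write list, which is the usual way to let administrators maintain logon scripts without letting ordinary users replace them.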
The tdbsam backend is a single local database file: it cannot be shared with additional domain controllers and is intended for small domains. If you need more than one domain controller or have a large number of users, do not use the tdbsam authentication backend. LDAP is recommended in these cases.