22.6.3. Domain Controller
A domain controller in Windows NT is functionally similar to a Network Information Service (NIS) server in a Linux environment. Domain controllers and NIS servers both host user/group information databases as well as related services. Domain controllers are mainly used for security, including the authentication of users accessing domain resources. The service that maintains the user/group database integrity is called the Security Account Manager (SAM). The SAM database is stored differently between Windows and Linux Samba-based systems, therefore SAM replication cannot be achieved and platforms cannot be mixed in a PDC/BDC environment.
In a Samba environment, there can be only one PDC and zero or more BDCs.
Samba cannot exist in a mixed Samba/Windows domain controller environment (Samba cannot be a BDC of a Windows PDC or vice versa). Alternatively, Samba PDCs and BDCs can coexist.
126.96.36.199. Primary Domain Controller (PDC) using
The simplest and most common implementation of a Samba PDC uses the
tdbsampassword database backend. Planned to replace the aging
tdbsamhas numerous improvements that are explained in more detail in Section 22.8, “Samba Account Information Databases”. The
passdb backenddirective controls which backend is to be used for the PDC.
[global] workgroup = DOCS netbios name = DOCS_SRV passdb backend = tdbsam security = user add user script = /usr/sbin/useradd -m "%u" delete user script = /usr/sbin/userdel -r "%u" add group script = /usr/sbin/groupadd "%g" delete group script = /usr/sbin/groupdel "%g" add user to group script = /usr/sbin/usermod -G "%g" "%u" add machine script = /usr/sbin/useradd -s /bin/false -d /dev/null -g machines "%u" # The following specifies the default logon script # Per user logon scripts can be specified in the user # account using pdbedit logon script = logon.bat # This sets the default profile path. # Set per user paths with pdbedit logon drive = H: domain logons = Yes os level = 35 preferred master = Yes domain master = Yes [homes] comment = Home Directories valid users = %S read only = No [netlogon] comment = Network Logon Service path = /var/lib/samba/netlogon/scripts browseable = No read only = No # For profiles to work, create a user directory under the # path shown.
mkdir -p /var/lib/samba/profiles/john[Profiles] comment = Roaming Profile Share path = /var/lib/samba/profiles read only = No browseable = No guest ok = Yes profile acls = Yes # Other resource shares ... ...
To provide a functional PDC system which uses the
tdbsamfollow these steps:
- Use a configuration of the
smb.conffile as shown in the example above.
- Add the root user to the Samba password database.
smbpasswd -a rootProvide the password here.
- Start the
- Make sure all profile, user, and netlogon directories are created.
- Add groups that users can be members of.
groupadd -f users
groupadd -f nobody
groupadd -f ntadmins
- Associate the UNIX groups with their respective Windows groups.
net groupmap add ntgroup="Domain Users" unixgroup=users
net groupmap add ntgroup="Domain Guests" unixgroup=nobody
net groupmap add ntgroup="Domain Admins" unixgroup=ntadmins
- Grant access rights to a user or a group. For example, to grant the right to add client machines to the domain on a Samba domain controller, to the members to the Domain Admins group, execute the following command:
net rpc rights grant 'DOCS\Domain Admins' SetMachineAccountPrivilege -S PDC -U root
Keep in mind that Windows systems prefer to have a primary group which is mapped to a domain group such as Domain Users.
Windows groups and users use the same namespace thus not allowing the existence of a group and a user with the same name like in UNIX.
If you need more than one domain controller or have more than 250 users, do not use a
tdbsamauthentication backend. LDAP is recommended in these cases.