Sunday, January 28, 2007

Making Samba your Primary Domain Controller - Part One

My Samba installation went so well that I've decided to improve our network at the office a bit. We are a small company, but there are enough of us to make a primary domain controller a good idea. I did a bit of browsing around the 'net to see how this is done in Samba, only to discover that all of the necessary instructions seem to be for Samba 2; I'm using Samba 3. "Oh well," I say to myself, "how much different can it be?"

Before we get into the ugly details, a bit of background is in order. First, what is a Primary Domain Controller (PDC)?

Domain Controller
A PDC is actually a pretty good idea. The goal is to store a user's logon information in one place, and allow them to access different services in the domain without needing multiple authentications. Samba makes an excellent PDC. It supports roaming profiles, domain logon from all Windows clients, Windows system policies, name services, master browser, and user-level security for Windows 9x/ME clients (assuming you actually have any of those; do you? Shame on you).

What does this mean? Well, if a Windows user logs on from any machine on your network, their profile goes with them, and they'll have access to only those things that they ought to have access to, and their desktop will look just like they expect it to. This is generally a good thing, and saves lots of pointless calls for help to the sysadmin.

This is of less value to a Mac, BSD, or Linux user, but let's face it -- Windows dominates in the business world, and will for some time to come. If this is the case on your network, then Samba as a PDC might serve very well for you.

A word of caution: just as was the case with Connor MacLeod, "in the end, there can only be one." Don't try this if you have a PDC on your network already. Bad things will happen. Your network might blow up. Ethernet cables will melt. Your hair will fall out. Avoid the heartache, and instead try this on a test network, get it working fine, and then use your shiny new Samba PDC as a drop-in replacement for whatever you're using now.

So how do you do this? From what I can find on the 'net it looks fairly painless. The steps are as follows:

1) Install Samba.
2) Edit smb.conf, the Samba configuration file.
3) Add machines and users.
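
To give step 2 some shape, here is an added sketch of a Samba 3 smb.conf for a PDC. It is not the author's configuration (that is what Part II covers), and the domain name, host name, paths and the "machines" group are constructed placeholders.

```ini
# Constructed example for Samba 3; EXAMPLEDOM, PDC1 and all paths are placeholders.
[global]
    workgroup = EXAMPLEDOM
    netbios name = PDC1

    # User-level security backed by a local account database.
    security = user
    passdb backend = tdbsam
    encrypt passwords = yes

    # These settings make this server the domain controller and
    # domain master browser. Only one host per domain may have them.
    domain logons = yes
    domain master = yes
    preferred master = yes
    local master = yes
    os level = 65

    # Name services for the Windows clients.
    wins support = yes

    # Roaming profiles and home drive (%L = this server, %U = user name).
    logon path = \\%L\profiles\%U
    logon home = \\%L\%U
    logon drive = H:

    # Machine accounts created at domain join get no home directory
    # and no login shell (assumed useradd path and group name).
    add machine script = /usr/sbin/useradd -d /dev/null -g machines -s /bin/false %u

[netlogon]
    # Logon scripts and system policy files are fetched by every client,
    # so ordinary users must not be able to write here.
    path = /srv/samba/netlogon
    read only = yes
    browseable = no

[profiles]
    # Writable, but each profile is private to its owner.
    path = /srv/samba/profiles
    read only = no
    browseable = no
    create mask = 0600
    directory mask = 0700
```

Running `testparm` checks the file for syntax errors before Samba is restarted, and `smbpasswd -a` is the usual way to add the users of step 3 to the Samba account database.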

I did see some references to Windows XP being a pain, and the Professional edition requiring a registry patch to work with Samba, but those were email messages made some time ago. From the silence on the topic for the past couple of years, I can only conclude one of two things: either Samba is not being used as a PDC by anyone now, or it works fine. I'm hoping for the latter.

I should also note that you can use your Samba PDC in a variety of other ways, although I have not personally tried some of these. For example, I found reference to using Samba as a member of an Active Directory domain (update: this is natively supported in Samba 3.0x), and there are a number of other suggestions in this article. A lot of information is dated, and needs to be tested, but I plan on trying a few different things.

In part II, I'll cover the installation and configuration.