Thursday, February 08, 2007

Making Samba your Primary Domain Controller - Part Quarto

Last time we went over installing Samba on both Linux and FreeBSD. It was pretty simple. Configuring Samba, though, can be a bit tougher. I ran into a number of difficulties, all to do with the (rather cryptic) smb.conf configuration.

Samba is controlled by a single file -- smb.conf. Depending on which operating system (and which package) you favour, you'll find it in /etc/samba/smb.conf (most current Linux distros), /etc/smb.conf (older Linux installs), or /usr/local/etc/smb.conf (FreeBSD, from ports). If you aren't sure which one your build actually reads, "smbd -b | grep CONFIGFILE" prints the compiled-in path, and "testparm" will parse the file and complain about unknown or misspelt parameters before you restart anything -- get into the habit of running it after every edit.

Configuring smb.conf
Remember that our goal is to use Samba as a primary domain controller. Below is a minimalist smb.conf configuration that will achieve this goal (at least in theory). We have a machine named Aragorn, in a Windows domain named middleearth. We are telling Samba where to keep profiles for NT/2000/XP users, and specifying who is a domain admin (with a parameter that Samba 2.2 understands but Samba 3 does not; Samba 3 maps the Domain Admins group onto a Unix group with "net groupmap" instead). We're also telling Samba how to add Unix accounts for new users. Note that in smb.conf, a comment starts with either a '#' or a semi-colon (';'); everything from that symbol to the end of the line is ignored. I strongly encourage you to put lots and lots of comments in. It will make life much easier if you have to go in and make a change.

[global]
; name our machine and workgroup
netbios name = aragorn
workgroup = middleearth
encrypt passwords = yes

; tell samba we are a PDC
domain master = yes
local master = yes
preferred master = yes
os level = 65

; we'll probably come back to these settings,
; but they'll do for now
security = user
domain logons = yes

; logon path tells Samba where to put Windows NT/2000/XP
; roaming profiles
logon path = \\%L\profiles\%u\%m
logon script = logon.bat

logon drive = O:
; logon home is used to specify home directory and
; Windows 95/98/Me roaming profile location
;logon home = \\%L\%u\.win_profile\%m

time server = yes

; Use the names of all users in the Windows NT/2000/XP
; Administrators group who log on to the domain.
; NOTE: this parameter only exists in Samba 2.2. Samba 3 ignores it
; (testparm reports it as unknown); there you map the Domain Admins
; group (RID 512) to a Unix group with "net groupmap" instead.
domain admin group = root tcs susand

; this works on Centos Linux -- YMMV
add user script = /usr/sbin/useradd -d /dev/null -g 100 -s /bin/false -M %u
; workstations joining the domain need a machine account too (the
; account name ends in '$'); without this script you have to create
; them by hand before each join
add machine script = /usr/sbin/useradd -d /dev/null -g 100 -s /bin/false -M %u

; share a directory for everyone. It is guest-writable, so anyone
; who can reach the server on the network can drop files here.
[public]
path = /samba/shares/public
public = yes
only guest = yes
writable = yes
printable = no

; make one private to tcs
[tcs]
comment = tcs's stuff
path = /samba/shares/private/tcs
valid users = tcs
public = no
writable = yes
printable = no
; 0765 leaves the files readable by every local account on the server;
; use 0700 (plus directory mask = 0700) if the share is really private
create mask = 0765

; the two shares the [global] settings above depend on: logon.bat is
; served from [netlogon] and logon path points at [profiles]. The paths
; are examples -- pick your own.
[netlogon]
path = /samba/netlogon
read only = yes

[profiles]
path = /samba/profiles
read only = no
create mask = 0600
directory mask = 0700

This might seem a bit cryptic, but it actually makes sense. There are some oddities specific to this file, though, so let's go through this section a bit. First, note that we begin with a [global] tag. As you might expect, this simply states that everything that follows, up to the next [section] tag, applies to the server as a whole rather than to one share. We begin in this section by setting the NetBIOS name of the Samba server; it is also what the %L variable expands to in the UNC paths that appear later in smb.conf. The next two lines are a bit odd. We appear to be naming a workgroup -- but although it reads "workgroup", we are actually setting the name of our domain. For a workgroup, using encrypted passwords is optional; for a domain they are required (NT-family clients won't send plaintext passwords by default anyway), so we encrypt them. This is the default in Samba 3, but spelling it out does no harm.

The next four lines set up our Samba machine to handle browsing services. This line:
domain master = yes
looks like it is telling Samba to act as a PDC. After all, it has the words "domain" and "master" -- sounds important. In fact, all this line does is tell Samba to act as the domain "master browser," which keeps the browse list for the domain across multiple subnets (in conjunction with the built-in WINS service, which we'll get to in a while), if necessary. A PDC is expected to be the domain master browser, so you do want it on, but it isn't what makes Samba a PDC. These lines,
local master = yes
preferred master = yes
os level = 65
simply tell Samba to participate in browser elections on its own subnet and allow itself to win. "preferred master" makes Samba force an election when it starts, and "os level" is the value it claims in that election; 65 outranks anything a Windows NT or 2000 machine will claim, so Samba wins.

This section,
security = user
domain logons = yes
tells Samba to handle the actual domain logons. We set security to "user" so that Samba will require a username and password (always a good thing). This is actually the default setting for Samba, and the only reason we're including it explicitly is to avoid confusion.

"domain logons" is what tells Samba we want this server to handle domain logons (finally!). To support roaming profiles on Windows NT/2000/XP clients, we have to supply Samba with a "logon path":
logon path = \\%L\profiles\%u\%m
logon script = logon.bat
The value following "logon path" is a UNC pointing at a share on the Samba server where the profiles are kept, so a share called [profiles] has to exist and be writable by the user logging on. The variables %L, %u and %m are replaced with the name of the server, the username of the logged on user and the NetBIOS name of the client machine, respectively (this is done automatically, by Samba, while it runs. Don't try to manually edit the file to put in your own values -- just use the variables). Ending the path with %m gives each user a separate profile per workstation, which is handy when the workstations differ. "logon script" names a batch file the client runs at logon; Samba always serves it from a share that must be called [netlogon], and the name is relative to that share. "logon drive", above, is just the drive letter NT/2000/XP clients map the user's home share to.
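A file this terse is easy to get subtly wrong, and testparm only checks syntax, not whether the pieces fit together. Here is a small linter for the PDC-related settings discussed in this post. It is an added example, not code from the original post or from the Samba project; it follows Samba's own rules for comments, case-insensitive parameter names and the common synonyms (writable/writeable, public/guest ok), but does not handle backslash line continuations or "include =". The sample configuration is constructed from the file above, and the share paths used in the fixed copy (/samba/netlogon, /samba/profiles) are assumptions.

```python
import re

# Constructed sample, abridged from the smb.conf above to the settings the
# linter looks at (share paths are the post's; nothing here is a real server).
SAMPLE_SMB_CONF = r"""
[global]
netbios name = aragorn
workgroup = middleearth
encrypt passwords = yes
security = user
domain logons = yes
logon path = \\%L\profiles\%u\%m
logon script = logon.bat
domain admin group = root tcs susand
add user script = /usr/sbin/useradd -d /dev/null -g 100 -s /bin/false -M %u

[public]
path = /samba/shares/public
public = yes
only guest = yes
writable = yes

[tcs]
path = /samba/shares/private/tcs
valid users = tcs
writable = yes
create mask = 0765
"""

def _norm(name):
    return re.sub(r"\s+", "", name.lower())  # Samba ignores case and whitespace in names

def parse_smb_conf(text):
    """Return {section: {normalised parameter: value}}. Comments start with
    '#' or ';'; backslash continuations and 'include =' are not handled."""
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            conf.setdefault(section, {})
        elif "=" in line and section is not None:
            key, _, value = line.partition("=")
            conf[section][_norm(key)] = value.strip()
    return conf

def _get(sec, *names):
    """First value set among synonymous parameter names, else None."""
    return next((sec[_norm(n)] for n in names if _norm(n) in sec), None)

def _bool(value, default=False):
    return default if value is None else value.lower() in ("yes", "true", "1")

def _writable(share):
    w = _get(share, "writable", "writeable", "write ok")
    return _bool(w) if w is not None else not _bool(_get(share, "read only"), default=True)

def lint_pdc(conf):
    """[(severity, section, message)]: 'error' breaks domain logons, 'warn' needs a look."""
    out, g = [], conf.get("global", {})
    err = lambda s, m: out.append(("error", s, m))
    warn = lambda s, m: out.append(("warn", s, m))
    if (_get(g, "security") or "user").lower() != "user":
        err("global", "security must be 'user' on a PDC")
    if not _bool(_get(g, "domain logons")):
        err("global", "domain logons = yes is required on a PDC")
    if not _bool(_get(g, "encrypt passwords"), default=True):
        err("global", "encrypt passwords = no: NT/2000/XP clients cannot log on")
    m = re.match(r"\\\\[^\\]+\\([^\\]+)", _get(g, "logon path") or "")
    if m and m.group(1).lower() not in conf:
        err("global", "logon path uses share [%s] which is not defined" % m.group(1))
    if _get(g, "logon script") and "netlogon" not in conf:
        err("global", "logon script is set but there is no [netlogon] share to serve it")
    if _get(g, "domain admin group") is not None:
        warn("global", "domain admin group was removed in Samba 3.0; use net groupmap instead")
    if _get(g, "add user script") and not _get(g, "add machine script"):
        warn("global", "no add machine script: workstations cannot join unless accounts are made by hand")
    for name, share in conf.items():
        if name == "global":
            continue
        guest = _bool(_get(share, "guest ok", "public")) or _bool(_get(share, "guest only", "only guest"))
        if guest and _writable(share):
            warn(name, "guest-writable share: anyone who can reach the server can write here")
        mask = _get(share, "create mask", "create mode")
        if _get(share, "valid users") and mask and int(mask, 8) & 0o077:
            warn(name, "create mask %s leaves files open to other local accounts" % mask)
    return out

# The same file with the errors fixed (assumed paths): shares for profiles and
# logon.bat, a machine-account script, the Samba 2.2 parameter dropped, a tight mask.
FIXED_SMB_CONF = (
    SAMPLE_SMB_CONF.replace("domain admin group = root tcs susand\n", "")
    .replace("create mask = 0765", "create mask = 0700\ndirectory mask = 0700")
    .replace("add user script =", "add machine script = /usr/sbin/useradd -d /dev/null -g 100 -s /bin/false -M %u\nadd user script =")
    + "\n[netlogon]\npath = /samba/netlogon\nread only = yes\n"
    + "\n[profiles]\npath = /samba/profiles\nread only = no\ncreate mask = 0600\ndirectory mask = 0700\n"
)
```

lint_pdc(parse_smb_conf(SAMPLE_SMB_CONF)) reports two errors (the [profiles] share named in logon path doesn't exist, and there is no [netlogon] share to serve logon.bat) and four warnings; the same call on FIXED_SMB_CONF is left with only the guest-writable [public] warning, which is a judgement call rather than a mistake. The linter deliberately checks just the handful of settings that decide whether domain logons work at all; testparm still has the final word on syntax.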

If you put those entries into your smb.conf (and make the changes appropriate for your system, of course), run testparm to make sure Samba parses the file the way you think it does, and add root and your users to Samba's password database with "smbpasswd -a" (root is the account you'll use when joining workstations to the domain), you will have a functional, if bare bones, PDC running. Next time I'll go through fine tuning this and adding some additional bells and whistles.