Simple Samba PDC on Debian GNU/Linux 4.0 (Etch)
Introduction
We’ve been using Samba in the office since we initially set up the office network but we’ve been using it as a simple fileshare. As we grow the company, managing individual desktops is becoming more of a headache and I’m investigating various solutions.
Samba has had the ability to run as a Windows domain controller for ages. They recommend you install an LDAP server if you have a complex network, more than 250 users or require database replication (one or more backup domain controllers). So far I’ve been reluctant to roll out an LDAP server for our network – it is extremely powerful but the pain of the initial setup hasn’t been justified yet. In addition, the management tools for LDAP are still more complex than they need to be imho.
Thankfully Samba also supports a less complex backend called tdbsam (for those of you familiar with Samba, this is a replacement for the smbpasswd file format which stores additional data over and above the smbpasswd format allowing better support for account and system access controls as seen with Windows NT/2000/2003-based systems). For the moment tdbsam sounds like it will meet our needs perfectly – we want a solution which will involve a minimum of maintenance and will allow our desktop Windows XP Pro systems to join a network and avail of services including centralised authentication, roaming profiles and network shares.
Configuration
Configuration of a basic Samba Primary Domain Controller (PDC – Microsoft’s terminology for the main Windows server – if you want to have failover servers which step in if the PDC goes down you install 1 or more BDCs – Backup Domain Controllers) is pretty straightforward – there is one configuration file you have to edit. The Samba project provide an excellent set of documentation in the Samba HOWTO Collection. It covers pretty much every configuration scenario you could be interested in. Unfortunately it does require you to do some reading and who wants to do that these days? Luckily we’re going to cover the basics of a PDC here … if you need to do something fancier you should probably start by perusing the HOWTO.
I’m going to walk through the configuration file I’ve configured on our server (with the domain and servers names changed for security reasons) and explain the various configurations. If this is all too much for now, then skip to the end where you can download the configuration file, replace the server and domain names and drop it into your Samba configuration for a working PDC. Note that these instructions are for Samba 3.0.24 running on Debian GNU/Linux 4.0 (Etch). Your mileage may vary on other versions of Samba or other Linux distributions and operating systems.
The smb.conf starts with a section for server settings called global. This section is followed by other sections describing particular shares and services.
[global]
workgroup = EXAMPLEDOMAIN
netbios name = EXAMPLESERVER
server string = %h server (Samba %v)
Here we specify that we want Samba to act as a server for a domain called EXAMPLEDOMAIN and that our Windows networking name is EXAMPLESERVER (this should normally be picked up and set from your server hostname, but I’ve seen some weird problems when this isn’t picked up correctly, so it’s no harm to set it explicitly).
security = user
domain master = yes
preferred master = yes
domain logons = yes
This is effectively where we configure the server as a PDC. The setting security = user tells Samba to only allow people to connect who supply a valid username and password. The other settings configure Samba as the master browser for a domain/workgroup and act as a domain controller for the domain/workgroup.
os level = 40
This value influences whether Samba will become the local master browser for a subnet – if Samba is acting as PDC it is generally a good idea to set this high.
wins support = yes
dns proxy = yes
This enables Samba to operate as a WINS server on your network (WINS is used by Windows clients to resolve computer names to computer addresses). Normally a good idea if you are running as PDC. The dns proxy setting allows Samba to fall back to using DNS if the Windows (NetBIOS) name for the system has not been registered.
log file = /var/log/samba/log.%m
max log size = 1000
log level = 2
syslog = 0
These settings relate to system logging functionality. Note that you can increase log level for debugging purposes. A log level of 1 gives some information about what is happening, a log level of 2 gives enough information to debug most basic problems and a log level of 3 gives you lots and lots of information. Log levels higher than 3 will really only be useful to developers who need detailed information about Samba internals. The log file line configures Samba to create a single log-file for each Windows client that connects to the server.
panic action = /usr/share/samba/panic-action %d
encrypt passwords = true
passdb backend = tdbsam
obey pam restrictions = yes
guest account = nobody
unix password sync = yes
passwd program = /usr/bin/passwd %u
pam password change = yes
Here we configure the password settings. Note that we’re using tdbsam as our backend (rather than smbpasswd or LDAP). Note also that we have configured Samba (unix password sync) to change our Linux password any time we change our Samba password (by default they are stored in 2 separate files on the system). For this scheme to work, you should always use the smbpasswd command to change your system password and not the passwd command. Note that you can also change your password when logged in to a Windows client by pressing CTRL-ALT-DEL and clicking on Change Password.
logon path = \\%L\profiles\%U
logon drive = U:
logon home = \\%L\%U
logon script = logon.cmd
You may wish to customise some of the logon settings. The logon path line specifies where roaming profiles will be stored on the server. Roaming profiles include per-user registry settings (in a file called NTUSER.DAT), My Documents and various application-specific configuration files. They are a useful way of keeping a similar environment when you move between systems. We have specified that roaming profiles will be stored in a dedicated share called profiles in a subdirectory with the user’s login name. To ensure this works you will need to manually create profile directories under here for each user. Another approach is to configure logon path to point to a subdirectory in the user’s home directory. The logon drive setting specifies which drive letter will be used for the user’s home directory on the Samba server. Using letters from the end of the alphabet is advisable to avoid clashing with drive letters used for local drives. The logon home is set as the user’s home directory on the Samba server – if you have a more complex environment you may want to change this to something else. The logon script is a Windows script (or batch file) run by each user when they log in – it can be used to configure some settings for the user including setting up standard Windows shares and so on.
add machine script = /usr/sbin/useradd -d /var/lib/nobody -g windowsmachines -s /bin/false %u
The add machine script line is distribution specific – different distributions use variations of the useradd command which take different parameters. The above command works on Debian 4.0 (Etch). Note that you need to add a group on your Samba server called windowsmachines – this is the group that Windows machine accounts will belong to.
load printers = yes
printing = cups
printcap name = cups
These lines configure your printers. I’m assuming you have a CUPS server installed. This will automatically share your CUPS-configured printers via Samba.
socket options = TCP_NODELAY
This parameter lets you tweak your network settings – the general recommendation is to leave this at the defaults unless you are prepared to run tests of each change you make to determine whether it improves the performance of your Samba server or degrades it (a lot of options can reduce the performance of your server if used in the wrong context).
That concludes the global settings section. The following sections are some standard shares you should provide and a single example share called office data which you can customise. Note that you can add as many sections as you require shares. We will discuss the print-related shares in a follow-up blog post about configuring printers with Samba (there are a few minor problems I have to iron out there before I document my configuration).
[homes]
comment = Home Directories
browseable = no
writable = yes
create mask = 0700
directory mask = 0700
hide files = /desktop/desktop.ini/ntuser.ini/NTUSER.*/RECYCLER/
[printers]
comment = All Printers
browseable = no
path = /var/spool/samba
printable = yes
public = yes
writable = no
create mode = 0700
[print$]
comment = Printer Drivers
path = /var/lib/samba/printers
write list = root, @ntadmin
printer admin = root, @ntadmin
[netlogon]
comment = Network Logon Service
path = /var/lib/samba/netlogon
guest ok = yes
writable = no
share modes = no
# For profiles to work, create a user directory under the path
# shown. i.e., mkdir -p /var/lib/samba/profiles/maryo
[profiles]
comment = Roaming Profile Share
path = /var/lib/samba/profiles
read only = No
profile acls = Yes
[office data]
path = /data
comment = office data files
writable = yes
locking = yes
public = yes
write list = @staff
create mask = 0775
directory mask = 0775
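As an added example (not code from the post or from the Samba project), a small Python script that parses this ini-style smb.conf, checks that the global section still describes the tdbsam-backed PDC configured above, and flags any share that is both guest-accessible and writable, which is how the office data share above is set (public = yes with writable = yes). SAMPLE_CONF is a constructed excerpt of the configuration on this page.

```python
# Added example, not from the original post or the Samba project: parse
# smb.conf's ini-like syntax and check the PDC settings the post relies on.
# [global] values the post uses for a tdbsam-backed domain controller.
REQUIRED_GLOBAL = {"security": "user", "domain logons": "yes",
                   "domain master": "yes", "passdb backend": "tdbsam"}
YES = {"yes", "true", "1"}

def parse_smb_conf(text):
    """Return {section: {key: value}}; keys are lower-cased with internal
    whitespace collapsed, so 'Domain  Logons' and 'domain logons' match."""
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue                      # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            conf.setdefault(section, {})
        elif section is not None and "=" in line:
            key, value = line.split("=", 1)
            conf[section][" ".join(key.lower().split())] = value.strip()
    return conf

def audit_pdc(conf):
    """Return findings as strings; an empty list means the PDC layout matches."""
    findings, g = [], conf.get("global", {})
    for key, want in REQUIRED_GLOBAL.items():
        got = g.get(key, "<unset>").lower()
        if got != want:
            findings.append(f"[global] {key} = {got}, expected {want}")
    for name, share in conf.items():
        guest = share.get("public", share.get("guest ok", "no")).lower() in YES
        # 'writable' wins when set; otherwise Samba's 'read only' (default yes).
        writable = (share["writable"].lower() in YES if "writable" in share
                    else share.get("read only", "yes").lower() not in YES)
        if name != "global" and guest and writable:
            findings.append(f"[{name}] is guest-accessible and writable")
    return findings

# Constructed excerpt of the post's smb.conf, trimmed to the relevant keys.
SAMPLE_CONF = """[global]
   security = user
   domain master = yes
   domain logons = yes
   passdb backend = tdbsam
[office data]
   public = yes
   writable = yes
"""
```

Run audit_pdc(parse_smb_conf(open("/etc/samba/smb.conf").read())) against the live file; if you rely on write list to restrict the office data share, drop public = yes so only authenticated users reach it.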
For the Impatient
- Add a group on your Debian server called windowsmachines.
- Install the samba package on your server.
- Download smb.conf and copy it over /etc/samba/smb.conf on your Samba server.
- Change the workgroup and netbios name settings to your own.
- Restart Samba.
- Set your root account samba password with the smbpasswd command (it is recommended that you use a different password than your standard root password for security).
- For each user using this PDC you will need to create a subdirectory under /var/lib/samba/profiles with their username, for example,
mkdir -p /var/lib/samba/profiles/smulcahy
chown smulcahy:users /var/lib/samba/profiles/smulcahy
- To add a new user to your domain, do the following on your Debian server,
- Add a Linux account for the new user:
adduser smulcahy
- Add a Samba account for the new user:
pdbedit -a smulcahy
- Set the initial password for the new user:
smbpasswd smulcahy
The user can subsequently change their password from Windows in the usual way.
- To join new machines to your domain, follow the standard Windows procedure of clicking on Start/Control Panel/System/Computer Name/Network Identification Wizard and use root when prompted for a user with Administrative privileges.
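The per-user steps above (Linux account, Samba account, initial password, profile directory) gathered into one script, as an added example that is not part of the original post. The non-interactive adduser flags, the profile path and the users group are assumptions taken from the post’s commands; the command runner and chown are injectable so the script can be exercised without root.

```python
# Added example, not part of the original post: the per-user steps from the
# list above (adduser, pdbedit -a, smbpasswd, profile directory) as one script.
# The adduser flags and PROFILES path are assumptions; run/chown are injectable.
import os
import re
import shutil
import subprocess

PROFILES = "/var/lib/samba/profiles"          # the post's 'profiles' share path
USERNAME = re.compile(r"^[a-z_][a-z0-9_-]{0,31}$")   # Debian's default NAME_REGEX

def provision_commands(user):
    """Commands to run as root, in this order, to create both accounts."""
    if not USERNAME.match(user):
        raise ValueError(f"refusing username {user!r}")   # never reaches a shell
    return [
        # Non-interactive form of the post's 'adduser smulcahy' (assumed flags).
        ["adduser", "--disabled-password", "--gecos", "", user],
        ["pdbedit", "-a", user],        # Samba account in the tdbsam backend
        ["smbpasswd", user],            # initial password, synced to Linux by
    ]                                   # 'unix password sync' in smb.conf

def create_profile_dir(user, group="users", root=PROFILES, chown=shutil.chown):
    """mkdir -p the roaming profile directory, private to its owner (0700)."""
    path = os.path.join(root, user)
    os.makedirs(path, exist_ok=True)
    os.chmod(path, 0o700)               # makedirs applies the umask; force 0700
    chown(path, user, group)            # the post uses 'chown smulcahy:users'
    return path

def provision(user, group="users", run=subprocess.check_call, **kw):
    """Create the Linux and Samba accounts, then the profile directory."""
    for cmd in provision_commands(user):
        run(cmd)                        # argument lists, so no shell quoting
    return create_profile_dir(user, group, **kw)

if __name__ == "__main__":
    import sys
    print(provision(sys.argv[1]))       # e.g. sudo python3 add_samba_user.py maryo
```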
Next Steps
I’m hoping this is the first in a series of Samba related blogs. Some of the other items I want to look at are as follows (if there is something else you’d like me to talk about drop me a line and if it’s relevant I’ll give a shot at investigating it as I roll out our Samba server).
- Printers
- Policies
Thanks, see you soon.
Acknowledgement: I’d like to thank Mick Lohan for his feedback and testing of this procedure. Thanks Mick!
9 Comments to Simple Samba PDC on Debian GNU/Linux 4.0 (Etch)
We have been using Samba DCs for years and it works quite well. We do have to implement the “sign or seal” reghack on the XP boxen. For various reasons we are going AD soon but the Samba DCs are still chugging away nicely 🙂
February 22, 2007
Hey Mark, good to hear from you. Hope all’s well in Toronto. I believe the sign or seal reghack is no longer necessary, at least that’s what someone on the Samba mailing list suggested in this post – http://lists.samba.org/archive/samba/2007-February/129773.html.
February 22, 2007
Sweet! got it going on my vmware linux box. Makes a simple solution. Thanks
February 22, 2007
I’ve made 2 minor updates to the smb.conf, I’ve enhanced the ‘hide files’ line and added the same line to the profiles share. This fixes a problem whereby some hidden system files (mainly desktop.ini) were showing up on screen when the user logs in (see http://www-gatago.com/linux/samba/14514952.html for some discussion of this problem).
It sounds like the correct solution if you want full support for attributes like HIDDEN and SYSTEM is to use the samba parameter ‘store dos attributes = yes’ and to mount the filesystems used by Samba with the user_xattr mount option. I’m not sure I need this additional level of complexity yet though (and I’ll need to investigate the user_xattr option further before applying it blindly).
Is anyone else using this?
February 23, 2007
I think I read that too Steve but given the move to AD by the time we get around to updating Samba on the DC it’ll be moot. As to how things are: George Bush is screwing with my life here in Toronto but that’s because of the Daylight Savings Time change which Ontario is going along with 🙂
February 23, 2007
Whoops, you tripped over our spam filter there – not sure why. I’m having lots of trouble with Windows policies on my Samba connected clients – http://lists.samba.org/archive/samba/2007-February/129803.html and I’m running out of ideas quickly. About the only thing remaining for me to do is try a different network card in the client. I’ll be very upset if I find out that that is the cause.
February 22, 2008
You might need:
7b: add the group ntadmin: addgroup ntadmin
8.4: optionally add the new user to the ntadmin group: usermod -G ntadmin -a smulcahy
[…] is a follow on to my previous blog – Simple Samba PDC on Debian GNU/Linux 4.0 (Etch) where we looked at how to configure Samba as a simple PDC for your network. One of the benefits of […]
[…] making increasing use of LDAP in our office infrastructure. I spoke about a simple Samba PDC configuration last year. The Samba team recommend using LDAP as your Samba password backend if you require all of […]
February 22, 2007