Setting up Samba as an NT4 PDC (Quick Start): Difference between revisions
Revision as of 00:35, 27 August 2016
Introduction
In some environments it is still necessary to run a Samba NT4-style PDC. Consider this guide a quick start to set up a minimal installation with one administrative account (root) and one user account (demoUser). In this minimized configuration, machine accounts also need to be created manually on the PDC. Both user and machine accounts are stored in Samba's internal "tdbsam" database. It is of course possible to extend the setup with additional features, such as an OpenLDAP backend or automatic machine account creation, but that is not part of this guide.
See the "Host information used in documentation" page for the paths, hostnames, etc. used here.
Preconditions
We assume the following actions are already finished on the future PDC:
Configure smb.conf
- Locate the smb.conf file of your installation:
    # smbd -b | grep "CONFIGFILE"
       CONFIGFILE: /usr/local/samba/etc/smb.conf
- Open the smb.conf with your favorite text editor and replace its content with the following:
    [global]
        netbios name = PDC
        workgroup = SAMDOM
        security = User
        passdb backend = tdbsam
        username map = /usr/local/samba/etc/username.map
        domain logons = Yes
        # Uncomment the following line, if Windows 10 machines should be able
        # to log on to your NT4-style domain. For further details, click here.
        #server max protocol = NT1
        log file = /var/log/samba/%m
        log level = 1
- This is a minimum configuration that sets up an NT4-style PDC with a local tdbsam database. See the smb.conf man page to understand each parameter's purpose and its configured value.
- Create the file referred to in the "username map" parameter and fill it with the following content, which maps the domain administrator to the local root account:
root = administrator
- Start smbd and nmbd. This step is operating-system specific; consult your OS documentation for further details.
User creation
- Create a local Unix user account "demoUser". Omit the "-M" parameter if a home directory is required. It is not necessary to assign a valid shell to the account if no shell access (e.g. via SSH) is required:
    # useradd -M -s /sbin/nologin demoUser
- Enable the demoUser account:
    # passwd demoUser
    Enter new UNIX password: Passw0rd
    Retype new UNIX password: Passw0rd
    passwd: password updated successfully
- This password is only for local login and not for accessing the domain through Samba. Setting a local password is nevertheless required; otherwise the account stays locked and Samba denies the login. Having a password assigned to a Samba-only account is not a security problem, because no shell was assigned in the previous step, so shell logins are denied anyway.
- Add the root and demoUser accounts to the Samba database:
    # smbpasswd -a root
    New SMB password: Passw0rd
    Retype new SMB password: Passw0rd
    Added user root.

    # smbpasswd -a demoUser
    New SMB password: Passw0rd
    Retype new SMB password: Passw0rd
    Added user demoUser.
- The passwords assigned in these steps are the ones used to authenticate against Samba and to log into the domain.
- Note: On the very first run of "smbpasswd", you might notice a message that passdb.tdb was converted from version 0.0. This appears when the file did not exist yet and is expected behaviour.
- Enable both accounts in the Samba database:
    # smbpasswd -e root
    Enabled user root.

    # smbpasswd -e demoUser
    Enabled user demoUser.
Machine account creation
Machine accounts are created similarly to user accounts, but have a $ (dollar sign) appended to their names. In the following, we assume "M1" as the name of the machine that should be joined to the domain.
- Create a local Unix user account:
    # useradd -M -s /sbin/nologin M1$
- Enable the machine account in the Samba database. Pay attention to the "-m" parameter, which indicates that the created account is a machine trust account:
    # smbpasswd -m -a M1$
    Added user M1$.
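The configuration and account steps above, collected into a small POSIX sh script that writes the guide's smb.conf and username.map into a directory of your choice, checks that the result carries the settings an NT4-style PDC needs before you start smbd and nmbd, and validates a machine name before building its "HOST$" account name. This is an added example and not part of the Samba wiki page; the function names (write_pdc_conf, conf_value, check_pdc_conf, machine_account_name, add_machine_account) and the script file name are assumptions, while the values (PDC, SAMDOM, tdbsam, the root = administrator mapping) are the guide's own.

```shell
#!/bin/sh
# Added example (not from the Samba wiki). Generates the guide's minimal NT4 PDC
# configuration and sanity-checks it. DIR is a parameter so the files can be
# produced in a scratch directory first and copied to the real config dir
# (/usr/local/samba/etc in the guide) afterwards.

# write_pdc_conf DIR [NETBIOS] [WORKGROUP] -- write DIR/smb.conf and DIR/username.map
write_pdc_conf() {
    dir=$1; nb=${2:-PDC}; wg=${3:-SAMDOM}
    mkdir -p "$dir"
    cat > "$dir/smb.conf" <<EOF
[global]
    netbios name = $nb
    workgroup = $wg
    security = User
    passdb backend = tdbsam
    username map = $dir/username.map
    domain logons = Yes
    # Uncomment only if Windows 10 clients must log on (this re-enables SMB1/NT1).
    #server max protocol = NT1
    log file = /var/log/samba/%m
    log level = 1
EOF
    # map the domain "administrator" to the local root account
    printf 'root = administrator\n' > "$dir/username.map"
}

# conf_value FILE KEY -- print the raw value of the first active KEY line
# (commented-out lines such as "#server max protocol = NT1" are ignored)
conf_value() {
    grep -i "^[[:space:]]*$2[[:space:]]*=" "$1" | head -n1 |
        sed 's/^[^=]*=[[:space:]]*//'
}

# lc -- lowercase stdin, so "User"/"Yes" compare case-insensitively like smbd does
lc() { tr 'A-Z' 'a-z'; }

# check_pdc_conf FILE -- return 0 if FILE has the settings an NT4-style PDC needs;
# report each problem on stderr and return 1 otherwise
check_pdc_conf() {
    f=$1; rc=0
    nb=$(conf_value "$f" 'netbios name')
    if [ -z "$nb" ] || [ ${#nb} -gt 15 ]; then
        echo "netbios name missing or longer than 15 characters" >&2; rc=1
    fi
    [ "$(conf_value "$f" 'security' | lc)" = user ] ||
        { echo "security must be User" >&2; rc=1; }
    [ "$(conf_value "$f" 'passdb backend' | lc)" = tdbsam ] ||
        { echo "passdb backend must be tdbsam" >&2; rc=1; }
    [ "$(conf_value "$f" 'domain logons' | lc)" = yes ] ||
        { echo "domain logons must be Yes" >&2; rc=1; }
    map=$(conf_value "$f" 'username map')
    # the map file must exist and map the domain administrator to root
    if [ -z "$map" ] || ! grep -q '^root *= *administrator' "$map" 2>/dev/null; then
        echo "username map missing or does not map administrator to root" >&2; rc=1
    fi
    # not an error, but worth knowing: NT1 means SMB1 is accepted on the PDC
    [ "$(conf_value "$f" 'server max protocol' | lc)" = nt1 ] &&
        echo "note: server max protocol = NT1 re-enables SMB1" >&2
    return $rc
}

# machine_account_name HOST -- print the Samba machine account name (HOST$)
# after checking HOST is a usable NetBIOS name (1-15 characters, no '$' or space)
machine_account_name() {
    h=$1
    case "$h" in
        ''|*'$'*|*' '*) echo "invalid machine name: '$h'" >&2; return 1 ;;
    esac
    [ ${#h} -le 15 ] || { echo "machine name longer than 15 characters: $h" >&2; return 1; }
    printf '%s$\n' "$h"
}

# add_machine_account HOST -- the guide's two commands for a machine trust
# account; needs root and an installed Samba, so the checks below never call it
add_machine_account() {
    acct=$(machine_account_name "$1") || return 1
    useradd -M -s /sbin/nologin "$acct" &&
    smbpasswd -m -a "$acct"
}

# Usage (assumed script name pdc-setup-check.sh):
#   . ./pdc-setup-check.sh
#   write_pdc_conf /tmp/pdc && check_pdc_conf /tmp/pdc/smb.conf && echo OK
#   add_machine_account M1        # as root, on the PDC
```

The checks mirror the guide's parameters: security = User, passdb backend = tdbsam and domain logons = Yes are what make smbd act as an NT4-style PDC, and the username map must exist for "administrator" to become root during the domain join. The NT1 note is informational only; uncommenting that line is the guide's Windows 10 workaround, and the script simply makes the SMB1 consequence visible.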
Windows client OS adjustments
Join the client to the domain
See: Required settings to join Windows 7 or later / Windows Server 2008 or later to a Samba NT4-style domain.
Use the "administrator" account to join the "SAMDOM" domain.
Further steps
See the user documentation page for further documentation, such as setting up home drives, implementing roaming profiles, setting up a print server, etc.