Setting up Samba as an NT4 PDC (Quick Start)

From SambaWiki
Revision as of 16:46, 30 August 2016

Introduction

In some environments it is still necessary to run a Samba NT4-style PDC. Consider this guide a quick start that sets up a minimal installation with one administrative account (root, mapped to the domain "administrator") and one user account (demoUser). In this minimal configuration, machine accounts must also be created manually on the PDC. User and machine accounts are both stored in Samba's internal "tdbsam" database. The setup can of course be extended with additional features, such as an OpenLDAP backend or automatic machine account creation, but that is outside the scope of this guide.

See the host information used in documentation page for the paths, host names, etc. used in this guide.



Preconditions

We assume the following actions are already finished on the future PDC:

  • Operating system installed
  • Network set up and working
  • A supported Samba version is installed



Configure smb.conf

  • Locate the smb.conf file of your installation
# smbd -b | grep "CONFIGFILE"
   CONFIGFILE: /usr/local/samba/etc/smb.conf
  • Open the smb.conf with your favorite text editor and replace its content with the following:
[global]
        netbios name = PDC
        workgroup = SAMDOM
        security = User

        passdb backend = tdbsam
        username map = /usr/local/samba/etc/username.map

        domain logons = Yes

        # Uncomment the following line if Windows 10 machines should be able
        # to log on to your NT4-style domain. Be aware that it caps every client
        # at SMB1 (NT1), the legacy dialect current Windows releases disable by default.
        #server max protocol = NT1

        log file = /var/log/samba/%m
        log level = 1
This is a minimum configuration that sets up an NT4-style PDC with a local tdbsam database. See the smb.conf man page to understand each parameter's purpose and the value configured here. Bear in mind that an NT4-style domain authenticates with NTLM only; there is no Kerberos.
  • Create the file referred to in the "username map" parameter with the following content, which maps the domain "administrator" to the local root account (Unix name on the left, Windows name on the right):
root = administrator
  • Start smbd and nmbd. This step is operating system specific; consult your OS documentation for details.



User creation

  • Create a local Unix user account "demoUser". Omit the "-M" parameter if a home directory is required. Assigning a valid shell is unnecessary unless shell access (e.g. via SSH) is required.
# useradd -M -s /sbin/nologin demoUser
  • Enable the demoUser account
# passwd demoUser
Enter new UNIX password: Passw0rd
Retype new UNIX password: Passw0rd
passwd: password updated successfully
This password is only for local logins, not for accessing the domain through Samba. Setting a local password is nevertheless required: otherwise the account stays locked and Samba denies the login. Because no shell was assigned in the previous step, interactive logins are denied regardless of this password. Other PAM-based services on the host could still accept it, though, so use a unique, strong value rather than the placeholder shown here.
  • Add the root and demoUser accounts to the Samba database
# smbpasswd -a root
New SMB password: Passw0rd
Retype new SMB password: Passw0rd
Added user root.
# smbpasswd -a demoUser
New SMB password: Passw0rd
Retype new SMB password: Passw0rd
Added user demoUser.
The passwords assigned in these steps are the ones used to authenticate against Samba and to log into the domain.
Note: On the very first run of "smbpasswd", you might notice a message that passdb.tdb was converted from version 0.0. This appears when the file did not exist yet and is expected behaviour.
  • Enable both accounts in the Samba database
# smbpasswd -e root
Enabled user root.
# smbpasswd -e demoUser
Enabled user demoUser.



Machine account creation

Machine accounts are created similarly to user accounts, but have a $ (dollar sign) appended to their names. In the following, we assume "M1" is the name of the machine to be joined to the domain.

  • Create a local Unix user account
# useradd -M -s /sbin/nologin M1$
  • Add the machine account to the Samba database. Note the "-m" parameter, which indicates that the account being created is a machine trust account; smbpasswd sets its initial password itself and does not prompt for one.
# smbpasswd -m -a M1$
Added user M1$.
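The smb.conf, user-account and machine-account steps above, collected into one script as an added example. This is not code from the Samba wiki or the Samba project: the values (PDC, SAMDOM, tdbsam, the username map, demoUser, M1) match the guide, while the Samba prefix /usr/local/samba, the use of chpasswd for a non-interactive Unix password, and all function names are assumptions of my own. It goes slightly beyond the guide by keeping the SMB1 (NT1) downgrade opt-in, by offering a check for it, and by rejecting machine names longer than the 15-character NetBIOS limit.

```shell
#!/bin/sh
# Added example, not the guide's own script. Assumptions: Samba prefix
# /usr/local/samba, chpasswd available, and the helper names below.
set -u

SAMBA_PREFIX="${SAMBA_PREFIX:-/usr/local/samba}"
SMB_CONF="${SMB_CONF:-$SAMBA_PREFIX/etc/smb.conf}"
USERNAME_MAP="${USERNAME_MAP:-$SAMBA_PREFIX/etc/username.map}"

# Write the guide's minimal smb.conf to $1. Pass "nt1" as $2 only when Windows
# 10 clients must log on: it caps every client at SMB1 (NT1), so the line stays
# commented out unless explicitly requested.
write_smb_conf() {
    conf="$1"; allow_nt1="${2:-}"
    if [ "$allow_nt1" = "nt1" ]; then
        proto="        server max protocol = NT1"
    else
        proto="        #server max protocol = NT1"
    fi
    cat > "$conf" <<EOF
[global]
        netbios name = PDC
        workgroup = SAMDOM
        security = User

        passdb backend = tdbsam
        username map = $USERNAME_MAP

        domain logons = Yes

$proto

        log file = /var/log/samba/%m
        log level = 1
EOF
}

# Map the domain "administrator" to local root (Unix name left, Windows name
# right, as the "username map" file expects).
write_username_map() {
    printf 'root = administrator\n' > "$1"
}

# Return 0 if $1 has an active (uncommented) "server max protocol = NT1" line,
# i.e. the SMB1 downgrade is in force. Purely textual; "testparm -s" gives
# smbd's authoritative reading of the file.
smb1_enabled() {
    grep -Eiq '^[[:space:]]*server[[:space:]]+max[[:space:]]+protocol[[:space:]]*=[[:space:]]*NT1[[:space:]]*$' "$1"
}

# Turn a machine name into its trust-account name: exactly one trailing "$".
# NetBIOS names are at most 15 characters; longer names are rejected (return 1)
# instead of being truncated on the client at join time.
machine_account_name() {
    name="${1%\$}"
    [ -n "$name" ] && [ "${#name}" -le 15 ] || return 1
    printf '%s$\n' "$name"
}

# Scripted equivalent of the guide's "passwd demoUser" step: a random
# throw-away Unix password only takes the account out of its locked state.
# Domain logons use the SMB password set with smbpasswd, never this one.
unlock_unix_account() {
    rand=$(head -c 24 /dev/urandom | base64 | tr -d '\n')
    printf '%s:%s\n' "$1" "$rand" | chpasswd
}

# Create (if missing) and unlock the Unix account, then add and enable the
# Samba entry. smbpasswd prompts for the SMB password, the domain logon password.
add_domain_user() {
    user="$1"
    if ! getent passwd "$user" >/dev/null; then
        useradd -M -s /sbin/nologin "$user"
        unlock_unix_account "$user"
    fi
    smbpasswd -a "$user"
    smbpasswd -e "$user"
}

# Create the Unix account for a machine trust account and add it with -m;
# smbpasswd sets the initial machine password itself, so there is no prompt.
add_machine_account() {
    acct=$(machine_account_name "$1") || { echo "invalid machine name: $1" >&2; return 1; }
    getent passwd "$acct" >/dev/null || useradd -M -s /sbin/nologin "$acct"
    smbpasswd -a -m "$acct"
}

# Provision only when run explicitly as root on the PDC; otherwise the file
# just defines the functions (e.g. for checking an existing smb.conf).
if [ "${1:-}" = "--provision" ]; then
    [ "$(id -u)" -eq 0 ] || { echo "run as root on the PDC" >&2; exit 1; }
    write_smb_conf "$SMB_CONF" "${2:-}"
    write_username_map "$USERNAME_MAP"
    add_domain_user root       # root already exists: only the Samba entry is added
    add_domain_user demoUser
    add_machine_account M1
    echo "Now start smbd and nmbd (OS specific)."
fi
```

Run it as root on the PDC with `./pdc.sh --provision` (append `nt1` as a second argument only if Windows 10 clients need to log on); smbpasswd still prompts interactively for the SMB passwords of root and demoUser. Without `--provision` the file only defines the functions, so it can be sourced and `smb1_enabled /usr/local/samba/etc/smb.conf` used to confirm that the SMB1 downgrade is not silently left enabled after the Windows 10 clients are gone.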



Windows client OS adjustments

See: Required settings to join Windows 7 or later / Windows Server 2008 or later to a Samba NT4-style domain.



Join the client to the domain

See:

  • Windows
  • Linux/Unix
  • MacOSX

Use the "administrator" account to join the "SAMDOM" domain. The username map resolves it to the local root account, so the password to enter is the SMB password set for root with smbpasswd above.



Further steps

See the user documentation page for further documentation, such as setting up home drives, implementing roaming profiles, setting up a print server, etc.