Setting up Samba as an NT4 PDC (Quick Start): Difference between revisions
Mmuehlfeld (talk | contribs) m (Fix link) |
Mmuehlfeld (talk | contribs) (Moved "server max protocol" out of the config snippet into a separate and optional step. This way it's clearer and more obvious. Inside the config snippet, it was easy to overlook.) |
||
(12 intermediate revisions by the same user not shown) | |||
Line 1: | Line 1: | ||
= Introduction = |
= Introduction = |
||
Samba officially supports in the latest version acting as an NT4 primary domain controller (PDC). |
|||
In some environments it is still necessary to run a Samba NT4-style PDC. Consider this guide as a quickstart, to setup a minimum installation with one administrative (root) and one user account (demoUser). In this minimized configuration, machine accounts need to be created manually on the PDC as well. Both - user and machine accounts - are stored within the Samba internal "tdbsam" database. Of course it's possible to extend the setup with additional features, like OpenLDAP backend support, automatic machine account creation, etc. which is not part of this guide. |
|||
However, in case of new installations for a domain environment we recommend to set up Samba as an [[Active_Directory_Domain_Controller|Active Directory (AD) domain controller (DC)]], because Microsoft officially stopped the support of Windows NT4 at the end of 2004. Even if later published Windows versions can still join an NT4 domain, any future security or enhancement update can break or disable this deprecated feature. For example, Windows 7 and later already require modifications on the client side and Windows 10 additional on the PDC to operate in an NT4 domain. For details, see [[Required_Settings_for_Samba_NT4_Domains|Required Settings for Samba NT4 Domains]]. |
|||
'''See the [[Host_information_used_in_documentation|host information used in documentation]] page for used paths, hostnames, etc.''' |
|||
The following documentation is a minimal quick start guide to set up Samba as an NT4 PDC. You have to create user and machine accounts manually on the PDC which are stored within the Samba internal <code>tdbsam</code> database. You can later enhance this setup with additional features, such as OpenLDAP back end support. |
|||
Line 11: | Line 13: | ||
= Preconditions = |
= Preconditions = |
||
The documentation assumes that: |
|||
We assume the following actions are already finished on the future PDC: |
|||
⚫ | |||
⚫ | |||
⚫ | |||
⚫ | |||
⚫ | |||
⚫ | |||
= Set up the Primary Domain Controller = |
|||
To set up the Primary Domain Controller (PDC): |
|||
= Configure smb.conf = |
|||
* |
* To locate the path of the <code>smb.conf</code> file Samba uses, run: |
||
# smbd -b | grep "CONFIGFILE" |
# smbd -b | grep "CONFIGFILE" |
||
CONFIGFILE: /usr/local/samba/etc/smb.conf |
CONFIGFILE: /usr/local/samba/etc/smb.conf |
||
* Use the following content in your <code>smb.conf</code> file: |
|||
* Open the smb.conf with your favorite text editor and replace its content with the following: |
|||
[global] |
[global] |
||
Line 39: | Line 43: | ||
domain logons = Yes |
domain logons = Yes |
||
# Uncomment the following line, if Windows 10 machines should be able |
|||
# to log on to your NT4-style domain. For further details, click [[Required_Settings_for_Samba_NT4_Domains#Windows_10:_There_are_currently_no_logon_servers_available_to_service_the_logon_request.|here]]. |
|||
⚫ | |||
log file = /var/log/samba/%m |
log file = /var/log/samba/%m |
||
log level = 1 |
log level = 1 |
||
: This is a minimum configuration, |
: This is a minimum configuration, to set up an NT4 PDC using a local <code>tdbsam</code> database. For details about the parameters, see the <code>smb.conf (5)</code> man page. |
||
* Optionally, to enable Windows 10 and Windows Server 2016 and later to connect to this Samba server, additionally set the following in the <code>[global]</code> section in your <code>smb.conf</code> file: |
|||
⚫ | |||
: For details, see [[Required_Settings_for_Samba_NT4_Domains#Windows_10:_There_Are_Currently_No_Logon_Servers_Available_to_Service_the_Logon_Request|Required Settings for Samba NT4 Domains]]. |
|||
* Create the |
* Create the user name mapping file <code>/usr/local/samba/etc/username.map</code> with the following content: |
||
root = administrator |
root = administrator |
||
: This maps the NT4 account <code>administrator</code> to the local <code>root</code> user. |
|||
* Start smbd and nmbd. This step is Operating System specific! Please consult your OS documentation for further details. |
|||
* Start the <code>smbd</code> and <code>nmbd</code> daemons. |
|||
= User creation = |
|||
= User Account Creation = |
|||
* Create a local Unix user account "demoUser". Omit the parameter "-M", if a home directory is required. It's not necessary to assign a valid shell to the account, if no shell access (e. g. via SSH) is required. |
|||
To create a <code>demoUser</code> user account in the NT4 domain: |
|||
* Create the account on the local system: |
|||
# useradd -M -s /sbin/nologin demoUser |
# useradd -M -s /sbin/nologin demoUser |
||
: Omit the <code>-M</code> parameter if the user requires a home directory on this host. For Samba access, the account does not require a valid shell. |
|||
⚫ | |||
* To enable the <code>demoUser</code>x account on the local system: |
|||
# passwd demoUser |
# passwd demoUser |
||
Line 72: | Line 82: | ||
passwd: password updated successfully |
passwd: password updated successfully |
||
: This password is only for |
: This password is only required for local log ins. Setting a local password is required to enable the account. Samba denies access if the account is disabled locally. Local log ins using this password are not possible if the account was created without a valid shell. |
||
* Add the root and demoUser accounts to the Samba database |
* Add the <code>root</code> and <code>demoUser</code> accounts to the Samba database: |
||
# smbpasswd -a root |
# smbpasswd -a root |
||
Line 86: | Line 96: | ||
Added user demoUser. |
Added user demoUser. |
||
:The passwords assigned in this |
: The passwords assigned in this step are the ones used by the users to log in to the domain. |
||
* To enable both Samba accounts: |
|||
:''Note:'' On the very first run of "smbpasswd", you might notice a message, that passdb.tdb was converted from version 0.0. This appears when the file didn't exist and is an expected behaviour. |
|||
* Enable both accounts in the Samba database |
|||
# smbpasswd -e root |
# smbpasswd -e root |
||
Line 102: | Line 110: | ||
= Machine |
= Machine Account creation = |
||
To create a machine account for the domain member <code>M1</code>: |
|||
The machine accounts are created similar to user accounts, but have a $ (dollar sign) appended to their names. In the following, we assume "M1" as the the name of the machine, that should be joined to the domain. |
|||
{{Imbox |
|||
⚫ | |||
| type = note |
|||
| text = Machine accounts use a trailing <code>$</code> sign. |
|||
}} |
|||
⚫ | |||
# useradd -M -s /sbin/nologin M1$ |
# useradd -M -s /sbin/nologin M1$ |
||
⚫ | |||
* Enable the machine account in the Samba database. Please pay attention to the "-m" parameter, that indicates that the created is a machine trust account! |
|||
# smbpasswd -m -a M1$ |
# smbpasswd -m -a M1$ |
||
Added user M1$. |
Added user M1$. |
||
: The <code>-m</code> parameter indicates that the account is a machine trust account. |
|||
= Windows client OS adjustments = |
|||
See: [[Required_settings_for_NT4-style_domains#Joining_Windows_7_or_later_.2F_Windows_Server_2008_or_later_to_a_Samba_NT4-style_domain|Required settings to join Windows 7 or later / Windows Server 2008 or later to a Samba NT4-style domain]]. |
|||
= Windows Client Operating Modifications = |
|||
Modern Windows client operating systems require some modifies to operate in an NT4 domain. For details, see [[Required_Settings_for_Samba_NT4_Domains|Required Settings for Samba NT4 Domains]]. |
|||
= Join the client to the domain = |
|||
See: |
|||
* [[Joining_a_Windows_host_to_a_domain|Windows]] |
|||
* [[Joining_a_Linux/Unix_host_to_a_domain|Linux/Unix]] |
|||
⚫ | |||
Use the "administrator" account to join the "SAMDOM" domain. |
|||
= Joining a Client to the Domain = |
|||
For details, see: |
|||
* [[Joining_a_Windows_Client_or_Server_to_a_Domain|Joining a Windows Client or Server to a Domain]] |
|||
* [[Setting_up_Samba_as_a_Domain_Member|Setting up Samba as a Domain Member]] |
|||
⚫ | |||
= Further steps = |
|||
---- |
|||
See the [[User_Documentation|user documentation]] page for further documentation, like setting up [[User_home_drives|home drives]], [[Implementing_roaming_profiles|implementing roaming profiles]], [[Setup_a_Samba_print_server|setting up a print server]], etc. |
|||
[[Category:Domain Control]] |
|||
[[Category:NT4 Domains]] |
Revision as of 13:31, 6 September 2017
Introduction
Samba officially supports in the latest version acting as an NT4 primary domain controller (PDC).
However, in case of new installations for a domain environment we recommend to set up Samba as an Active Directory (AD) domain controller (DC), because Microsoft officially stopped the support of Windows NT4 at the end of 2004. Even if later published Windows versions can still join an NT4 domain, any future security or enhancement update can break or disable this deprecated feature. For example, Windows 7 and later already require modifications on the client side and Windows 10 additional on the PDC to operate in an NT4 domain. For details, see Required Settings for Samba NT4 Domains.
The following documentation is a minimal quick start guide to set up Samba as an NT4 PDC. You have to create user and machine accounts manually on the PDC which are stored within the Samba internal tdbsam
database. You can later enhance this setup with additional features, such as OpenLDAP back end support.
Preconditions
The documentation assumes that:
- the operating system is installed.
- the network on the host is set up and working.
- a supported Samba version is installed.
Set up the Primary Domain Controller
To set up the Primary Domain Controller (PDC):
- To locate the path of the
smb.conf
file Samba uses, run:
# smbd -b | grep "CONFIGFILE" CONFIGFILE: /usr/local/samba/etc/smb.conf
- Use the following content in your
smb.conf
file:
[global] netbios name = PDC workgroup = SAMDOM security = User passdb backend = tdbsam username map = /usr/local/samba/etc/username.map domain logons = Yes log file = /var/log/samba/%m log level = 1
- This is a minimum configuration, to set up an NT4 PDC using a local
tdbsam
database. For details about the parameters, see thesmb.conf (5)
man page.
- Optionally, to enable Windows 10 and Windows Server 2016 and later to connect to this Samba server, additionally set the following in the
[global]
section in yoursmb.conf
file:
server max protocol = NT1
- For details, see Required Settings for Samba NT4 Domains.
- Create the user name mapping file
/usr/local/samba/etc/username.map
with the following content:
root = administrator
- This maps the NT4 account
administrator
to the localroot
user.
- Start the
smbd
andnmbd
daemons.
User Account Creation
To create a demoUser
user account in the NT4 domain:
- Create the account on the local system:
# useradd -M -s /sbin/nologin demoUser
- Omit the
-M
parameter if the user requires a home directory on this host. For Samba access, the account does not require a valid shell.
- To enable the
demoUser
x account on the local system:
# passwd demoUser Enter new UNIX password: Passw0rd Retype new UNIX password: Passw0rd passwd: password updated successfully
- This password is only required for local log ins. Setting a local password is required to enable the account. Samba denies access if the account is disabled locally. Local log ins using this password are not possible if the account was created without a valid shell.
- Add the
root
anddemoUser
accounts to the Samba database:
# smbpasswd -a root New SMB password: Passw0rd Retype new SMB password: Passw0rd Added user demoUser.
# smbpasswd -a demoUser New SMB password: Passw0rd Retype new SMB password: Passw0rd Added user demoUser.
- The passwords assigned in this step are the ones used by the users to log in to the domain.
- To enable both Samba accounts:
# smbpasswd -e root Enabled user root.
# smbpasswd -e demoUser Enabled user demoUser.
Machine Account creation
To create a machine account for the domain member M1
:
Machine accounts use a trailing $ sign. |
- Create the local Unix user account:
# useradd -M -s /sbin/nologin M1$
- Enable the machine account:
# smbpasswd -m -a M1$ Added user M1$.
- The
-m
parameter indicates that the account is a machine trust account.
Windows Client Operating Modifications
Modern Windows client operating systems require some modifies to operate in an NT4 domain. For details, see Required Settings for Samba NT4 Domains.
Joining a Client to the Domain
For details, see:
- Joining a Windows Client or Server to a Domain
- Setting up Samba as a Domain Member
- Joining a MacOSX Client to a Domain