Setting up Samba as an NT4 PDC (Quick Start): Difference between revisions

From SambaWiki
m (Fix link)
(Moved "server max protocol" out of the config snippet into a separate and optional step. This way it's clearer and more obvious. Inside the config snippet, it was easy to overlook.)
(12 intermediate revisions by the same user not shown)
Line 1: Line 1:
= Introduction =
= Introduction =


Samba officially supports in the latest version acting as an NT4 primary domain controller (PDC).
In some environments it is still necessary to run a Samba NT4-style PDC. Consider this guide as a quickstart, to setup a minimum installation with one administrative (root) and one user account (demoUser). In this minimized configuration, machine accounts need to be created manually on the PDC as well. Both - user and machine accounts - are stored within the Samba internal "tdbsam" database. Of course it's possible to extend the setup with additional features, like OpenLDAP backend support, automatic machine account creation, etc. which is not part of this guide.


However, in case of new installations for a domain environment we recommend to set up Samba as an [[Active_Directory_Domain_Controller|Active Directory (AD) domain controller (DC)]], because Microsoft officially stopped the support of Windows NT4 at the end of 2004. Even if later published Windows versions can still join an NT4 domain, any future security or enhancement update can break or disable this deprecated feature. For example, Windows 7 and later already require modifications on the client side and Windows 10 additional on the PDC to operate in an NT4 domain. For details, see [[Required_Settings_for_Samba_NT4_Domains|Required Settings for Samba NT4 Domains]].
'''See the [[Host_information_used_in_documentation|host information used in documentation]] page for used paths, hostnames, etc.'''

The following documentation is a minimal quick start guide to set up Samba as an NT4 PDC. You have to create user and machine accounts manually on the PDC which are stored within the Samba internal <code>tdbsam</code> database. You can later enhance this setup with additional features, such as OpenLDAP back end support.




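Review bot: the new introduction sentence "Windows 7 and later already require modifications on the client side and Windows 10 additional on the PDC to operate in an NT4 domain" reads awkwardly; suggest "Windows 7 and later already require modifications on the client side, and Windows 10 additionally requires changes on the PDC". In the same paragraph "we recommend to set up Samba" should be "we recommend setting up Samba".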
Line 11: Line 13:
= Preconditions =
= Preconditions =


The documentation assumes that:
We assume the following actions are already finished on the future PDC:

* the operating system is installed.
* the network on the host is set up and working.
* a [[Samba_Release_Planning|supported]] Samba version is [[Installing_Samba|installed]].


* Operating system installed
* Network set up and working
* A [[Samba_Release_Planning|supported]] Samba version is [[Installing_Samba|installed]]








= Set up the Primary Domain Controller =


To set up the Primary Domain Controller (PDC):
= Configure smb.conf =


* Locate the smb.conf file of your installation
* To locate the path of the <code>smb.conf</code> file Samba uses, run:


# smbd -b | grep "CONFIGFILE"
# smbd -b | grep "CONFIGFILE"
CONFIGFILE: /usr/local/samba/etc/smb.conf
CONFIGFILE: /usr/local/samba/etc/smb.conf


* Use the following content in your <code>smb.conf</code> file:
* Open the smb.conf with your favorite text editor and replace its content with the following:


[global]
[global]
Line 39: Line 43:
domain logons = Yes
domain logons = Yes
# Uncomment the following line, if Windows 10 machines should be able
# to log on to your NT4-style domain. For further details, click [[Required_Settings_for_Samba_NT4_Domains#Windows_10:_There_are_currently_no_logon_servers_available_to_service_the_logon_request.|here]].
#server max protocol = NT1
log file = /var/log/samba/%m
log file = /var/log/samba/%m
log level = 1
log level = 1


: This is a minimum configuration, that sets up an NT4-style PDC with a local tdbsam database. Please see the smb.conf man page, to understand each parameters purpose and its configured value.
: This is a minimum configuration, to set up an NT4 PDC using a local <code>tdbsam</code> database. For details about the parameters, see the <code>smb.conf (5)</code> man page.

* Optionally, to enable Windows 10 and Windows Server 2016 and later to connect to this Samba server, additionally set the following in the <code>[global]</code> section in your <code>smb.conf</code> file:
server max protocol = NT1
: For details, see [[Required_Settings_for_Samba_NT4_Domains#Windows_10:_There_Are_Currently_No_Logon_Servers_Available_to_Service_the_Logon_Request|Required Settings for Samba NT4 Domains]].


* Create the file referred to in the "username map" parameter and fill it with the following content, to map the domain administrator to the local root account:
* Create the user name mapping file <code>/usr/local/samba/etc/username.map</code> with the following content:


root = administrator
root = administrator


: This maps the NT4 account <code>administrator</code> to the local <code>root</code> user.
* Start smbd and nmbd. This step is Operating System specific! Please consult your OS documentation for further details.


* Start the <code>smbd</code> and <code>nmbd</code> daemons.








= User creation =


= User Account Creation =
* Create a local Unix user account "demoUser". Omit the parameter "-M", if a home directory is required. It's not necessary to assign a valid shell to the account, if no shell access (e. g. via SSH) is required.

To create a <code>demoUser</code> user account in the NT4 domain:

* Create the account on the local system:


# useradd -M -s /sbin/nologin demoUser
# useradd -M -s /sbin/nologin demoUser


: Omit the <code>-M</code> parameter if the user requires a home directory on this host. For Samba access, the account does not require a valid shell.
* Enable the demoUser account

* To enable the <code>demoUser</code>x account on the local system:


# passwd demoUser
# passwd demoUser
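Review bot: the new line "* To enable the <code>demoUser</code>x account on the local system:" has a stray "x" after the closing <code> tag; it should read "<code>demoUser</code> account". Two smaller points in this hunk: the optional "server max protocol = NT1" step would benefit from a one-line caveat that NT1 is SMB1 and that the parameter caps the protocol for every client, not only Windows 10, so readers set it only when those clients must join; and the old "Start smbd and nmbd" item carried the hint that starting the daemons is OS-specific, which is worth keeping in the new "Start the <code>smbd</code> and <code>nmbd</code> daemons." item.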
Line 72: Line 82:
passwd: password updated successfully
passwd: password updated successfully


: This password is only for the local login and not to access the domain through Samba. Setting a local password is required - otherwise the account stays in a locked state and Samba denies the login. Having a password assigned to a Samba-only account is not a security problem, because no shell was assigned in the previous step. Due to that setting, shell logins are denied anyway.
: This password is only required for local log ins. Setting a local password is required to enable the account. Samba denies access if the account is disabled locally. Local log ins using this password are not possible if the account was created without a valid shell.


* Add the root and demoUser accounts to the Samba database
* Add the <code>root</code> and <code>demoUser</code> accounts to the Samba database:


# smbpasswd -a root
# smbpasswd -a root
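Review bot: the new note contradicts itself at first read: "This password is only required for local log ins." is immediately followed by "Setting a local password is required to enable the account." Suggest "Setting a local password is required to enable the account; Samba denies access if the account is disabled locally. Because the account has no valid shell, this password cannot be used for a local login." Also "log ins" should be "logins" in both places.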
Line 86: Line 96:
Added user demoUser.
Added user demoUser.


:The passwords assigned in this steps are the ones used to authenticate against Samba and to log into the domain.
: The passwords assigned in this step are the ones used by the users to log in to the domain.


* To enable both Samba accounts:
:''Note:'' On the very first run of "smbpasswd", you might notice a message, that passdb.tdb was converted from version 0.0. This appears when the file didn't exist and is an expected behaviour.

* Enable both accounts in the Samba database


# smbpasswd -e root
# smbpasswd -e root
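Review bot: the old ":''Note:'' On the very first run of "smbpasswd", you might notice a message, that passdb.tdb was converted from version 0.0." line is dropped in the new revision. The first-run conversion message is easy to mistake for an error, so consider keeping the note under the new "* To enable both Samba accounts:" item, reworded as "This appears when the file did not exist yet and is expected."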
Line 102: Line 110:




= Machine account creation =
= Machine Account creation =


To create a machine account for the domain member <code>M1</code>:
The machine accounts are created similar to user accounts, but have a $ (dollar sign) appended to their names. In the following, we assume "M1" as the the name of the machine, that should be joined to the domain.


{{Imbox
* Create a local Unix user account
| type = note
| text = Machine accounts use a trailing <code>$</code> sign.
}}

* Create the local Unix user account:


# useradd -M -s /sbin/nologin M1$
# useradd -M -s /sbin/nologin M1$


* Enable the machine account:
* Enable the machine account in the Samba database. Please pay attention to the "-m" parameter, that indicates that the created is a machine trust account!


# smbpasswd -m -a M1$
# smbpasswd -m -a M1$
Added user M1$.
Added user M1$.


: The <code>-m</code> parameter indicates that the account is a machine trust account.






= Windows client OS adjustments =

See: [[Required_settings_for_NT4-style_domains#Joining_Windows_7_or_later_.2F_Windows_Server_2008_or_later_to_a_Samba_NT4-style_domain|Required settings to join Windows 7 or later / Windows Server 2008 or later to a Samba NT4-style domain]].






= Windows Client Operating Modifications =


Modern Windows client operating systems require some modifies to operate in an NT4 domain. For details, see [[Required_Settings_for_Samba_NT4_Domains|Required Settings for Samba NT4 Domains]].


= Join the client to the domain =


See:


* [[Joining_a_Windows_host_to_a_domain|Windows]]
* [[Joining_a_Linux/Unix_host_to_a_domain|Linux/Unix]]
* [[Joining_a_MacOSX_client_to_a_domain|MacOSX]]


Use the "administrator" account to join the "SAMDOM" domain.


= Joining a Client to the Domain =


For details, see:
* [[Joining_a_Windows_Client_or_Server_to_a_Domain|Joining a Windows Client or Server to a Domain]]
* [[Setting_up_Samba_as_a_Domain_Member|Setting up Samba as a Domain Member]]
* [[Joining_a_MacOSX_client_to_a_domain|Joining a MacOSX Client to a Domain]]






= Further steps =


----
See the [[User_Documentation|user documentation]] page for further documentation, like setting up [[User_home_drives|home drives]], [[Implementing_roaming_profiles|implementing roaming profiles]], [[Setup_a_Samba_print_server|setting up a print server]], etc.
[[Category:Domain Control]]
[[Category:NT4 Domains]]
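Review bot: the new heading "= Windows Client Operating Modifications =" is missing the word "System", and "require some modifies" in the paragraph below it should be "require some modifications". "= Machine Account creation =" should be capitalised like the other new headings ("Machine Account Creation"). The old sentence "Use the "administrator" account to join the "SAMDOM" domain." is the only place the page says which account to use for the join; consider carrying it over into the new "= Joining a Client to the Domain =" section.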

Revision as of 13:31, 6 September 2017

Introduction

Samba officially supports in the latest version acting as an NT4 primary domain controller (PDC).

However, in case of new installations for a domain environment we recommend to set up Samba as an Active Directory (AD) domain controller (DC), because Microsoft officially stopped the support of Windows NT4 at the end of 2004. Even if later published Windows versions can still join an NT4 domain, any future security or enhancement update can break or disable this deprecated feature. For example, Windows 7 and later already require modifications on the client side and Windows 10 additional on the PDC to operate in an NT4 domain. For details, see Required Settings for Samba NT4 Domains.

The following documentation is a minimal quick start guide to set up Samba as an NT4 PDC. You have to create user and machine accounts manually on the PDC which are stored within the Samba internal tdbsam database. You can later enhance this setup with additional features, such as OpenLDAP back end support.



Preconditions

The documentation assumes that:

  • the operating system is installed.
  • the network on the host is set up and working.
  • a supported Samba version is installed.



Set up the Primary Domain Controller

To set up the Primary Domain Controller (PDC):

  • To locate the path of the smb.conf file Samba uses, run:
# smbd -b | grep "CONFIGFILE"
CONFIGFILE: /usr/local/samba/etc/smb.conf
  • Use the following content in your smb.conf file:
[global]
        netbios name = PDC
        workgroup = SAMDOM
        security = User

        passdb backend = tdbsam
        username map = /usr/local/samba/etc/username.map

        domain logons = Yes

        log file = /var/log/samba/%m
        log level = 1
This is a minimal configuration that sets up an NT4 PDC using a local tdbsam database. For details about each parameter, see the smb.conf (5) man page.
  • Optionally, to enable Windows 10 and Windows Server 2016 and later clients to connect to this Samba server, additionally set the following in the [global] section of your smb.conf file:
server max protocol = NT1
For details, see Required Settings for Samba NT4 Domains. Note that this setting limits the server to the SMB1 (NT1) protocol for every client, not only for Windows 10, so set it only if such clients have to join the domain.
  • Create the username map file /usr/local/samba/etc/username.map, referenced by the username map parameter, with the following content:
root = administrator
This maps the NT4 account administrator to the local root user.
  • Start the smbd and nmbd daemons.
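As an added example (not code from the Samba project or this wiki), the following Python check parses an smb.conf and the username map file and reports whether they match the settings this guide sets; parse_smbconf, check_pdc_config and the sample inputs are constructed here, and the NT1 warning covers the optional Windows 10 step.

```python
import re

def norm(key):
    # Samba parameter names are case-insensitive and ignore whitespace.
    return re.sub(r"\s+", "", key).lower()

def parse_smbconf(text):
    # Returns {section: {normalized parameter: value}}; comments start with # or ;.
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            conf.setdefault(section, {})
        elif "=" in line and section is not None:
            key, value = line.split("=", 1)
            conf[section][norm(key)] = value.strip()
    return conf

# [global] values this quick start sets for an NT4 PDC with a local tdbsam database.
REQUIRED = {"security": "user", "passdb backend": "tdbsam", "domain logons": "yes"}

def check_pdc_config(conf_text, username_map_text):
    # Returns (errors, warnings) for the [global] section and the username map file.
    errors, warnings = [], []
    g = parse_smbconf(conf_text).get("global", {})
    for key, want in REQUIRED.items():
        got = g.get(norm(key), "")
        if got.lower() != want:
            errors.append(f"{key} should be '{want}', found '{got or '<unset>'}'")
    if g.get(norm("server max protocol"), "").upper() == "NT1":
        # NT1 is SMB1: the optional Windows 10 step caps the whole server at SMB1.
        warnings.append("server max protocol = NT1 limits all clients to SMB1")
    if norm("username map") not in g:
        errors.append("username map is not set")
    else:
        # Each map line is '<unix user> = <NT name> [<NT name> ...]'.
        mapped = any(line.split("=", 1)[0].strip() == "root"
                     and "administrator" in line.split("=", 1)[1].lower().split()
                     for line in username_map_text.splitlines() if "=" in line)
        if not mapped:
            errors.append("username map does not map administrator to root")
    return errors, warnings

# Constructed sample input: the guide's [global] settings with the optional NT1 line.
SAMPLE_CONF = "\n".join(["[global]", "security = User", "passdb backend = tdbsam",
                         "username map = /usr/local/samba/etc/username.map",
                         "domain logons = Yes", "server max protocol = NT1"])
SAMPLE_MAP = "root = administrator\n"
```

Run it against the real files with `check_pdc_config(open(path).read(), open(map_path).read())` after locating smb.conf as shown above.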



User Account Creation

To create a demoUser user account in the NT4 domain:

  • Create the account on the local system:
# useradd -M -s /sbin/nologin demoUser
Omit the -M parameter if the user requires a home directory on this host. For Samba access, the account does not require a valid shell.
  • To enable the demoUser account on the local system:
# passwd demoUser
Enter new UNIX password: Passw0rd
Retype new UNIX password: Passw0rd
passwd: password updated successfully
This password is only required for local logins. Setting a local password is required to enable the account: Samba denies access if the account is disabled locally. Because the account was created without a valid shell, local logins using this password are not possible.
  • Add the root and demoUser accounts to the Samba database:
# smbpasswd -a root
New SMB password: Passw0rd
Retype new SMB password: Passw0rd
Added user root.
# smbpasswd -a demoUser
New SMB password: Passw0rd
Retype new SMB password: Passw0rd
Added user demoUser.
The passwords assigned in this step are the ones used by the users to log in to the domain.
  • To enable both Samba accounts:
# smbpasswd -e root
Enabled user root.
# smbpasswd -e demoUser
Enabled user demoUser.



Machine Account Creation

To create a machine account for the domain member M1:

  • Create the local Unix user account:
# useradd -M -s /sbin/nologin M1$
  • Enable the machine account:
# smbpasswd -m -a M1$
Added user M1$.
The -m parameter indicates that the account is a machine trust account.



Windows Client Operating System Modifications

Modern Windows client operating systems require some modifications to operate in an NT4 domain. For details, see Required Settings for Samba NT4 Domains.



Joining a Client to the Domain

For details, see: