Setting up Samba as an NT4 PDC (Quick Start): Difference between revisions
Mmuehlfeld (talk | contribs) m (Fixed typos, added markups) |
Mmuehlfeld (talk | contribs) (Moved "server max protocol" out of the config snippet into a separate and optional step. This way it's clearer and more obvious. Inside the config snippet, it was easy to overlook.) |
||
(5 intermediate revisions by the same user not shown) | |||
Line 43: | Line 43: | ||
domain logons = Yes |
domain logons = Yes |
||
# For Windows 10 client support, uncomment the following line: |
|||
⚫ | |||
⚫ | |||
log file = /var/log/samba/%m |
log file = /var/log/samba/%m |
||
Line 52: | Line 48: | ||
: This is a minimum configuration, to set up an NT4 PDC using a local <code>tdbsam</code> database. For details about the parameters, see the <code>smb.conf (5)</code> man page. |
: This is a minimum configuration, to set up an NT4 PDC using a local <code>tdbsam</code> database. For details about the parameters, see the <code>smb.conf (5)</code> man page. |
||
* Optionally, to enable Windows 10 and Windows Server 2016 and later to connect to this Samba server, additionally set the following in the <code>[global]</code> section in your <code>smb.conf</code> file: |
|||
⚫ | |||
⚫ | |||
* Create the user name mapping file <code>/usr/local/samba/etc/username.map</code> with the following content: |
* Create the user name mapping file <code>/usr/local/samba/etc/username.map</code> with the following content: |
||
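Review bot: the new optional bullet in the "Line 48" hunk presents the moved "server max protocol" setting only as a way "to enable Windows 10 and Windows Server 2016 and later to connect", which omits that a parameter in the [global] section caps the highest SMB protocol version the server offers to every client, not just the Windows 10 ones. Suggest adding one sentence to the step that states this effect, so that moving the line out of the snippet makes the trade-off as visible as the option itself.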
Line 146: | Line 146: | ||
For details, see: |
For details, see: |
||
* [[Joining_a_Windows_Client_or_Server_to_a_Domain|Joining a Windows Client or Server to a Domain]] |
* [[Joining_a_Windows_Client_or_Server_to_a_Domain|Joining a Windows Client or Server to a Domain]] |
||
* [[Setting_up_Samba_as_a_Domain_Member|Setting up Samba as a Domain Member]] |
|||
* [[Joining_a_Linux_or_Unix_Host_to_a_Domain|Joining a Linux or Unix Host to a Domain]] |
|||
* [[Joining_a_MacOSX_client_to_a_domain|Joining a MacOSX Client to a Domain]] |
* [[Joining_a_MacOSX_client_to_a_domain|Joining a MacOSX Client to a Domain]] |
||
---- |
|||
[[Category:Domain Control]] |
|||
[[Category:NT4 Domains]] |
Revision as of 13:31, 6 September 2017
Introduction
The latest version of Samba officially supports acting as an NT4 primary domain controller (PDC).
However, for new installations in a domain environment, we recommend setting up Samba as an Active Directory (AD) domain controller (DC), because Microsoft officially ended support for Windows NT4 at the end of 2004. Even though later Windows versions can still join an NT4 domain, any future security or enhancement update can break or disable this deprecated feature. For example, Windows 7 and later already require modifications on the client side, and Windows 10 additionally requires modifications on the PDC, to operate in an NT4 domain. For details, see Required Settings for Samba NT4 Domains.
The following documentation is a minimal quick start guide to set up Samba as an NT4 PDC. You have to manually create user and machine accounts on the PDC; they are stored in the Samba-internal tdbsam database. You can later enhance this setup with additional features, such as OpenLDAP back end support.
Preconditions
The documentation assumes that:
- the operating system is installed.
- the network on the host is set up and working.
- a supported Samba version is installed.
Set up the Primary Domain Controller
To set up the Primary Domain Controller (PDC):
- To locate the path of the smb.conf file Samba uses, run:
# smbd -b | grep "CONFIGFILE"
   CONFIGFILE: /usr/local/samba/etc/smb.conf
- Use the following content in your smb.conf file:
[global]
    netbios name = PDC
    workgroup = SAMDOM
    security = User
    passdb backend = tdbsam
    username map = /usr/local/samba/etc/username.map
    domain logons = Yes
    log file = /var/log/samba/%m
    log level = 1
- This is a minimum configuration, to set up an NT4 PDC using a local tdbsam database. For details about the parameters, see the smb.conf (5) man page.
- Optionally, to enable Windows 10 and Windows Server 2016 and later to connect to this Samba server, additionally set the following in the [global] section in your smb.conf file:
server max protocol = NT1
- For details, see Required Settings for Samba NT4 Domains.
- Create the user name mapping file /usr/local/samba/etc/username.map with the following content:
root = administrator
- This maps the NT4 account administrator to the local root user.
- Start the smbd and nmbd daemons.
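A way to check a finished smb.conf against the steps above, as an added example that is not part of the original guide or of Samba: it parses the [global] section the way smb.conf treats parameter names (case and inner whitespace ignored) and reports any deviation from the values this guide sets, plus whether the optional `server max protocol = NT1` step is in effect. The function names and the sample text are assumptions made for the illustration.

```python
import re
# Values the quick start's [global] section sets for the NT4 PDC role.
REQUIRED = {"security": "user", "passdb backend": "tdbsam", "domain logons": "yes"}
TRUE_WORDS = {"yes", "true", "1"}  # boolean spellings documented in smb.conf(5)

def norm(name):
    """smb.conf ignores case and whitespace inside parameter names."""
    return re.sub(r"\s+", "", name).lower()

def parse_global(text):
    """Return the [global] parameters as {normalized name: value}; a trailing
    backslash continues a parameter on the next line."""
    params, section = {}, None
    for raw in re.sub(r"\\\n", "", text).splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue  # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "global" and "=" in line:
            key, value = line.split("=", 1)
            params[norm(key)] = value.strip()
    return params

def audit(text):
    """List deviations from the guide's settings and flag an SMB1 protocol cap."""
    params, findings = parse_global(text), []
    for key, want in REQUIRED.items():
        got = params.get(norm(key))
        if got is None:
            findings.append(f"not set: {key} (guide uses {want})")
        elif got.lower() != want and not (want == "yes" and got.lower() in TRUE_WORDS):
            findings.append(f"unexpected: {key} = {got} (guide uses {want})")
    if params.get(norm("server max protocol"), "").upper() == "NT1":
        findings.append("server max protocol = NT1: server is limited to SMB1")
    return findings

# Constructed sample: the guide's configuration with the optional step applied.
SAMPLE = """\
[global]
    netbios name = PDC
    workgroup = SAMDOM
    Security = User
    passdb backend = tdbsam
    username map = /usr/local/samba/etc/username.map
    domain logons = Yes
    server max protocol = NT1
"""
if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)))
```

A parameter reported as "not set" falls back to Samba's built-in default, so that finding means the file differs from this guide, not necessarily that the PDC is misconfigured.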
User Account Creation
To create a demoUser user account in the NT4 domain:
- Create the account on the local system:
# useradd -M -s /sbin/nologin demoUser
- Omit the -M parameter if the user requires a home directory on this host. For Samba access, the account does not require a valid shell.
- To enable the demoUser account on the local system:
# passwd demoUser
Enter new UNIX password: Passw0rd
Retype new UNIX password: Passw0rd
passwd: password updated successfully
- This password is only required for local log ins. Setting a local password is required to enable the account. Samba denies access if the account is disabled locally. Local log ins using this password are not possible if the account was created without a valid shell.
- Add the root and demoUser accounts to the Samba database:
# smbpasswd -a root
New SMB password: Passw0rd
Retype new SMB password: Passw0rd
Added user root.
# smbpasswd -a demoUser
New SMB password: Passw0rd
Retype new SMB password: Passw0rd
Added user demoUser.
- The passwords assigned in this step are the ones used by the users to log in to the domain.
- To enable both Samba accounts:
# smbpasswd -e root
Enabled user root.
# smbpasswd -e demoUser
Enabled user demoUser.
Machine Account creation
To create a machine account for the domain member M1:
Machine accounts use a trailing $ sign.
- Create the local Unix user account:
# useradd -M -s /sbin/nologin M1$
- Enable the machine account:
# smbpasswd -m -a M1$
Added user M1$.
- The -m parameter indicates that the account is a machine trust account.
Windows Client Operating Modifications
Modern Windows client operating systems require some modifications to operate in an NT4 domain. For details, see Required Settings for Samba NT4 Domains.
Joining a Client to the Domain
For details, see:
- Joining a Windows Client or Server to a Domain
- Setting up Samba as a Domain Member
- Joining a MacOSX Client to a Domain