Setting up Samba as an NT4 PDC (Quick Start)
Introduction
Samba officially supports in the latest version acting as an NT4 primary domain controller (PDC).
However, in case of new installations for a domain environment we recommend to set up Samba as an Active Directory (AD) domain controller (DC), because Microsoft offically stopped the support of Windows NT4 at the end of 2004. Even if later published Windows versions can still join an NT4 domain, any future security or enhancement update can break or disable this deprecated feature. For example, Windows 7 and later already require modifications on the client side and Windows 10 additional on the PDC to operate in an NT4 domain. For details, see Required Settings for Samba NT4 Domains.
The following documentation is a minimal quick start guide to set up Samba as an NT4 PDC. You have to create user and machine accounts manually on the PDC which are stored within the Samba internal "tdbsam" database. You can later enhance this setup with additional features, such as OpenLDAP back end support.
Preconditions
The documentation assumes that:
- the operating system is installed.
- the network on the host is set up and working.
- a supported Samba version is installed.
Set up the Primary Domain Controller
To set up the Primary Domain Controller (PDC):
- To locate the path of the "smb.conf" file Samba uses, run:
# smbd -b | grep "CONFIGFILE" CONFIGFILE: /usr/local/samba/etc/smb.conf
- Use the following content in your "smb.conf" file:
[global] netbios name = PDC workgroup = SAMDOM security = User passdb backend = tdbsam username map = /usr/local/samba/etc/username.map domain logons = Yes # For Windows 10 client support, uncomment the following line: #server max protocol = NT1 # For details, see Required_Settings_for_Samba_NT4_Domains. log file = /var/log/samba/%m log level = 1
- This is a minimum configuration, to set up an NT4 PDC using a local tdbsam database. For details about the parameters, see the smb.conf (5) man page.
- Create the user name mapping file "/usr/local/samba/etc/username.map" with the following content:
root = administrator
- This mapps the NT4 account "administrator" to the local "root" user.
- Start the "smbd" and "nmbd" daemons.
User Account Creation
To create a "demoUser" user account in the NT4 domain:
- Create the account on the local system:
# useradd -M -s /sbin/nologin demoUser
- Omit the "-M" parameter if the user requires a home directory on this host. For Samba access, the account does not require a valid shell.
- To enable the demoUser account on the local system:
# passwd demoUser Enter new UNIX password: Passw0rd Retype new UNIX password: Passw0rd passwd: password updated successfully
- This password is only required for local log ins. Setting a local password is required to enable the account. Samba denies access if the account is disabled locally. Local log ins using this password are not possible if the account was created without a valid shell.
- Add the "root" and "demoUser" accounts to the Samba database:
# smbpasswd -a root New SMB password: Passw0rd Retype new SMB password: Passw0rd Added user demoUser.
# smbpasswd -a demoUser New SMB password: Passw0rd Retype new SMB password: Passw0rd Added user demoUser.
- The passwords assigned in this step are the ones used by the users to log in to the domain.
- To enable both Samba accounts:
# smbpasswd -e root Enabled user root.
# smbpasswd -e demoUser Enabled user demoUser.
Machine Account creation
To create a machine account for the domain member "M1":
Note: Machine accounts have a trailing "$" sign.
- Create the local Unix user account:
# useradd -M -s /sbin/nologin M1$
- Enable the machine account:
# smbpasswd -m -a M1$ Added user M1$.
- The "-m" parameter indicates that the account is a machine trust account.
Windows Client Operating Modifications
Modern Windows client operating systems require some modificates to operate in an NT4 domain. For details, see Required Settings for Samba NT4 Domains.
Joining a Client to the Domain
For details, see: