This page is out of date. See Samba/DcWithLdapBackend for an overview of how to set up an old, NT4-style Samba Domain Controller. Most of the information listed here was taken from http://lucasmanual.com/mywiki/SambaDomainController (archive) and is still available there. CategoryProposedDeletion

Domain Controller, Samba - Article taken from http://lucasmanual.com/mywiki/SambaDomainController

Install Samba

  • As root:

apt-get update
apt-get install samba
  • The default setup for samba is with user security. If you want to connect right away, add a user to samba with smbpasswd -a username and try logging in with that username and password.

Status

  • To see what services are available on samba, use the command below.
  • If samba is not running, start it with /etc/init.d/samba start
  • When prompted for a password, hit Enter to log in anonymously.

smbclient -L servername
  • You should see something like:

Anonymous login successful
Domain=[mydomainname] OS=[Unix] Server=[Samba 3.0.24]
 Sharename Type Comment
 --------- ---- -------
 IPC$ IPC IPC Service (Samba 3.0.24)
Anonymous login successful
Domain=[mydomainname] OS=[Unix] Server=[Samba 3.0.24]
 Server Comment
 --------- -------
 SERVERNAME Samba 3.0.24
 Workgroup Master
 --------- -------
 DEBIAN
 MSHOME NTSERVERNAME
 mydomainname DOMAINSERVER
  • This means samba is installed properly and we are ready to configure what is available on it.

Quick: Connect to samba share

  • To be able to use samba we have to change two things in the samba configuration, the security mode and the write permissions, and add a user.
  • Edit /etc/samba/smb.conf
  • Uncomment the security line:

 security = user
  • Find read only = yes and change it to:

read only = no
  • Now add a password for your username:

smbpasswd -a myusername
  • Restart samba

/etc/init.d/samba restart
  • Now you can browse \\hostname.or.ip.address.of.the.computer\lucas, or via a linux file manager smb://hostname.or.ip.address.of.the.computer/lucas
  • Provide the username ('myusername') and the password you entered.
  • The above link points to your home directory. You can set up more shares later, but you are done with the initial samba settings.
  • Enjoy.

Quick: Mount Shared Folder

  • You need to have smbfs installed. This package enables you to mount via smbfs or cifs. If you don't have it yet:

apt-get update
apt-get install smbfs
  • [FYI] Older versions of samba used smbfs as the driver to connect to windows. The newer driver, cifs, is faster and is becoming part of the kernel. We will use -t cifs instead of -t smbfs. We still need to install the smbfs package because cifs uses parts of it.

  • To mount a windows share you need to create a mount point folder:

mkdir somefolder
  • As root or with root privileges (su root or sudo):

mount -t cifs -o username=administrator,password=password //windowsservername/folder /home/lucas/somefolder
or
mount -t cifs -o user=administrator //windowsservername/folder /home/lucas/somefolder
  • The second one will prompt you for the password.
  • If you would like a non-privileged user to have write access to the share, add the UID option.
  • Options after -o are separated by commas with no spaces, or use quotation marks: -o 'UID=lucas,username=administrator,password=password'

mount -t cifs -o UID=lucas,username=administrator,password=password //windowsservername/folder /home/lucas/somefolder
  • If you are connecting to a domain, make sure you use the domain option:

mount -t cifs -o UID=lucas,username=administrator,password=password,domain=mydomainname //windowsservername/folder /home/lucas/somefolder

[Optional] You can replace administrator with your username. You can also replace windowsservername with an ip address: //192.168.1.10/folder ....

Quick: Enable Writable Share Folder

  • If you want to create a shared folder that is writable by everybody, you can do the following.
  • Change the security mode from user to share. (The first line is commented out.)

#; security = user
 security = share

Then at the bottom add the following lines.

[SHARED]
comment = PMS files
path = /home/lucas/Unique
browseable = yes
#printable = no
guest account = nobody
guest ok = yes
write ok = yes
force user = lucas
#force group = lucas
  • Replace lucas with your username or another user that you would like to use.
  • Your samba share SHARED is ready. On a windows machine go to \\COMPUTERNAME\SHARED or \\192.168.1.1\SHARED (replace 192.168.1.1 with the ip address of the linux machine) and you are done.

Quick: Ping netbios names from linux

Keywords: linux to windows by "full computer name", netbios lookup, nslookup

  1. Every pc can ping each other using the netbios name, which corresponds to an ip address.
  2. In windows, pinging netbios names works: ping mycomputer2 will ping the ip behind the name mycomputer2.
  3. You are able to ping a pc that is on dhcp.

This will enable the same feature in linux.

  • To enable linux pcs to ping netbios names you need to:

apt-get update
apt-get install winbind
  • Now edit this file:

vi /etc/nsswitch.conf
  • Change the line that starts with hosts by adding wins at the end of it.

hosts: files dns
to
hosts: files dns wins
  • In my Debian it looked like this:

hosts: files mdns4_minimal [NOTFOUND=return] dns mdns4
to
hosts: files mdns4_minimal [NOTFOUND=return] dns mdns4 wins
  • Now ping any computer you want:

ping mycomputer2
  • Done.

Print Server

Install CUPS

  • The first thing you need to do is install all your printers via cups.

apt-get update
apt-get install cupsys cupsys-client
  • Start cups

/etc/init.d/cupsys start

Add Printers

  • Go to localhost:631 and add all your printers.

This page tells you how to do it: DebianPrinting

Enable samba Printer sharing

  • Then go to /etc/samba/smb.conf
  • and make sure the [printers] and [print$] sections are uncommented.
  • Now uncomment these lines:

 printing = cups
 printcap name = cups
  • This will load the cups system printers and make them available to you.
  • Now type in

smbclient -L localhost
password: [hit Enter] --password is empty
  • You should see something like this:

 Sharename Type Comment
 --------- ---- -------
 print$ Disk Printer Drivers
 IPC$ IPC IPC Service (faxserver server)
 Departent1-Kyocera-9520DN Printer Kyocera-9520DN
 Departent1-Kyocera-9500DN Printer Kyocera-9500DN
 Departent1-HP--8000 Printer HP-8000
 Departent2-Kyocera-C5020DN Printer Kyocera-C5020N
 Departent2-Kyocera-9520DN Printer Kyocera-9520DN
 Departent2-HP-P3005 Printer HP-3005
 Departent2-HP-4000 Printer HP-4000
 Accounting-Kyocera-9520DN Printer Kyocera-9520DN
Anonymous login successful

Upload Printer Drivers to Samba

  • Now we need to upload our windows drivers to the samba [print$] share so that the next windows client that wants to use this printer will automatically download the drivers.

Configure Samba for Domain

  • First we need to know our server name:

uname -n
hostname -f
  • You should see your server name. Put that server name everywhere you see servername in this document.

Root user

  • We need to add our first user:

smbpasswd -a root
  • The SMB root password can and should be different from the unix root password.

  • You should see something like this.

root# smbpasswd -a root
New SMB password: XXXXXXXX
Retype new SMB password: XXXXXXXX
  • Now we need to map our user root to Administrator. This will allow our root account to be called Administrator.
  • In /etc/samba create a file named smbusers. In it add:

#####################
#File Format
#Unix_ID = Windows_ID
#Example:
#root = Administrator
#janes = "Jane Smith"
#####################
root = Administrator

Routes

  • We need to let the system know which tools to use, and in what order, when it looks up a computer.
  • Edit /etc/nsswitch.conf and make sure it contains:

hosts: files dns wins

Pre-configuration

  • We need to create a folder where we will keep our profiles and netlogon scripts, as well as data and apps folders that will be used for sharing files.
  • Create the following folders for netlogon scripts and profiles:

mkdir /home/samba
mkdir -p /home/samba/{netlogon,profiles}
chmod ug+rw /home/samba/profiles
  • As an alternative, use install from the coreutils package:

install -d -m 0755 /home/samba/netlogon
install -d -m 0775 /home/samba/profiles
  • [Optional] Create these folders for the programs share and company documents:

mkdir /data
mkdir /apps

Add users

  • You need to add an account for each network user. You can do it by executing these commands.
  • For each user you create you need a profile folder in /home/samba/profiles/. Replace username with the actual login ID.

adduser username 
smbpasswd -a username
mkdir /home/samba/profiles/username
chown username:users /home/samba/profiles/username

netlogon.bat

  • When each user logs in, the netlogon script is executed. It needs to have correctly terminated DOS (CR/LF) line endings, so we will make sure of that.
  • In the file /home/samba/netlogon/netlogon.bat write the following content (replace servername with your server name):

net time \\servername /set /yes
net use h: /home
  • If you are using vim to create netlogon.bat, you can save it in DOS format by running :set ff=dos just before you save the file with :w

  • Now we will convert it to a proper DOS file. We need to install a tool that will do it for us:

apt-get update
apt-get install tofrodos
  • Then issue the command:

todos /home/samba/netlogon/netlogon.bat
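The CR/LF requirement is easy to get wrong when the script is edited later on the server. As an added example (not part of the original page), this awk-only script converts a file the way todos does and verifies that every line really ends in CR/LF; it assumes only a POSIX awk and mktemp.

```shell
#!/bin/sh
# Added example, not part of the original page: a portable stand-in for the
# todos step plus a check that a logon script really has CR/LF line endings.
# Only awk is used, so it works where tofrodos is not installed.

# to_dos FILE: rewrite FILE in place so every line ends in CR LF.
# Idempotent: lines that already end in CR are not given a second one.
to_dos() {
    tmp="$1.tmp.$$"
    awk '{ sub(/\r$/, ""); printf "%s\r\n", $0 }' "$1" > "$tmp" && mv "$tmp" "$1"
}

# check_dos_eol FILE: return 0 if every line ends in CR LF; otherwise print
# the first offending line number and return 1.  Windows reads the script
# literally, so one LF-only line is enough to break the logon script.
check_dos_eol() {
    awk 'BEGIN { bad = 0 }
         !/\r$/ { print "line " NR " lacks CR/LF"; bad = 1; exit }
         END { exit bad }' "$1"
}

# Stand-alone run on a constructed netlogon.bat with the same two commands
# as the script above (written with LF endings, as a Unix editor would).
script=$(mktemp)
printf 'net time \\\\servername /set /yes\nnet use h: /home\n' > "$script"
check_dos_eol "$script" || echo "before conversion: not a DOS file"
to_dos "$script"
check_dos_eol "$script" && echo "after conversion: DOS line endings OK"
rm -f "$script"
```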

  • If you are replacing an existing drive mapping, you may want to remove the old one and then map the new one:

net use u: /delete
net use u: \\SERVERNAME\SOME_FOLDER

simple working smb.conf

  • It is time to create smb.conf.
  • Copy and paste this into your smb.conf. Change the workgroup and netbios name.

  • This configuration will get your domain up and running in 30 seconds.

[global]
 #Domain name
 workgroup = yourdomainname
 #The Server Name
 netbios name = servername
 #server string = Samba
 #Time server, Workstations will set their time by this server
 time server =yes
 passdb backend = tdbsam
 #SECURITY AND LOGIN SETTINGS
 #This must be a user in PDC
 security = user
 bind interfaces only = yes
 #Windows XP/2000
 encrypt passwords = yes
 #Login in settings.
 domain logons = Yes
 #Error Logs, Comment it out when you in production.
 log level = 3
 #PDC and MASTER BROWSER SETTINGS
 #os level = 64 #Windows for master PDC. Highers windows can get is 32
 preferred master = yes
 #local master = yes
 #This defines it as the Primary Domain Controller
 domain master = yes
 #Add delete users on linux and samba (keeps linux and samba accounts in sync)
 add user script = /usr/sbin/useradd -m %u
 add machine script = /usr/sbin/useradd -s /bin/false -d /var/lib/nobody %u
 delete user script = /usr/sbin/userdel -r %u
 add group script = /usr/sbin/groupadd %g
 delete group script = /usr/sbin/groupdel %g
 add user to group script = /usr/sbin/usermod -G %g %u
 #User Profiles and Home directory.
 logon drive = H:
 logon path =
 logon home =
 #Login script. Location is defined in [netlogon]
 logon script = netlogon.bat
 #Define user mappings. root = Administrator
 #You don't need this if you have created Administrator SMB user.
 username map = /etc/samba/smbusers
 wins support = yes
 passwd program = /usr/bin/passwd %u
 # --- shares ---
[netlogon]
 comment = Domain Logon Service
 path = /home/samba/netlogon
 valid users = %U
 admin users = Administrator
 read only = no
 browseable = no
 write list =@admins
 guest ok = Yes
 #For read only purposes. File is not locked per user.
 locking = no
[homes]
 #If you want to set the home directory somewhere other than the unix home, use the path below.
 # path = \\otherservername\%U
 volume = %U Home
 comment = Home Folder
 valid users = %S
 read only = No
 browseable = No
 public = no
 create mode = 0750
[printers]
 comment = All Printers
 path = /var/spool/samba
 guest ok = Yes
 printable = Yes
 browseable = No
#These are Optional if you want to use them
[apps]
 comment = Application Files
 path = /apps
 admin users = Administrator
 read only = No
[data]
 comment = Application Files
 path = /data
 admin users = Administrator
 read only = No
  • This smb.conf will allow a user to log into the samba server. Each user will have their own H: drive. The apps and data folders are shared. The TDBSAM database is used for authentication. Local profiles are used, which means the user's settings are stored on his/her computer.

Shared folder

  • If you need to quickly add a shared folder writable by anybody, you can add this to your samba config file.

[SHARED]
comment = PMS files
path = /home/lucas/shared
browseable = yes
#printable = no
guest account = guest
guest ok = yes
write ok = yes
force user = lucas
#force group = lucas

test smb.conf

  • To test smb.conf for proper structure, issue this command:

testparm
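testparm checks the structure of the file. As an added example (not part of the original page), the following awk-based audit scans an smb.conf for the three things in the configs above that a practitioner would want flagged: security = share, shares that are both guest-accessible and writable, and values carrying an inline ";" or "#" comment (smb.conf has no inline comments, so "yes ;note" is read as the whole value). The sample file it audits is constructed from the snippets on this page; it assumes only a POSIX awk and mktemp.

```shell
#!/bin/sh
# Added example, not part of the original page: a static audit of smb.conf
# for the risky patterns that appear in the quick-start configs above.
# It reports:
#   RISK  security = share      (per-share passwords, no per-user accountability)
#   RISK  guest-writable share  (guest ok = yes together with a writable setting)
#   WARN  inline comment        (the comment becomes part of the value)

# audit_smb_conf FILE: print one line per finding; prints nothing when clean.
audit_smb_conf() {
    awk '
        function isyes(v) { return (v == "yes" || v == "true" || v == "1") }
        function isno(v)  { return (v == "no"  || v == "false" || v == "0") }
        # Called when a share section ends: decide whether it was guest-writable.
        function flush() {
            if (section != "" && section != "global")
                if (isyes(guest) && (isyes(wr) || isno(ro)))
                    printf "RISK: share [%s] is guest-writable (path=%s)\n", section, path
        }
        /^[ \t]*[#;]/ || /^[ \t]*$/ { next }      # skip comment and blank lines
        /^[ \t]*\[.*][ \t]*$/ {                    # start of a new [section]
            flush()
            section = $0
            sub(/^[ \t]*\[/, "", section); sub(/][ \t]*$/, "", section)
            section = tolower(section)
            guest = ""; wr = ""; ro = ""; path = ""
            next
        }
        /=/ {                                      # "key = value" line
            key = $0; sub(/=.*/, "", key)
            gsub(/^[ \t]+|[ \t]+$/, "", key); key = tolower(key)
            val = $0; sub(/^[^=]*=/, "", val)
            gsub(/^[ \t]+|[ \t]+$/, "", val)
            if (val ~ /[ \t][#;]/)
                printf "WARN: line %d: inline comment in value of \"%s\"\n", NR, key
            val = tolower(val)
            if (section == "global" && key == "security" && val == "share")
                print "RISK: security = share (per-share passwords, no user accountability)"
            # Samba synonyms: guest ok/public, writable/writeable/write ok
            if (key == "guest ok" || key == "public") guest = val
            if (key == "writable" || key == "writeable" || key == "write ok") wr = val
            if (key == "read only") ro = val
            if (key == "path") path = val
        }
        END { flush() }
    ' "$1"
}

# make_sample_conf: write a constructed smb.conf (modelled on the snippets
# above, not a real server's file) to a temp file and print its path.
make_sample_conf() {
    f=$(mktemp) || return 1
    cat > "$f" <<'EOF'
[global]
 workgroup = EXAMPLEDOM
 security = share
 domain master = yes ;This defines it as the Primary Domain Controller
[SHARED]
 path = /home/lucas/shared
 guest ok = yes
 write ok = yes
[homes]
 valid users = %S
 read only = No
 browseable = No
[everybody]
 path = /path/to/folder
 writable = yes
 write list = @users
EOF
    printf '%s\n' "$f"
}

# Stand-alone run: audit the constructed file and clean up.
conf=$(make_sample_conf)
audit_smb_conf "$conf"
rm -f "$conf"
```

Running it on the constructed file reports security = share, the inline comment on line 4, and [shared] as guest-writable; [homes] and [everybody] are writable but not guest-accessible, so they are not reported.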

smb.conf explained

  • netbios name - Name by which the Samba server is known on the network. Same as the Windows NT Computer Name. If you don’t specify it, it will default to the server’s hostname.

  • workgroup - This parameter tells samba which Windows NT Domain or Workgroup it will join. It is equivalent to the Windows NT Domain or Workgroup name.

  • server string - The description string of the Samba server. It is equivalent to the Windows NT Description field.

  • security - four possible values: share, user, server, domain

  • Share - clients need to supply only the password for the resource. This mode of security is the default for the Windows 95 file/print server. It is not recommended for use in UNIX environments, because it violates the UNIX security scheme.

  • User - the user/password validation is done on the server which is offering the resource. This mode is most widely used.

  • Server - user/password validation is done on the specified authentication server. This server can be a Windows NT server or another Samba server.

  • Domain - this security level is basically the same as server security, with the exception that the Samba server becomes a member of a Windows NT domain. In this case the Samba server can also participate in such things as trust relationships.

  • encrypt passwords - If set to yes, Samba uses the encrypted password protocol. It is used in Windows NT (starting with Service Pack 3) and Windows 95/98.

  • smb passwd file - This tells Samba where encrypted passwords are saved. By default, it will use /etc/smbpasswd.

  • name resolve order - This parameter specifies how the Samba server resolves NetBIOS names into IP addresses. The preferred value is wins lmhosts bcast.

WINS support

  • Only one of the parameters (wins support or wins server) can be set at the same time. If you specify the IP address of a WINS server, then wins support must be set to "no".

  • wins server - With this parameter, you tell Samba which WINS server to use.

  • wins support - This option tells Samba to act as a WINS server.

Share options

  • admin users - Specify the users who have administrative privileges for the share. When they access the share, they perform all operations as root.

  • printable - This parameter specifies if the share is a print share. If the share is printable, then it is also writable by default.

  • write list - Specifies the list of people who have write access to the share. If the name begins with @ it means a group name.

  • writable - This parameter specifies if the share is writable. (yes/no)

  • read list - List of people who have read access to the share. If the name begins with @ it means a group name.

  • read only - If this is set to yes, the share is read only.

  • valid users - This parameter specifies which users can access the share.

  • create mask - This is used for file creation to mask against the UNIX mode calculated from the DOS mode requested. Default: 0744

  • directory mask - This is used for directory creation to mask against the UNIX mode calculated from the DOS mode requested. Default: 0755

Homes

  • The special share section called [homes] will affect all home folders. You don't need to create a separate one for each user.
  • When a client requests a connection to a file share, existing file shares are scanned. If a match is found, that share is used. If no match is found, the requested share is treated as a username and validated by security. If the name exists and the password is correct, a share with that name is created by cloning the [homes] section.
  • Home folder structure in smb.conf:

[homes]
comment = Home Directories
path = %H
valid users = %S
browseable = no
writable = yes
create mode = 0700
directory mode = 0700
  • %H - Represents the home directory of the user.

  • %S - Represents the name of the current service which, in the case of the home share, is equal to the username.

Add Shared Folder to Samba

  • Here is a sample share folder structure.

[share]
 path = /path/to/data
 comment = Data Directory on servername
 read only= yes
 valid users = @users
 write list = manager
  • This shares the data in a directory as a share. You can access this share by \\servername\share. Only valid users who are part of the users group are permitted to read this data. The user named manager is allowed to write.

Add Writable share Folder

  • Following the previous procedure, add this to smb.conf:

[everybody]
comment = Everybody files
path = /path/to/folder
browseable = yes
printable = no
writable = yes
write list = @users

Add Printer to Samba

  • You need to have printers installed. If you don't have them installed, follow the directions on DebianPrinting.

  • When done installing printers, add these lines and you will be able to print to them.
  • Add this to your globals:

[global]
...
printcap name = cups
printer admin = admin
printing = cups
  • Add this to the bottom of smb.conf:

[printers]
path = /var/lib/samba/printers
create mask = 0600
printable = yes
browseable = no
  • Now open windows explorer on your client machine and go to \\servername
  • You should see the printers that you have installed in cups.

More smb.conf

Profiles

  • There is a choice of methods here.

  • For each user to continue using their existing profile, always using the same machine with its own applications installed:

After having created an account for them on the server, simply log on to the server and the existing Windows profile on the local machine will be used (as there won't be one already on the server) and copied over to the server. This is fine if they only ever use the same computer, but beware: the profile may have references to software installed only on their machine, so if they want to log in from other machines it is probably worth starting over with a fresh profile and setting up each machine exactly the same; see the next method.

or

  • [We will use the first option for under 50 users in the same location] For each user to have their own profile, which they can alter, provided to them efficiently using a single template profile, and that they can roam with from one machine to another, each machine having the same applications installed, or installed on the server:

Configure a Windows user account on a workstation the way you want it. (If you try to create a user account after you've created a machine account for this machine on the Samba server, creating the account on the workstation will fail and elicit a message saying you can't create accounts in that domain. We don't know what this is about, but to work around it you can use the Users and Passwords' Advanced → Advanced → Users → Action → New User... option, or create the account without the workstation being part of a domain: do so beforehand, or temporarily revert back to a workgroup.)
 This will be a 'Restricted User' account.
 This account will be the template user profile. (We use TWEAK - The Windows Environment and Application Konfigurator, available from http://thegoldenear.org/tweak/, to configure the template user account quickly and easily; you only need to run the per-user options, including the Roaming Computing System specific options, A → P → P.)
 Create the template without running any applications; that will be done later. Consider where you're going to keep icons for applications by reading the section on applications further on.
 Any applications that require their preferences to be pre-installed manually (rather than dealing with it themselves) in the Windows profile will want that done now (see the applications section further on).
  • Create a profiles folder.
  • Let's change the permissions on our profiles folder:

mkdir /home/samba
mkdir /home/samba/profiles
chmod 1757 /home/samba/profiles
  • Let's create an initial template:

mkdir /home/samba/profiles/template
  • In Windows Explorer log into your server by going to \\yourservername

Netlogon

  • We need to create a netlogon script that will be used to mount extra drives on client machines.
  • First we need to create a directory for that. The samba folder should exist already:

cd /home/samba
ls
mkdir netlogon
chmod 0755 /home/samba/netlogon
cd /home/samba/netlogon
  • Here is a sample NETLOGON.BAT that we will put into /home/samba/netlogon/NETLOGON.BAT.
  • You will need to create this file on windows because windows will be the one reading it (we need CR/LF as the end-of-line characters).

rem ###########################################
rem logon script
rem version 0.7.0
rem
rem remember this file needs DOS CR/LF to work
rem ###########################################
rem Change Log
rem 0.7.0 13-Dec-2003
rem - added a new system and user TEMP location of e:\%username%\windows and e:\windows
rem - changed 'cooledit' directory name to 'audition' to reflect that program's name change
rem - removed creation of 'powerarchiver' directory as we use 7-Zip exclusively
rem 0.6.5 08-April-2003
rem - renamed 'server' to 'file-server'
rem - removed '/PERSISTANT:YES'
rem -------------------------------------------
net use P: \\file-server\programs
rem (only admins group can write there in our Samba configuration)
rem make mappings to shared areas, i.e.:
rem H: is made by smb.conf
net use S: \\file-server\shared
rem sync the workstation's time to that of the file-server
net time \\file-server /set /yes
rem make connections to any printer(s):
rem net use LPT1:
rem create temporary directories for %USERNAME% on TEMP partition
rem (remove any for applications not used on your system):
if not exist "e:\%username%" md "e:\%username%"
if not exist "e:\%username%\winnt" md "e:\%username%\winnt"
if not exist "e:\%username%\windows" md "e:\%username%\windows"
rem ('winnt' remains for backwards compatibility. we changed to 'windows' on 12 Dec 03 / TWEAK 0.8.32)
if not exist "e:\%username%\ie" md "e:\%username%\ie"
if not exist "e:\%username%\ie\Temporary Internet Files" md "e:\%username%\ie\Temporary Internet Files"
if not exist "e:\%username%\mozilla" md "e:\%username%\mozilla"
if not exist "e:\%username%\java" md "e:\%username%\java"
if not exist "e:\%username%\nero" md "e:\%username%\nero"
if not exist "e:\%username%\audacity" md "e:\%username%\audacity"
if not exist "e:\%username%\audition" md "e:\%username%\audition"
:EOF
  • Now allow users to read that file:

chmod a+r /home/samba/netlogon/NETLOGON.BAT

Update hosts file on computers

  • Add this line to your logon script. Replace "MYPDC" with the computer name of your domain controller.

copy \\MYPDC\netlogon\hosts %systemroot%\system32\drivers\etc\hosts

smb.conf

  • Here is a final smb.conf that you can just paste into your smb.conf file.
  • You will need to change the workgroup name, the hosts allow/deny ip addresses, and the netbios name.

  • Before you start, let's make a copy of smb.conf:

cp /etc/samba/smb.conf /etc/samba/smb.conf-original
  • Now clear the old file and paste this in:

# Smb.conf, samba domain controller
# Replacing windows nt domain controller
# Need to change workgroup, netbios name, allowed host allow/deny
[global]
 #Domain name
 workgroup = domainname
 #The Server Name
 netbios name = domainserver
 #server string = Samba
 #Time server, Workstations will set their time by this server
 time server =yes
 passdb backend = tdbsam
 #SECURITY AND LOGIN SETTINGS
 #This must be a user in PDC
 security = user
 #Allow connection from specified addresses 10.1.1.*
 #Change it to your ip network, example: 192.168.0.
 #hosts allow = 127.0.0.1 10.1.1.
 #Deny others
 #hosts deny = 0.0.0.0/0
 #Only allow connection through network card
 #interfaces =eth* lo
 #bind interfaces only = yes
 #Windows XP/2000
 encrypt passwords = yes
 #Login in settings.
 domain logons = Yes
 #Error Logs, Comment it out when you in production.
 log level = 5
 #PDC and MASTER BROWSER SETTINGS
 #os level = 64 #Windows for master PDC. Highers windows can get is 32
 preferred master = yes
 #preferred master = auto
 local master = yes
 #This defines it as the Primary Domain Controller
 domain master = yes
 #Add delete users on linux and samba (keeps linux and samba accounts in sync)
 add user script = /usr/sbin/useradd -m %u
 add machine script = /usr/sbin/useradd -s /bin/false -d /var/lib/nobody %u
 delete user script = /usr/sbin/userdel -r %u
 add group script = /usr/sbin/groupadd %g
 delete group script = /usr/sbin/groupdel %g
 add user to group script = /usr/sbin/usermod -G %g %u
 #User Profiles and Home directory.
 logon path = \\%L\profiles\%U
 logon home = \\%L\%U
 #Login script. Location is defined in [netlogon]
 logon script = netlogon.bat
 #Define user mappings between this system and windows system.
 #Without this you get ask for password.
 #You don't need this if you have created SMB user here.
 username map = /etc/samba/smbusers
 wins support = yes
 admin users = root
 #Keep the case in file/directory names.Matching is done without regard to case.
 #It allows transition from non-case system (windows) to case system(unix)
 preserve case = yes
 short preserve case = yes
 case sensitive = no
 #Sync Unix passwords from windows workstation using PAM
 #Allow users to change their password
 unix password sync = yes
 #pam password change = yes
 #Optimized of samba for increased speed
 #SO_KEEPALIVE -sends a probe every 4 hours to check that a connection is still active
 #TCP_NODELAY
 #IPTOS_LOWDELAY
 #SO_SNDBUF=14596 -14596 is roughly the best in most circumstances,
 # it may be optimized better for your system.
 #SO_RCVBUF = 14596
 socket options =TCP_NODELAY,IPTOS_LOWDELAY, SO_KEEPALIVE, SO_SNDBUF=14596, SO_RCVBUF=14596
 #lpq command = %p
 #name resolve order = wins bcast hosts
 #passwd chat debug = Yes
 #idmap gid = 15000-20000
 #passwd chat = *Enter\snew\sUNIX\spassword:* %n\n *Retype\snew\sUNIX\spassword:* %n\n
 #lprm command =
 passwd program = /usr/bin/passwd %u
 #print command =
 #printing = cups
 #idmap uid = 15000-20000
 #printcap name = CUPS
 #null passwords = yes
 # --- shares ---
[netlogon]
 comment = Domain Logon Service
 path = /home/samba/netlogon
 valid users = %U
 admin users = Administrator
 read only = no
 browseable = no
 write list =@admins
 guest ok = Yes
 #For read only purposes. File is not locked per user.
 locking = No
[profiles]
comment = Network Profiles Share
path = /home/samba/profiles
browseable = yes
guest ok = yes
writeable = yes
read only = no
profile acls = yes
csc policy = disable
create mode = 0600
directory mode = 0700
[homes]
 #If you want to set the home directory somewhere other than the unix home, use the path below.
 # path =
 volume = %U Home
 comment = Home Folder
 valid users = %S
 read only = No
 browseable = No
 public = no
 create mode = 0750
[printers]
 comment = All Printers
 path = /var/spool/samba
 guest ok = Yes
 printable = Yes
 browseable = No
#These are Optional
[apps]
 comment = Application Files
 path = /apps
 admin users = Administrator
 read only = No
[data]
 comment = Application Files
 path = /data
 admin users = Administrator
 read only = No

Samba Status

What is available

  • To see what services are available on samba, use this command.
  • If no password is set, hit Enter to log in anonymously.

smbclient -L servername
  • You should see something like:

Anonymous login successful
Domain=[mydomainname] OS=[Unix] Server=[Samba 3.0.24]
 Sharename Type Comment
 --------- ---- -------
 IPC$ IPC IPC Service (Samba 3.0.24)
 Dept1-HP-P3005N Printer Dept1
Anonymous login successful
Domain=[mydomainname] OS=[Unix] Server=[Samba 3.0.24]
 Server Comment
 --------- -------
 DOMAINSERVER Samba 3.0.24
 Workgroup Master
 --------- -------
 DEBIAN
 MSHOME NTSERVERNAME
 mydomainname DOMAINSERVER

User management

Manage users

  • There are two tools to manage users. We will use the second one because it gives us more control.

  • smbpasswd
  • pdbedit

smbpasswd:

  1. add user or machine accounts.
  2. delete user or machine accounts.
  3. enable user or machine accounts.
  4. disable user or machine accounts.
  5. set to NULL user passwords.
  6. manage interdomain trust accounts.

pdbedit:

  1. add, remove, or modify user accounts.
  2. list user accounts.
  3. migrate user accounts.
  4. migrate group accounts.
  5. manage account policies.
  6. manage domain access policy settings.

pdbedit

  • Find the details on user:

pdbedit -Lv username
  • Or to see all users:

pdbedit -Lv |less

Press space to view the next page, q to quit.

Add user

  • Two options.

smbpasswd: add username as a debian linux account and a samba account.

adduser 'username'
smbpasswd -a 'username'

Add a user with pdbedit. The unix account needs to exist already:

pdbedit -a username

Delete user

Delete samba account:

pdbedit -x username

Change account

  • Change user account information

pdbedit -r --fullname="First Last name" username

Reset password expiration for account

pdbedit -z username

Account flag, disable

  • Available flags

D Account is disabled.
H A home directory is required.
I An inter-domain trust account.
L Account has been auto-locked.
M An MNS (Microsoft network service) logon account.
N Password not required.
S A server trust account.
T Temporary duplicate account entry.
U A normal user account.
W A workstation trust account.
X Password does not expire.
  • To change a flag do this:

pdbedit -r -c "[DLX]" username
  • To reset to default:

pdbedit -r -c "[]" username

Default account settings

  • Account policies must be set individually on each PDC and BDC.
  • See what the defaults are now:

pdbedit -P ?
  • Change a default:

pdbedit -P "min password length" -C 8
  • Replace "min password length" with other options you saw in pdbedit -P ?

Unix passwords to samba passwords

cat /etc/passwd | /usr/sbin/mksmbpasswd > /etc/samba.d/smbpasswd

Change password backend

  • This will migrate passwords from smbpasswd to tdbsam:

pdbedit -i smbpasswd -e tdbsam
  • Make sure you remove smbpasswd from smb.conf and set:

passdb backend = tdbsam:/etc/samba/passdb.tdb
  • You should be done. Your user should be able to log into your domain.

Administrator

  • The Administrator user is a member of the Administrators group, and thus inherits Administrators group privileges. When an MS Windows NT4/200x/XP machine is made a domain member, the "Domain Admins" group of the PDC is added to the local Administrators group of the workstation. Every member of the Domain Admins group inherits the rights of the local Administrators group when logging on to the workstation.
  • The following steps describe how to make Samba PDC users members of the Domain Admins group.
  • Create a UNIX group (usually in /etc/group); let's call it domainadmin.

addgroup domainadmin
  • Add to this group the users that must be "Administrators". For example, if you want joe, john, and mary to be administrators, your entry in /etc/group will look like this:

domainadmin:x:502:joe,john,mary
  • Map this domainadmin group to the "Domain Admins" group by executing the command:

root# net groupmap add ntgroup="Domain Admins" unixgroup=domainadmin rid=512 type=d
  • Now joe, john, and mary are domain administrators.

Add unix group to samba

  • It is possible to map any arbitrary UNIX group to any Windows NT4/200x group as well as to make any UNIX group a Windows domain group. For example, if you wanted to include a UNIX group (e.g., acct) in an ACL on a local file or printer on a Domain Member machine, you would flag that group as a domain group by running the following on the Samba PDC:

root# net groupmap add rid=1000 ntgroup="Accounting" unixgroup=acct type=d
  • Be aware that the RID parameter is an unsigned 32-bit integer that should normally start at 1000. However, this RID must not overlap with any RID assigned to a user. Verification for this is done differently depending on the passdb backend you are using. Future versions of the tools may perform the verification automatically, but for now the burden is on you.
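Checking for a RID collision before running net groupmap add, as an added example that is not part of the original article: the functions below parse the text of pdbedit -L -v ("User SID:" lines) and net groupmap list ("Name (SID) -> unixgroup" lines) and report whether a candidate RID is already taken; both sample outputs are constructed, and the output formats are assumed from those commands.

```shell
#!/bin/sh
# Added example (not from the page): find RIDs already used by users and group
# mappings so a new "net groupmap add ... rid=N" does not collide with a user.
# Assumes "pdbedit -L -v" prints "User SID: S-1-5-21-...-RID" lines and
# "net groupmap list" prints "Name (S-1-5-21-...-RID) -> unixgroup" lines.

# Print every RID (last SID component) in use by a user or a group mapping.
# $1 = output of "pdbedit -L -v", $2 = output of "net groupmap list"
used_rids() {
    printf '%s\n' "$1" | awk '/^User SID:/ { n = split($3, p, "-"); print p[n] }'
    printf '%s\n' "$2" | sed -n 's/.*(S-[0-9-]*-\([0-9]*\)) -> .*/\1/p'
}

# Return 0 if RID $1 is free given the two command outputs, 1 if it is taken.
rid_is_free() {
    candidate=$1
    used_rids "$2" "$3" | grep -qx "$candidate" && return 1
    return 0
}

# Print the first free RID at or above 1000, the normal starting point for groups.
next_free_rid() {
    rid=1000
    while ! rid_is_free "$rid" "$1" "$2"; do rid=$((rid + 1)); done
    echo "$rid"
}

# Constructed sample data: users with RIDs 1002 and 1004, mappings at 512 and 1000.
SAMPLE_PDBEDIT='Unix username:        joe
NT username:          joe
Account Flags:        [U          ]
User SID:             S-1-5-21-111111111-222222222-333333333-1002
Primary Group SID:    S-1-5-21-111111111-222222222-333333333-513
---------------
Unix username:        mary
NT username:          mary
Account Flags:        [U          ]
User SID:             S-1-5-21-111111111-222222222-333333333-1004
Primary Group SID:    S-1-5-21-111111111-222222222-333333333-513'

SAMPLE_GROUPMAP='Domain Admins (S-1-5-21-111111111-222222222-333333333-512) -> domainadmin
Accounting (S-1-5-21-111111111-222222222-333333333-1000) -> acct'

# On a live PDC: next_free_rid "$(pdbedit -L -v)" "$(net groupmap list)"
next_free_rid "$SAMPLE_PDBEDIT" "$SAMPLE_GROUPMAP"   # prints 1001
```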

Migrate NT4 domain to Samba

  • We start from the beginning.
  • Clean up or delete passdb.tdb, located at /var/lib/samba/passdb.tdb.

Clean up NT4 Domain

  • Clean up the NT domain. Make sure all groups are lowercase, and delete any accounts that you don't want to transfer.

smb.conf

  • Use this to replace smb.conf.
  • Replace [domainname], the netbios name and the WINS server IP address. If you don't have a WINS server, comment it out.

[global]
 workgroup = [domainname]
 netbios name = SAMBASERVER
 passdb backend = tdbsam
 domain master = No
 domain logons = Yes
 os level = 33
 add user script = /usr/sbin/useradd -m '%u'
 delete user script = /usr/sbin/userdel -r '%u'
 add group script = /usr/sbin/groupadd '%g'
 delete group script = /usr/sbin/groupdel '%g'
 add user to group script = /usr/sbin/usermod -G '%g' '%u'
 add machine script = /usr/sbin/useradd -s /bin/false -d /dev/null '%u'
 wins server = [IP of wins server]
  • Restart Samba

/etc/init.d/samba restart
  • Test your settings in smb.conf. You should see no errors.

testparm

Join the samba BDC to NT domain

  • Replace the placeholders with the proper names:

net rpc join -S [NT netbios name or IP] -U Administrator
  • Replace domaincomputername with the NT server's netbios name, or use its IP address instead.

net rpc join -S domaincomputername -U Administrator
  • You should see something like:

server:/etc/samba# net rpc join -S domaincomputername -U Administrator
Password:
Joined domain LIABILITY.

Migrate User Accounts

  • We will use the net rpc vampire command to migrate the user accounts:

net rpc vampire -S [NT netbios name or IP] -W [domainname] -U Administrator
  • So in my case it would be:

net rpc vampire -S domaincomputername -W xyzdomain -U Administrator
  • You should see something like:

Fetching DOMAIN database
Creating unix group: 'Domain Admins'
Creating unix group: 'Domain Users'
Creating unix group: 'Domain Guests'
Creating unix group: 'Claims'
Creating unix group: 'Accounting'
Creating account: Administrator
Creating account: Guest
...
Creating unix group: 'Administrators'
Creating unix group: 'Backup Operators'
Creating unix group: 'Guests'
Creating unix group: 'Print Operators'
Creating unix group: 'Replicator'
Creating unix group: 'Server Operators'
Creating unix group: 'Users'
  • Double check that your users have been created. Use this command:

pdbedit -L
  • Shut down your old domain. You might need it later, so don't destroy it just yet.
  • Edit smb.conf and change or add these two settings:

domain master = yes
wins support = yes

  • Now restart Samba

/etc/init.d/samba restart
  • Now Login with your client workstation.
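Verifying the migration before shutting the old domain down, as an added example that is not part of the original article: the functions below compare the "Creating account:" lines printed by net rpc vampire with what pdbedit -L lists afterwards and name any account that did not make it into the passdb. The vampire output format is the one shown above; pdbedit -L is assumed to print "name:uid:Full Name" lines; all sample output is constructed.

```shell
#!/bin/sh
# Added example (not from the page): cross-check the accounts "net rpc vampire"
# reported creating against what "pdbedit -L" lists now.
# Assumes vampire prints "Creating account: NAME" and pdbedit -L prints
# "name:uid:Full Name" (one account per line).

# Print the account names vampire reported creating, one per line.
vampire_accounts() {
    printf '%s\n' "$1" | sed -n 's/^Creating account: //p'
}

# Print the account names present in the passdb, one per line.
passdb_accounts() {
    printf '%s\n' "$1" | cut -d: -f1
}

# Print each account vampire created that is absent from the passdb.
# $1 = vampire output, $2 = "pdbedit -L" output. -F keeps machine names
# like WS01$ from being read as a regular expression.
missing_accounts() {
    vampire_accounts "$1" | while IFS= read -r acct; do
        passdb_accounts "$2" | grep -qxF -- "$acct" || echo "$acct"
    done
}

# Return 0 when every account vampire created is now in the passdb.
migration_complete() {
    [ -z "$(missing_accounts "$1" "$2")" ]
}

# Constructed sample output: vampire created five accounts, but mary is
# missing from the first passdb listing.
SAMPLE_VAMPIRE='Fetching DOMAIN database
Creating unix group: '"'"'Domain Admins'"'"'
Creating account: Administrator
Creating account: Guest
Creating account: joe
Creating account: mary
Creating account: WS01$'
SAMPLE_PDBEDIT_PARTIAL='Administrator:1000:Administrator
Guest:1001:Guest
joe:1002:Joe
WS01$:1003:'
SAMPLE_PDBEDIT_FULL="$SAMPLE_PDBEDIT_PARTIAL
mary:1004:Mary"

# On a live PDC: missing_accounts "$(net rpc vampire ... 2>&1)" "$(pdbedit -L)"
missing_accounts "$SAMPLE_VAMPIRE" "$SAMPLE_PDBEDIT_PARTIAL"   # prints: mary
```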

Webmin

Install Webmin

apt-get install perl libnet-ssleay-perl openssl libauthen-pam-perl libpam-runtime libio-pty-perl libmd5-perl
  • Download the deb file.
  • Check for a newer version on the website.

wget http://prdownloads.sourceforge.net/webadmin/webmin_1.350_all.deb
  • Install the downloaded file:

dpkg --install webmin_1.350_all.deb

Performance

Windows max TCP/IP speed

The problem is in the old TCP/IP settings in Windows. Back in the beginning Windows had a small TCP window size and it never changed. By adding the following to the registry you can increase it to something more appropriate for 100M NICs:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters]

"GlobalMaxTcpWindowSize"=dword:00020148
"TcpWindowSize"=dword:00020148
"Tcp1323Opts"=dword:00000003

This helped me no end with my backups. Increased network throughput by a factor of 30. So give it a go.

http://rdweb.cns.vt.edu/public/notes/win2k-tcpip.htm will explain it a bit more.

Windows 7 and Samba issues

If you discover that copying files from (or to) a shared folder is too slow, set socket options in the [global] section of smb.conf to TCP_NODELAY and then restart Samba:

 socket options = TCP_NODELAY

Restart Samba:

# /etc/init.d/samba reload

To restart Samba you have to be root or have privileges to manage Samba. In case this doesn't help and your speed is still too low (in my case it takes 20 hours to copy an 800 Mb file from a shared folder), install ethtool and switch off autonegotiation on the appropriate network adapter.

aptitude install ethtool
ethtool -s eth1 speed 100 duplex full autoneg off

In my situation it helps... I hope it will be useful for you too...

External Samba

Time

The relationship of "net time" and a real NTP server seems to be a one-time sync only anyway. However, you can have the PC really use NTP:

:: setup ntp client
:: need to be an admin - one time setup
sc stop w32time
w32tm /unregister
w32tm /register
net time /setsntp:ntpd-server
sc config w32time start= auto
sc start w32time
w32tm /resync
w32tm /stripchart /computer:ntpd-server /samples:1

You could instead use a real Policy or manually jam it into the registry:

:: setup ntp client
:: need to be an admin - one time setup
reg add HKLM\SOFTWARE\Policies\microsoft\w32time /f
reg add HKLM\SOFTWARE\Policies\microsoft\w32time\Parameters /f
reg add HKLM\SOFTWARE\Policies\microsoft\w32time\TimeProviders /f
reg add HKLM\SOFTWARE\Policies\microsoft\w32time\TimeProviders\NtpClient /f
reg add HKLM\SOFTWARE\Policies\microsoft\w32time\Parameters /v NtpServer /d ntpd-server /f
reg add HKLM\SOFTWARE\Policies\microsoft\w32time\Parameters /v Type /d NTP /f
reg add HKLM\SOFTWARE\Policies\microsoft\w32time\TimeProviders\NtpClient /v Enabled /t REG_DWORD /d 0x1 /f
reg add HKLM\SOFTWARE\Policies\microsoft\w32time\TimeProviders\NtpClient /v CrossSiteSyncFlags /t REG_DWORD /d 0x2 /f
reg add HKLM\SOFTWARE\Policies\microsoft\w32time\TimeProviders\NtpClient /v ResolvePeerBackoffMinutes /t REG_DWORD /d 0xf /f
reg add HKLM\SOFTWARE\Policies\microsoft\w32time\TimeProviders\NtpClient /v ResolvePeerBackoffMaxTimes /t REG_DWORD /d 0x7 /f
reg add HKLM\SOFTWARE\Policies\microsoft\w32time\TimeProviders\NtpClient /v SpecialPollInterval /t REG_DWORD /d 0xe10 /f
reg add HKLM\SOFTWARE\Policies\microsoft\w32time\TimeProviders\NtpClient /v EventLogFlags /t REG_DWORD /d 0x0 /f
gpupdate /target:computer /force

  • These might be useful as well:

"How to configure an authoritative time server in Windows XP:
Configuring the Windows Time service to use an external time source"
http://support.microsoft.com/kb/314054/EN-US/#EXTERNAL
or http://support.microsoft.com/kb/314054/EN-US

References

Based on:

  1. http://www.phptr.com/content/images/013188221X/downloads/013188221X_book.pdf

  2. http://www.redbooks.ibm.com/redpapers/pdfs/redp0023.pdf

  3. http://us1.samba.org/samba/docs/Samba3-HOWTO.pdf

  4. http://pserver.samba.org/samba/ftp/cifs-cvs/linux-cifs-client-guide.pdf

