Hardcore Linux

Anything about Ubuntu, Centos, openSuSe and Fedora

SAMBA PDC on Centos 5.5

This guide will help you install and configure a SAMBA Windows file server that acts as a PDC using the tdbsam password backend. Although it is recommended to configure it with an LDAP authentication backend, many small offices still run this kind of setup.

Here are the details:

1. Install the Samba File Server and necessary packages.

#> yum groupinstall "Windows File Server"

2. Prepare the necessary directories needed for netlogon.

#> mkdir -p /home/samba/netlogon

3. For new users to get a directory called "profiles" in their home directory, add a folder called “profiles” to /etc/skel. For existing users, add the folder “profiles” to their home directories and change its ownership to the corresponding user.

4. Back up the existing /etc/samba/smb.conf file first before using the configuration below:

[global]
 #Server Declaration
 workgroup = MYDOMAIN
 netbios name = FILESERVER001
 server string = File Server %v

 #Security Properties
 security = user
 domain master = yes
 preferred master = yes
 local master = yes
 domain logons = yes
 wins support = yes
 os level = 65
 name resolve order = wins bcast hosts

 #Login Configurations
 logon path = \\%L\%U\profiles
 logon drive = H:
 logon home = \\%L\%U
 logon script = logon.bat

 #User Scripts
 add group script = /usr/sbin/groupadd '%g'
 delete group script = /usr/sbin/groupdel '%g'
 add user to group script = /usr/sbin/usermod -a -G '%g' '%u'
 delete user from group script = /usr/bin/gpasswd -d '%u' '%g'
 add user script = /usr/sbin/useradd -m -G users '%u'
 add machine script = /usr/sbin/useradd -s /bin/false -d /tmp '%u'
 # -r removes the home directory together with the account
 delete user script = /usr/sbin/userdel -r '%u'
 idmap uid = 1000 - 20000
 idmap gid = 1000 - 20000

 passdb backend = tdbsam:/etc/samba/passdb.tdb
 passwd program = /usr/bin/passwd '%u'
 # expect/send pairs, matched case-insensitively with * wildcards; these fit
 # the "New UNIX password:" / "Retype new UNIX password:" prompts of passwd
 passwd chat = *new*password* %n\n *retype*new*password* %n\n *updated*successfully*
 # writes the whole chat, passwords included, to the log at debug level 100;
 # set it to no once password changes work
 passwd chat debug = yes
 encrypt passwords = yes
 unix password sync = yes
 enable privileges = yes
 username map = /etc/samba/smbusers

 # Log File
 log file = /var/log/samba/%m.log
 log level = 3
 max log size = 50

 #Other Configurations
 printing = cups
 printcap name = cups
 show add printer wizard = No

#============================ Share Definitions ==============================

 # the share headers below are assumed (the conventional names); they are not
 # visible in the original post
[netlogon]
 path = /home/samba/netlogon
 # both accounts need admin rights here; a parameter repeated within a
 # section keeps only its last value
 admin users = root, Administrator
 guest ok = yes
 browsable = no
 valid users = %U
 read only = no

[profiles]
 path = /home/%U/profiles
 create mode = 0600
 directory mode = 0700
 profile acls = Yes
 read only = No

[homes]
 comment = Home Directories
 browseable = no
 writeable = yes
 valid users = %S
 # 777 leaves every new file and directory world-writable; 0600/0700 is the
 # safer choice for home directories
 create mode = 777
 directory mode = 777

[printers]
 comment = All Printers
 path = /var/spool/samba
 browseable = no
 guest ok = no
 writable = no
 printable = yes
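A configuration this size is easy to get subtly wrong, so the following added example (not code from the post or from the Samba project) parses an smb.conf the way it is written ([section] headers, key = value lines, # or ; comments), keeps duplicate keys so they can be reported, and flags the settings a reviewer would question on a file server: a parameter set twice in one share, guest access, world-writable create/directory modes and passwd chat debug left on. The sample config embedded in it is a trimmed, constructed copy of the configuration above.

```python
"""Audit an smb.conf for settings that matter on a Samba PDC.

Added example; it is not code from the post or from the Samba project.
Sections, keys and values are read the way smb.conf is written; keys are
lower-cased and whitespace-collapsed because Samba treats parameter names
case-insensitively and ignores whitespace in them.
"""
import re

# Constructed sample: a trimmed copy of the post's configuration, including
# the two 'admin users' lines of its netlogon share.
SAMPLE_SMB_CONF = """\
[global]
 workgroup = MYDOMAIN
 security = user
 domain logons = yes
 passwd chat debug = yes
 log level = 3
 unix password sync = yes
; share definitions
[netlogon]
 path = /home/samba/netlogon
 admin users = root
 guest ok = yes
 browsable = no
 read only = no
 admin users = Administrator
[homes]
 comment = Home Directories
 browseable = no
 writeable = yes
 valid users = %S
 create mode = 777
 directory mode = 777
"""


def parse_smb_conf(text):
    """Return {section: [(key, value), ...]} in file order, duplicates kept."""
    sections = {"global": []}
    current = "global"
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        header = re.match(r"^\[(.+)\]$", line)
        if header:
            current = header.group(1).strip().lower()
            sections.setdefault(current, [])
            continue
        if "=" in line:
            key, value = line.split("=", 1)
            key = re.sub(r"\s+", " ", key.strip().lower())
            sections[current].append((key, value.strip()))
    return sections


def _is_yes(value):
    return value.strip().lower() in ("yes", "true", "1")


def audit(sections):
    """Return a list of findings (strings) for a parsed config."""
    findings = []
    for name, items in sections.items():
        seen = {}
        for key, value in items:
            if key in seen and seen[key] != value:
                findings.append(f"[{name}] '{key}' set twice ('{seen[key]}', then "
                                f"'{value}'); Samba keeps only the last value")
            seen[key] = value
        if name == "global":
            continue
        # Shares: unauthenticated access and world-writable modes.
        if _is_yes(seen.get("guest ok", "no")):
            findings.append(f"[{name}] guest ok = yes: share is reachable without "
                            f"a password (path {seen.get('path', '?')})")
        for key in ("create mode", "create mask", "directory mode", "directory mask"):
            if key in seen and int(seen[key], 8) & 0o002:
                findings.append(f"[{name}] {key} = {seen[key]}: new entries are "
                                f"world-writable")
    glob = dict(sections["global"])
    if _is_yes(glob.get("passwd chat debug", "no")):
        findings.append("[global] passwd chat debug = yes: the password chat, "
                        "passwords included, is logged at debug level 100")
    return findings


if __name__ == "__main__":
    for finding in audit(parse_smb_conf(SAMPLE_SMB_CONF)):
        print(finding)
```

Run against the real file with `audit(parse_smb_conf(open("/etc/samba/smb.conf").read()))`; testparm checks syntax and defaults, but it does not point out which shares are open to guests or whose file modes are world-writable, which is what this pass adds.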

5. Modify the /etc/nsswitch.conf, your hosts line should look like this:

hosts:  files wins dns

6. Modify the /etc/samba/smbusers, the root usermap should look like this:

root = administrator Administrator admin

7. Link the SAMBA and Linux groups. As root, execute the following commands:

#>  net groupmap add ntgroup="Domain Admins" unixgroup=root rid=512 type=d 
#>  net groupmap add ntgroup="Domain Users"  unixgroup=users rid=513 type=d
#>  net groupmap add ntgroup="Domain Guests" unixgroup=nobody rid=514 type=d

After each command, the system should respond with the following message:

Successfully added group Domain ... to the mapping db as a domain group

8. To add additional groups, perform the following:

#> groupadd <linux group>
#> net groupmap add ntgroup="<windows group>" unixgroup=<linux group> type=d

Note: the rid value should be the next number after the one previously entered.

9. Add root to the samba users; this account is used for domain authentication from the Windows workstations.

#> smbpasswd -a root
#> smbpasswd -e root

10. Check your configuration and verify that you have entered the correct settings.

#> testparm

11. Restart the samba service, and also start the winbind service if it is not yet running.

#> service smb restart
#> service winbind start

12. Test the Administrator access first:

#> smbclient -L localhost -U root
   enter the root password

13. To add new users, you can use the basic commands:

#> useradd -m -G users <username>
#> passwd <username>
#> smbpasswd -a <username>

Also note that new users and groups should have IDs in the range 1000 to 20000; otherwise modify the idmap declarations in /etc/samba/smb.conf.

14. Restart the samba service again, and check whether the new user is authenticated when accessing the samba shares.

#> smbclient -L localhost -U <username>
   enter the <username>'s password

15. Configure the Windows workstations and join them to your new samba domain using the details below:

Domainname: MYDOMAIN
Administrator Account: Administrator
Password: <your root password>

16. Done.
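With unix password sync = yes, a password change from a Windows client only succeeds if the passwd chat in smb.conf matches what /usr/bin/passwd prints, so it is worth checking the chat against the real prompts before users try it. The following added example (not code from the post or from Samba) models the chat as the smb.conf manual describes it: whitespace-separated expect/send fields, double quotes to keep spaces inside a field, the escapes \n \r \t \s, a lone "." for "nothing", and a case-insensitive wildcard match ("*" any run, "?" one character) over the whole prompt buffer. The prompt transcripts are constructed from what passwd prints on CentOS 5 and on Debian when root runs passwd for a user; the two chat strings compared are one written for Debian's "Enter new UNIX password:" prompt (the form the post started with) and one that expects only the words common to both systems.

```python
"""Simulate how Samba matches the 'passwd chat' against passwd(1) output.

Added example; it is not code from the post or from Samba. It models the
chat handling of smbd: expect/send fields, quoting and escapes, and a
case-insensitive wildcard match of each expect field against the whole
buffer of prompt text received so far.
"""
import re

# Constructed transcripts, one chunk per prompt the chat has to answer.
CENTOS_PROMPTS = [
    "Changing password for user alice.\nNew UNIX password: ",
    "Retype new UNIX password: ",
    "passwd: all authentication tokens updated successfully.\n",
]
DEBIAN_PROMPTS = [
    "Enter new UNIX password: ",
    "Retype new UNIX password: ",
    "passwd: password updated successfully\n",
]

# Chat written for the Debian prompt text (the form the post started with).
DEBIAN_STYLE_CHAT = ('"*Enter\\snew\\sUnix\\spassword:*" %n\\n '
                     '"*retype\\snew\\sUnix\\spassword:" %n\\n. "*updated successfuly*"')
# Chat that fits both prompt sets: only words common to both are expected.
PORTABLE_CHAT = "*new*password* %n\\n *retype*new*password* %n\\n *updated*successfully*"


def chat_fields(chat):
    """Split a passwd chat string into fields, honouring quotes and escapes."""
    fields = []
    for quoted, bare in re.findall(r'"([^"]*)"|(\S+)', chat):
        field = quoted or bare
        for esc, char in (("\\n", "\n"), ("\\r", "\r"), ("\\t", "\t"), ("\\s", " ")):
            field = field.replace(esc, char)
        fields.append(field)
    return fields


def wild_match(pattern, buffer):
    """Lower-case both sides and match the whole buffer, as smbd does."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c)
                    for c in pattern.lower())
    return re.fullmatch(regex, buffer.lower(), re.DOTALL) is not None


def run_chat(chat, prompts, password="s3cret"):
    """Walk the expect/send fields against a prompt transcript.

    Returns (ok, failed_expect, sent): failed_expect is the 0-based index
    of the first expect field that did not match (None on success); sent
    lists what would have been written to passwd, with %n expanded.
    """
    fields = chat_fields(chat)
    expects, sends = fields[0::2], fields[1::2]
    sent = []
    for i, expected in enumerate(expects):
        if i >= len(prompts) or (expected != "." and not wild_match(expected, prompts[i])):
            return False, i, sent
        if i < len(sends) and sends[i] != ".":
            sent.append(sends[i].replace("%n", password))
    return True, None, sent


if __name__ == "__main__":
    for label, chat in (("debian-style", DEBIAN_STYLE_CHAT), ("portable", PORTABLE_CHAT)):
        print(label, "on CentOS:", run_chat(chat, CENTOS_PROMPTS)[:2])
        print(label, "on Debian:", run_chat(chat, DEBIAN_PROMPTS)[:2])
```

The Debian-style chat fails at the very first prompt on CentOS, because "Enter" never appears there, and it fails at the second prompt even on Debian, because its second expect field has no trailing "*" and so cannot cover the space that follows the colon. Passwd chat debug = yes in smb.conf gives the same information from the real exchange, at the cost of writing the passwords to the log.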


3 responses to “SAMBA PDC on Centos 5.5”

  1. Pol April 25, 2011 at 2:00 pm

    wow.. finally I found a howto that works! If I could, I'd buy you a drink, thanks!!!

    samba as a controller is all new to me, so I ask you: the fact that from a Windows machine joined to the domain I get an error when creating a new user:

    “Cannot add user MYDOMAIN\test10 because user MYDOMAIN\test10 does not exist”

    does it mean I necessarily have to add users from the samba server and cannot do it from the OS joined to the domain?


    PS: one last thing 🙂 how do I set the various restriction profiles?

    For example: how can I prevent the user from disabling the antivirus? Even with “restricted user” set, the user can disable the antivirus 😦

    thanks a lot 🙂


  2. Puran Prajapati June 26, 2012 at 10:16 pm

    Nice post .. thanks.. everything is working fine but there is a problem in changing passwords.. when a user goes to change their password it gives me the error “You do not have permission to change your password”


    Puran Prajapati
