NOTE: This is an older article, so the information provided may no longer be accurate.

Wills Notebook: Bare-bones Linux Domain Controller with Samba

Yet another 'quick and dirty' article, this time on how to configure a computer running Arch Linux to be a domain controller for Windows XP Pro, Vista Business and Windows 7 Pro clients. Thanks to God, first and foremost and also to Steve Lacey's blog post about the same subject. (Yes, I just now noticed he's a Google employee, no, I still don't like Google)

Because this setup is for a small company or home server, I don't have a whole lot bells and whistles enabled, and I urge you to further your research on the subject to fill in any gaps I've left.

God loves geeks too!
Why Jesus?

All commands are to be executed as the root user unless otherwise noted. nano will be used for all editing in this article.

In this article, I will refer to our example domain as DOMAIN01 and our example server name as SERVERDC. It is a good idea to use a static IP address on your domain controller, but it will work with DHCP also. If you're trying this out in a virtual machine, be sure to use bridged networking as things work badly with NAT connections.

Installation
Install samba:

pacman -Syu
pacman -S samba

Configuration
Open /etc/rc.conf and add samba to the DAEMONS list:

nano /etc/rc.conf

DAEMONS=(... samba)

Save and exit the file.
- - -
Open your editor and save the following as /etc/samba/smb.conf:

nano /etc/samba/smb.conf
### BEGINNING OF SAMBA CONFIGURATION ###
[global]
  # 'workgroup' will be your domain name
  workgroup = DOMAIN01
  # 'netbios name' will be this server's name on the network
  netbios name = SERVERDC

  os level = 64
  preferred master = Yes
  domain master = Yes
  socket options = TCP_NODELAY
  passdb backend = tdbsam
  printcap name = cups

  add user script = /usr/sbin/useradd -m %u
  delete user script = /usr/sbin/userdel -r %u
  add group script = /usr/sbin/groupadd %g
  delete group script = /usr/sbin/groupdel %g
  add user to group script = /usr/sbin/groupmod -A %u %g
  delete user from group script = /usr/sbin/groupmod -R %u %g
  add machine script = /usr/sbin/useradd -s /bin/false -d /var/lib/nobody %u

  # Note: The following specifies the default logon script.
  # Per user logon scripts can be specified in the user account using pdbedit
  #logon script = scripts\logon.bat

  # This sets the default profile path. Set per user paths with pdbedit
  domain logons = Yes
  logon path = \\%L\profiles\%U
  logon drive = H:
  logon home = \\%L\home\%U

[homes]
  comment = Home Directories
  valid users = %S
  read only = No
  browseable = No

[netlogon]
  comment = Network Logon Service
  path = /home/samba/netlogon
  admin users = root
  guest ok = No
  browseable = No

[Profiles]
  comment = Roaming Profile Share
  path = /home/samba/profiles
  read only = No
  profile acls = Yes

- - -
Create and set permissions for Samba domain controller directories:

mkdir -p /home/samba/profiles
mkdir /home/samba/netlogon
chown -R nobody:users /home/samba
chmod -R 777 /home/samba

- - -
Restart Samba:

/etc/rc.d/samba restart

- - -
Set root's Samba password:

smbpasswd -a root

- - -
Reboot the computer:

reboot

- - -
Adding standard users to the Samba domain controller
Create a standard user of XP Pro, Vista Business or Win 7 Pro so they can join the DOMAIN01 domain and log into the SERVERDC server.

In this example, we'll add 'will' as a standard user. First we create the profiles directory for 'will', next we create 'will' as a new Linux user, adding 'will' to the 'users' group, then we set the Samba password for 'will':

mkdir -p /home/samba/profiles/will
useradd -g users -d /home/will -s /bin/bash -c "Will Brokenbourgh" will
smbpasswd -a will

- - -
Important note about Windows Vista, 7 and (probably) 8
A registry key change is necessary in Vista, 7 and probably beyond to allow those machines to join a Samba domain.

Enter the text below into a plain text file in Windows and save with the .reg extension. Then double-click the file to merge the information into the registry (or just find the exact key and change it manually):

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManWorkstation\Parameters]
"DNSNameResolutionRequired"=dword:00000000
"DomainCompatibilityMode"=dword:00000001

Be sure to reboot the Windows computer after merging the information into the registry.

- - -
"I get an error message when trying to join the domain from the Windows computer"
Most of the time, if you get an error message when trying to join a Samba domain:
  • The username or password you're trying to use is wrong or mis-typed
  • If you previously joined the same domain or another domain, you'll need to leave the domain by joining/creating a workgroup, rebooting, then trying to join the Samba domain again on the Windows client computer
  • You need to use the 'root' user when prompted for a user who has authority to join the computer to a domain
  • The Samba daemon is not running because it wasn't added to the DAEMONS list in the /etc/rc.conf file, or there was a configuration problem in /etc/samba/smb.conf and Samba couldn't start. Be sure to run testparm as root to check the Samba configuration

- - -
"I have Windows XP Home or Windows 7 Home Premium but can't figure out how to join a domain!"
You cannot join a domain with Windows XP Home or Windows 7 Home Premium. You must upgrade to Windows XP Professional or Windows 7 Professional in order to join a domain.

- - -
Update 1: Reformatted the smb.conf contents slightly, added the socket options = TCP_NODELAY line, changed the os level value and added the info about XP Home/Win 7 Home

 

Post A Comment

Your name:

Your e-mail address: (Will not be seen or used by anyone else but me)

To help cut down on spam, what do you get when you add two and four?:

Please type your message below: (Please limit message to less than 1,000 characters)

 

My Story   |   Business site   |   TGIF2   |   JWM   |   Openbox   |   Autism