Pick a Free OS

Samba NT Domain Controller


# The domain you want to be a PDC for

workgroup = SIMPLE



# Tell Samba to use domain logons

domain logons = yes



# User-level security. Users must 

# authenticate themselves with

# valid username and password

security = user



# Set to yes so that nmbd participates 

# in local master browser

# elections

local master = yes 



# Set Os level value to make sure nmbd 

# wins local browse master 

# elections. 65 should beat everyone 

# according to the man page

os level = 65



# Give nmbd an advantage in local 

# master browser elections

preferred master = yes



# Set so that nmbd claims a unique 

# NetBIOS name identifying it as 

# a domain master

domain master = yes



# The following share is required to support

# domain logons. The directory may be 

# created anywhere on your system. Make 

# sure the share is non-writeable and also

# not a public share.

[netlogon]

comment = The domain logon service

path = /usr/local/samba/netlogon

public = no

writeable = no

The next thing to do is create the users on the Samba server that is to act as the domain controller. You can do this using the useradd command.

useradd –-g smbuser –-d /dev/null –-s /dev/null ntuser

As you can see, both shell and home directory for ntuser is set to /dev/null. If your Windows users are not required to access the Unix box, you should use the above to deny access to the machine. Passwords are also not required to be set because Samba keeps the password hash in a separate file specified in the configuration file.


# Path to Samba password file

# Make sure only root has read/write access

smb passwd file = /usr/local/samba/smbpasswd

After adding a user (you can also use vipw to add a user), you need to add the user to the samba password database.

“smbpasswd –a” will add all users in Unix passwd file to smbpasswd file. The usage and syntax is similar to the Unix passwd command. To change a users’ password use “smbpasswd username”.

That will be enough for Samba to start authenticating Windows 9X clients. For NT workstations, some more work is to be done. You have to create a machine account for each NT client that will logon. A machine account is simply a regular /etc/passwd entry, with a “$” appended to the name of the NT machine.

useradd –-g smbuser -–d /dev/null -–s /dev/null ntclient$

Now add it to the password database

smbpasswd –a –m ntclient (the $ at the end is not required)

Samba can now accept logons from a NT client.