This doc describes how to install Samba as a Windows domain controller. For more information about Samba itself, see SettingUpSamba.

Here I will describe how to make a Windows domain controller with Samba and an Ubuntu Server 6.06. I actually use Samba on my home network with 7 computers and around 4 Windows computers, to be able to log on to each of them with the same login information and to have the network drives and printers mounted automatically. I won't describe how to install an LDAP server, because I don't use one for such a small domain; instead I just use the standard Samba login database and the Unix accounts. This doc covers: Samba installation, network shares, printer shares and domain login.

Samba is available in Main, so sudo aptitude install samba will install it. It includes two daemons, smbd and nmbd, and an init script that loads Samba when your server starts (/etc/init.d/samba); the configuration files are located in /etc/samba/.

Same way as Samba: sudo aptitude install cupsys will install it. You may also need to install some extra packages to have all the printer drivers you need.

As the default /etc/samba/smb.conf file wasn't written for domain logons, I wrote my own from scratch. Here is my smb.conf file with explanations of what I put and why. Note that smb.conf only treats a line that starts with # or ; as a comment, so each explanation sits on its own line above the setting it describes.

Global part (the server settings part)
    [global]
        # Your domain name
        workgroup = LAN
        # The server description (as Windows calls it)
        server string = Server
        # The server name
        netbios name = server
        # Turn it to yes if your server will also be a WINS server (a server that converts NetBIOS names to IPs)
        wins support = yes
        # Whether your server should also act as a DNS proxy; not useful here
        dns proxy = no
        # I like to have everything in the same log file (not the default behaviour)
        log file = /var/log/samba.log
        # The level of detail you want in your logs (increase it if you need more information)
        log level = 1
        # The maximum size of the log file, in kilobytes
        max log size = 1000
        # Whether to also write to the syslog
        syslog = 0
        # Users or groups that have all rights on the server (they also create files as root on the shares)
        admin users = root
        # In a domain environment it's better to have user-based security
        security = user
        # The guest account
        guest account = nobody
        # Whether passwords are encrypted (needed with Unix password synchronization)
        encrypt passwords = true
        # The password backend (as I don't use LDAP, it's the default Samba one)
        passdb backend = tdbsam
        obey pam restrictions = yes
        # If you have to reject some users; if you want the printer share to work, do not deny root
        invalid users =
        # Synchronize passwords between Samba and Unix
        unix password sync = yes
        # The command used to change the passwords, and the dialogue Samba expects from it
        passwd program = /usr/bin/passwd %u
        passwd chat = *Enter\snew\sUNIX\spassword:* %n\n *Retype\snew\sUNIX\spassword:* %n\n *password\supdated\ssuccessfully* .
        # Logins with an invalid password are treated as guest logins (mapped to the guest account above)
        map to guest = Bad Password
        # Increase it if you have password problems with some old Windows (95, 98, NT)
        password level = 0
        # The commands used to create/delete users, or add/remove them from groups; you can customize them to use your own Unix groups
        add user script = /usr/sbin/useradd -m '%u' -g smbusers -G smbusers
        delete user script = /usr/sbin/userdel -r '%u'
        add group script = /usr/sbin/groupadd '%g'
        delete group script = /usr/sbin/groupdel '%g'
        add user to group script = /usr/sbin/usermod -G '%g' '%u'
        add machine script = /usr/sbin/useradd -s /bin/false -d /var/lib/nobody '%u' -g machines
        # You can have server-stored Windows profiles (C:\Documents and Settings\xxxx), but be careful: that can take a lot of space on the server and you need a really fast network. If you don't want them, you have to force these two values to empty (= )
        logon path =
        logon home =
        # Your server will be able to check logins and make domain logons
        domain logons = Yes
        os level = 64
        # Your server will be the preferred domain master
        preferred master = Yes
        # Your server is a domain master
        domain master = Yes
        # The script launched when someone logs on to a computer joined to your domain: a BATCH (DOS) file or a Visual Basic script
        logon script = script.bat
        # Your printing server's list of printers
        printcap name = cups
        # Your printing server
        printing = cups
        # Your Samba server will act as a printing server
        load printers = yes
        # Increase speed (?)
        socket options = TCP_NODELAY
        # Your server will be a time server (net time \\yourserver /SET /Y)
        time server = yes
Network shares part
    # The share that contains the printer drivers
    [print$]
        comment = drivers
        path = /var/lib/samba/printers/
        browseable = yes
        guest ok = no
        read only = yes
        # A Unix group that will have admin rights on the printers (you can also specify a user; @ means it's a group)
        write list = @admin

    # The share used by Windows to access your printers
    [printers]
        comment = Printers
        browseable = no
        path = /var/spool/samba
        printable = yes
        public = no
        writable = no
        guest ok = no
        printer admin = @admin

    # The share that contains the logon scripts
    [netlogon]
        path = /data/netlogon
        public = no
        writeable = no
        browsable = no
        # The users allowed to read them (all users allowed to log on to the domain)
        valid users = @smbusers
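Several settings in the two blocks above decide who can read, write or act as root on the server (admin users, map to guest, the guest and write settings of each share), so before copying a configuration it is worth having a script read it back. The following shell script is an added example written for this page; it is not part of the original and not a Samba tool. It parses an smb.conf with awk and reports the settings a reviewer looks at twice: share-level security, guest mapping, plaintext passwords, admin users, and shares that are both guest-accessible and writable. The configuration embedded in it is constructed for the self-check and is not the file above.

```shell
#!/bin/sh
# Added example (not from the page or from Samba): flag smb.conf settings that
# widen access.  Usage: audit_smb_conf /etc/samba/smb.conf
# Prints one finding per line; exit status 0 when nothing was flagged, 1 otherwise.

# Constructed sample for the self-check (not the page's own configuration).
sample_smb_conf() {
    cat <<'EOF'
[global]
   workgroup = LAN
   security = user
   encrypt passwords = true
   map to guest = Bad Password
   admin users = root
   guest account = nobody
[public]
   path = /data/public
   guest ok = yes
   writable = yes
[print$]
   path = /var/lib/samba/printers
   read only = yes
   write list = @admin
[netlogon]
   path = /data/netlogon
   writeable = no
   valid users = @smbusers
EOF
}

audit_smb_conf() {   # $1 = path to smb.conf
    findings=$(awk '
    # Skip comment lines; track the current [section] in order of appearance.
    /^[ \t]*[#;]/ { next }
    /^[ \t]*\[/ {
        s = $0; sub(/^[ \t]*\[/, "", s); sub(/\].*$/, "", s)
        sec = s; order[++n] = sec; next
    }
    index($0, "=") > 0 {
        # "key = value": keys are case-insensitive, values compared lower-cased.
        key = $0; sub(/=.*/, "", key); gsub(/^[ \t]+|[ \t]+$/, "", key); key = tolower(key)
        val = $0; sub(/^[^=]*=/, "", val); gsub(/^[ \t]+|[ \t]+$/, "", val); lval = tolower(val)
        if (sec == "global") {
            if (key == "security" && lval == "share")
                print "global: security = share (share-level security, no per-user accounts)"
            if (key == "map to guest" && lval != "never")
                print "global: map to guest = " val " (failed logins fall through to the guest account)"
            if (key == "encrypt passwords" && (lval == "no" || lval == "false"))
                print "global: encrypt passwords = " val " (plaintext password exchange)"
            if (key == "admin users" && val != "")
                print "global: admin users = " val " (these accounts act as root on every share)"
        } else {
            # Per-share flags, evaluated together once the whole file is read.
            if ((key == "guest ok" || key == "public") && (lval == "yes" || lval == "true")) guest[sec] = 1
            if ((key == "writable" || key == "writeable") && (lval == "yes" || lval == "true")) wr[sec] = 1
            if (key == "read only" && (lval == "no" || lval == "false")) wr[sec] = 1
        }
    }
    END {
        for (i = 1; i <= n; i++) {
            s = order[i]
            if (s in guest && s in wr) print s ": guest ok + writable (anonymous users can write here)"
            else if (s in guest)       print s ": guest ok = yes (anonymous read access)"
        }
    }' "$1")
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}

# Self-check on the constructed sample when run directly with no argument.
if [ -n "${1:-}" ]; then
    audit_smb_conf "$1"
else
    tmp=$(mktemp) && sample_smb_conf > "$tmp" && audit_smb_conf "$tmp"
    rm -f "$tmp"
fi
```

Run it against the sample and it flags the guest mapping, the root admin user and the writable guest share, while [print$] (read only, write list restricted) and [netlogon] (no guest access, not writable) stay quiet; on the real file, anything it prints is a deliberate choice you should be able to explain.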
Now you need to create /var/spool/samba, /var/lib/samba/printers and /data/netlogon (or other names, as long as you also change them in smb.conf). Be careful with the file permissions on these directories.

Now you can write your Windows logon script. Here is mine:
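To make "be careful with the file permissions" concrete, here is an added shell script (written for this page, not part of the original) that creates the three directories with modes that match what each share does, then verifies them by reading back the permission string from ls. It assumes the group named in the write list of [print$] is called admin (override with DRIVER_GROUP) and offers a ROOT prefix so you can rehearse it in a scratch directory before running it as root on the server.

```shell
#!/bin/sh
# Added example (not part of the original page): create the directories the
# shares point at, with permissions matching each share's purpose, and verify.
# ROOT is a rehearsal prefix (e.g. a scratch directory); leave it empty on the
# real server.  DRIVER_GROUP is the group named in "write list" of [print$]
# (assumption: "admin", as in the configuration above).
ROOT="${ROOT:-}"
DRIVER_GROUP="${DRIVER_GROUP:-admin}"

create_samba_dirs() {
    # Spool directory for [printers]: every printing user drops a job file here,
    # so it is world-writable with the sticky bit (1777), like /tmp: anyone can
    # create files, only the owner can remove them.
    mkdir -p "$ROOT/var/spool/samba" && chmod 1777 "$ROOT/var/spool/samba" || return 1

    # Driver store for [print$]: clients download drivers (world-readable), only
    # the write-list group uploads them (group-writable, setgid so new files
    # inherit the group).
    mkdir -p "$ROOT/var/lib/samba/printers" && chmod 2775 "$ROOT/var/lib/samba/printers" || return 1
    chgrp "$DRIVER_GROUP" "$ROOT/var/lib/samba/printers" 2>/dev/null ||
        echo "note: group $DRIVER_GROUP does not exist here; create it before relying on the write list" >&2

    # Logon scripts for [netlogon]: clients only read them.  Keep it root-owned
    # and not writable by domain users, since whatever is in script.bat runs on
    # every client at logon.
    mkdir -p "$ROOT/data/netlogon" && chmod 0755 "$ROOT/data/netlogon" || return 1
}

# Compare the permission string ls prints (portable, unlike stat's format flags).
check_perm() {   # $1 = path, $2 = expected "ls -ld" permission string
    actual=$(ls -ld "$1" | cut -c1-10)
    [ "$actual" = "$2" ] && return 0
    echo "$1: expected $2, found $actual" >&2
    return 1
}

verify_samba_dirs() {
    check_perm "$ROOT/var/spool/samba"        drwxrwxrwt &&
    check_perm "$ROOT/var/lib/samba/printers" drwxrwsr-x &&
    check_perm "$ROOT/data/netlogon"          drwxr-xr-x
}

# Run with "apply" to create and verify; otherwise only the functions are defined.
if [ "${1:-}" = "apply" ]; then
    create_samba_dirs && verify_samba_dirs && echo "directories ready under ${ROOT:-/}"
fi
```

Rehearse with `ROOT=$(mktemp -d) sh setup-dirs.sh apply`, then run `sudo sh setup-dirs.sh apply` on the server. The verify step is the part worth keeping: a package upgrade or a hasty chmod -R that leaves the spool directory 777 without the sticky bit, or netlogon group-writable, is exactly what this catches.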
    @echo off
    REM Mounting network drives
    net use X: /DELETE
    net use X: %LOGONSERVER%\public
    net use Y: /DELETE
    net use Y: %LOGONSERVER%\download
    net use Z: /DELETE
    net use Z: %LOGONSERVER%\users\%USERNAME%
    REM Synchronizing clocks
    net time %LOGONSERVER% /SET /Y
    REM Mounting printers
    %LOGONSERVER%\netlogon\printer.vbs
    REM Deactivating firewall
    netsh firewall set opmode disable
    REM Kill some annoying software
    taskkill /IM qttask.exe

It mounts three network drives, synchronizes the time with the server, calls a VBS script to mount a printer, disables the Windows firewall (useless on a LAN behind a router that acts as a firewall) and finally kills some annoying software like qttask (it came back all the time and is useless, at least for me). %LOGONSERVER% is the network path to the logon server (\\server for me). %USERNAME% is the username used to open the session.

My printer.vbs file:

    Set net = CreateObject("WScript.Network")
    net.AddWindowsPrinterConnection "\\server\laser"
Your samba configuration should now be good.
Ubuntu's cups package ships with web interface login turned off, so you can't configure your printers with it, which is quite annoying on a server where you don't have the gnome-cups-manager GUI. To turn it on (replace yourself with your own login):

    adduser yourself lpadmin
    adduser cupsys shadow

This allows CUPS to read your /etc/shadow file and so check whether the login information is correct. The next problem is that CUPS only allows logins on the web interface from localhost; as you don't have a desktop environment and therefore no graphical browser (who wants to set up CUPS through the web interface with lynx?), you need to allow logins from other computers. Edit /etc/cups/cupsd.conf (e.g. sudo nano /etc/cups/cupsd.conf) and put "Allow all" in the /, /admin and /admin/conf Location sections. Also add "DefaultEncryption IfRequested" at the end of the file, to prevent the CUPS web admin from redirecting you to an HTTPS server that isn't started. You can now restart the CUPS daemon with: /etc/init.d/cups restart. You are now able to work through the CUPS web interface at http://the-server-ip:631
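"Allow all" on /admin and /admin/conf admits every address that can reach port 631, which is more than a home LAN behind a router needs. Below is an added example (written for this page; neither fragment is copied from a real cupsd.conf and neither is part of the original): the configuration as the text describes it beside a narrower variant that admits the server itself and the LAN only, plus a small check that lists which Location blocks are open to every host. It assumes the LAN is 172.16.0.0/24 with the server at 172.16.0.3, the example address used later on this page.

```shell
#!/bin/sh
# Added example (not from the original page): the "Allow all" edit described
# above beside a narrower variant, and a check listing which Location blocks
# admit every host.  Assumptions: LAN 172.16.0.0/24, server 172.16.0.3 (the
# example address used on this page); both fragments are constructed.

# What the text describes: /, /admin and /admin/conf open to any address
# that can reach port 631.
weak_cups_conf() {
    cat <<'EOF'
DefaultEncryption IfRequested
<Location />
  Order allow,deny
  Allow all
</Location>
<Location /admin>
  AuthType Basic
  Require user @SYSTEM
  Order allow,deny
  Allow all
</Location>
<Location /admin/conf>
  AuthType Basic
  Require user @SYSTEM
  Order allow,deny
  Allow all
</Location>
EOF
}

# Narrower: printing from the LAN, administration from the server and the LAN
# only.  If cupsd.conf only listens on localhost, a Listen on the LAN address
# is needed as well, or nothing outside the server reaches the interface.
hardened_cups_conf() {
    cat <<'EOF'
DefaultEncryption IfRequested
Listen localhost:631
Listen 172.16.0.3:631
<Location />
  Order allow,deny
  Allow localhost
  Allow 172.16.0.0/24
</Location>
<Location /admin>
  AuthType Basic
  Require user @SYSTEM
  Order allow,deny
  Allow localhost
  Allow 172.16.0.0/24
</Location>
<Location /admin/conf>
  AuthType Basic
  Require user @SYSTEM
  Order allow,deny
  Allow localhost
  Allow 172.16.0.0/24
</Location>
EOF
}

# Print one line per Location block whose Allow admits every host
# ("Allow all" or the older "Allow from all"); nothing printed means none does.
open_locations() {   # $1 = path to a cupsd.conf
    awk '
    /^[ \t]*#/ { next }
    /^[ \t]*<Location[ \t]/ { loc = $2; sub(/>.*$/, "", loc); next }
    /^[ \t]*<\/Location>/   { loc = ""; next }
    loc != "" && tolower($1) == "allow" {
        arg = tolower($2)
        if (arg == "from") arg = tolower($3)
        if (arg == "all") print loc ": Allow all (any host that can reach port 631)"
    }' "$1"
}

# Usage on the server: open_locations /etc/cups/cupsd.conf
```

The web interface still asks for a password on /admin either way (that is what the lpadmin and shadow group changes are for); the Allow lines only decide who gets as far as the password prompt, and with DefaultEncryption IfRequested that prompt travels over plain HTTP, which is one more reason to keep it to the LAN.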
Now, just add your printers and check if they work.
Now you can start (or restart) both the Samba and CUPS daemons (use restart instead of start if they are already running):

    sudo /etc/init.d/samba start
    sudo /etc/init.d/cups start

Both should return [ OK ]; if that's not the case, check the log files.

Before being able to join a Windows station to your domain, you need to set up some Windows<->Linux group relations. For that, use the "net groupmap" command:

    # Show the list of current Windows groups and their Linux equivalents
    net groupmap list
    # Add a group mapping
    net groupmap add
    # Change a group mapping
    net groupmap modify

The needed group mappings are:

    net groupmap add ntgroup="Domain Admins" unixgroup="your-unix-group"
    net groupmap add ntgroup="Domain Users" unixgroup="your-unix-group"

Add your Unix users to the right groups, then add them to Samba with: smbpasswd -a username
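A check worth running before you start joining clients, as an added example that is not part of the original page or of Samba: read the output of net groupmap list, which Samba 3 prints one mapping per line as "NT name (SID) -> unix group" (the verbose listing differs), and confirm that both required mappings exist. The listing embedded below for the self-check is constructed, SIDs included, and domadm is an assumed group name; it deliberately lacks the Domain Users mapping so the check has something to report.

```shell
#!/bin/sh
# Added example (not from the page or from Samba): confirm the required group
# mappings exist by parsing "net groupmap list" output.
# Format assumed (Samba 3, non-verbose):  NT name (SID) -> unixgroup

# Constructed listing for the self-check; SIDs are made up, "domadm" is an
# assumed group name, and "Domain Users" is intentionally missing.
sample_groupmap_list() {
    cat <<'EOF'
Domain Admins (S-1-5-21-1111111111-2222222222-3333333333-512) -> domadm
Domain Guests (S-1-5-21-1111111111-2222222222-3333333333-514) -> nogroup
EOF
}

# Print the Unix group mapped to an NT group name; prints nothing if unmapped.
mapped_unix_group() {   # $1 = listing file, $2 = NT group name
    awk -v want="$2" '
    {
        p = index($0, " (")
        if (p == 0) next
        if (substr($0, 1, p - 1) != want) next
        q = index($0, ") -> ")
        if (q == 0) next
        print substr($0, q + 5)
        exit
    }' "$1"
}

# Report each required mapping as ok or missing; returns 1 if any is missing.
check_required_mappings() {   # $1 = listing file
    missing=0
    for nt in "Domain Admins" "Domain Users"; do
        g=$(mapped_unix_group "$1" "$nt")
        if [ -z "$g" ]; then
            echo "missing: $nt (add it with: net groupmap add ntgroup=\"$nt\" unixgroup=<your-unix-group>)"
            missing=1
        else
            echo "ok: $nt -> $g"
        fi
    done
    return $missing
}

# Live use on the server (needs root and Samba's net command):
#   net groupmap list > /tmp/groupmap.txt && check_required_mappings /tmp/groupmap.txt
```

Run against the constructed listing it reports Domain Admins as mapped to domadm and Domain Users as missing, and exits non-zero; on the server, feed it the real listing and fix whatever it names before the first client join, since a client that joins without a Domain Users mapping gives you confusing logon failures later rather than a clear error now.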
Join the domain
As I have a French Windows here, the names and options may be called differently on your own Windows. To add a Windows client to your domain, log on to a local Administrator session and go to the System Properties (Windows+Pause shortcut), then go to the Computer Name tab (or something like this) and click the Modify (Edit?) button, change your computer name (if you want), tick the Domain radio button and enter your domain name in the text box. Validate with OK, and you should get a window asking for a Domain Administrator account: enter your Samba root login/password and validate. You should see a "Welcome to domain xyz" box.
Then reboot and you should be able to log on your domain.
I didn't try to add a Linux client to the domain, so I will only explain how to access the network drives and mount a CUPS network printer. To access your server's network shares, simply point Nautilus (or Konqueror) to smb://your-server-ip. To have your CUPS printers available on your Linux computer, add a new printer, choose Network Printer and the CUPS IPP type, and use a URI like http://server-ip:631/printers/cups-printer-name (e.g. http://172.16.0.3:631/printers/laser).

That's all. I hope this doc helped you set up your Samba domain server; if you have more questions, you can find me on IRC (irc.freenode.net) as "stgraber". This doc isn't complete: if someone can, for example, add some screenshots of an English Windows, and also explain correctly how to add the printer drivers to Samba (I did it, but I can't remember exactly how), feel free to edit this page (that's the goal of a wiki).