
S_Serve
Here are my notes for using Samba to make a Linux box a member of a Windows NT4 domain. In the domain, the roles of Primary Domain Controller (PDC) and Backup Domain Controller (BDC) are performed by Windows NT4 Servers. The clients in the domain are all Windows XP Professional.

S_Serve plays the role of file server in the domain, is running Debian 3.1 (Sarge), and has the following specs:
  • Intel Celeron 500MHz
  • Intel i810 chipset (onboard video and audio)
  • 96MB PC100 SDRAM
  • 40GB IBM Deskstar EIDE HDD
  • Netgear FA310TX 10/100Mb PCI network card
  • Netgear GA621 (National Semiconductors 10/100/1000Mb fiber optic network card)
(written 2/4/2005)




Making Samba a Windows Domain Member Server
The name of the domain is "Robots", the PDC is named "PDC", and the BDC is "BDC".

The following are the steps that I followed after performing a basic install (no X Window System or anything) of Debian 3.1. These instructions assume the reader understands how Windows NT4 domains work, and has access to a domain account that has administrator rights. I would like to thank Brandon, who showed me how most of this stuff works.

  1. I wanted a Windows share with the name "users", which shared the /users directory. So, first I needed to become the root user, and then create the directory.

    su
    cd /
    mkdir users

  2. In my case, I wanted a separate volume mounted at /users, so I had to edit /etc/fstab so that it gets mounted automatically in the future.

    nano -w /etc/fstab

    Then I added the following line:

    /dev/hdb6 /users xfs defaults 0 0

  3. Now mount the volume

    mount /users

  4. Next, make sure the permissions on this new directory are set properly

    chmod -R 755 /users

    Note: I initially tried "chmod -R 744"; however, that doesn't work, and Windows users can't access the share. Everyone needs execute permission (on a directory, the execute bit is what allows a user to enter it), so you need to use "chmod -R 755".

  5. With that out of the way, all we have to do is configure Samba. Install the samba package:

    apt-get install samba

    You will be asked a series of questions that I answered in the following way:
    workgroup/domain = robots
    encrypted passwords = yes
    modify smb.conf to use WINS settings from DHCP? No
    run samba as a daemon or inetd? daemon
    create samba password database? No


  6. Back up the original smb.conf

    cd /etc/samba
    mv smb.conf smb.conf.original

  7. Create a new smb.conf

    nano -w smb.conf

    And add the following lines:
    #Global parameters
    [global]
    workgroup=ROBOTS
    server string =
    security = DOMAIN
    password server = pdc, bdc
    wins server = 129.22.4.10
    ldap ssl = no
    idmap uid = 10000-20000
    idmap gid = 10000-20000
    template homedir = /users/%U/
    template shell = /bin/bash
    invalid users = root
    admin users = robots\administrator, robots\system
    create mask = 0777
    directory mask = 0777
    map acl inherit = Yes
    [users]
    comment = All the stuff
    path = /users
    read only = No

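    This file defines a lot of parameters, most of which are self-explanatory. For instance, "password server = pdc, bdc" sets the PDC and BDC as the servers that can authenticate user accounts. "admin users" defines two Windows domain accounts that get mapped to root on this server, so every file operation they perform through a share runs with root privileges; keep that list as short as possible. "create mask = 0777" and "directory mask = 0777" mean that Samba strips no permission bits from the files and directories that clients create. Finally, the [users] section defines a writable share called "users", which users are allowed to access.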

  8. Now restart the samba services

    /etc/init.d/samba restart

  9. Add the samba server to the Windows domain

    net rpc join -S pdc -U administrator

    Note: Following the -S, you should enter the hostname of the PDC. Following the -U, you should enter the name of an account that has the rights to add a computer to the domain. After entering this command, you will be prompted for the password for that account. If successful, you should see a message that says something like

    Joined domain ROBOTS.

  10. Now you'll need winbind so that the authentication can be passed to the domain controllers. Install the winbind package

    apt-get install winbind

  11. Modify the nsswitch.conf so that winbind gets used by the name service switch

    nano -w /etc/nsswitch.conf

    Then append "winbind" to the first two lines (passwd and group) so that they look like the following:

    passwd: compat winbind
    group: compat winbind

  12. Now test to see whether winbind is working properly

    getent passwd

    This should return a whole bunch of accounts, including all of the Windows domain ones. Assuming that it is working properly, you should be able to use a domain account from another computer and access the "users" Windows share on this samba server.
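
The smb.conf from step 7 contains a few settings worth reviewing once the share is working. The following is an added example, not part of the original notes or of Samba itself: a small audit that flags masks that keep the world-write bit and any "admin users" entry. The function names audit_smb and sample_conf, the choice of checks, and the embedded sample (a constructed copy of the relevant step 7 lines) are assumptions of this example.

```shell
#!/bin/sh
# Added example: review an smb.conf like the one in step 7 for settings
# worth a second look. Reads a file argument, or stdin when none is given.

audit_smb() {
    awk '
        # Samba ignores case and whitespace in section and parameter names.
        function norm(s) { gsub(/[ \t]/, "", s); return tolower(s) }

        /^[ \t]*[#;]/ || /^[ \t]*$/ { next }       # comments and blank lines
        /^[ \t]*\[/ { sec = norm($0); next }       # section header, e.g. [global]
        {
            eq = index($0, "=")                    # only the first "=" counts
            if (eq == 0) next
            key = norm(substr($0, 1, eq - 1))
            val = substr($0, eq + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", val)

            # A mask whose last octal digit keeps the write bit (2, 3, 6, 7)
            # leaves "other" write permission on whatever clients create.
            if ((key == "createmask" || key == "directorymask") &&
                val ~ /^[0-7]+$/ && val ~ /[2367]$/)
                print "WARN " sec " " key "=" val ": world-write bit not masked"

            # Accounts listed here perform all file operations as root.
            if (key == "adminusers")
                print "WARN " sec " " key "=" val ": root-equivalent accounts"
        }
    ' "${1:--}"
}

# Constructed sample: the security-relevant lines of the step 7 smb.conf.
sample_conf() {
    cat <<'EOF'
#Global parameters
[global]
workgroup=ROBOTS
security = DOMAIN
invalid users = root
admin users = robots\administrator, robots\system
create mask = 0777
directory mask = 0777
[users]
path = /users
read only = No
EOF
}

sample_conf | audit_smb
```

On the real server, run it as "audit_smb /etc/samba/smb.conf"; a configuration with masks such as 0660 and 0770 and no "admin users" line produces no output.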



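That's it. Of course, users won't actually be able to write or create anything in that Windows share yet, because /users itself is owned by root with mode 755. The remaining steps give each user a directory of their own.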
  1. A script was written by Brandon to create directories and set the permissions correctly. A profile directory is created in each user's directory to hold their roaming profile contents.

    nano -w /root/userdirs

    The script has the following contents:

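    #!/bin/sh
    # Usage: /root/userdirs <username>
    # Refuse an empty name or one containing "/" or starting with ".", so the
    # recursive chown/chmod below can never reach outside /users/<username>.
    case "$1" in ""|*/*|.*) echo "usage: $0 username" >&2; exit 1 ;; esac
    mkdir "/users/$1"
    chown root "/users/$1"
    chgrp staff "/users/$1"
    chmod 755 "/users/$1"
    mkdir "/users/$1/profile"
    # Hand the whole tree to the domain user and make it private to them
    chown -R "ROBOTS\\$1:ROBOTS\\Domain Users" "/users/$1"
    chmod -R 700 "/users/$1"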

  2. Now set the permissions to be executable by root and readable to everyone else

    chmod 744 /root/userdirs

  3. To create a user's home directory, run the script followed by their username. For instance, if I wanted to create a user directory for user "tew",

    /root/userdirs tew
(written 2/4/2005)





