BrainOut!
The mumblings of a Christian autistic husband, dad, IT guy and amateur radio operator - Will Brokenbourgh / AF7EC
Wills Notebook: Bare-bones Linux Domain Controller with Samba
Yet another 'quick and dirty' article, this time on how to configure a computer running Arch Linux to be a domain controller for Windows XP Pro, Vista Business and Windows 7 Pro clients. Thanks to God, first and foremost and also to Steve Lacey's blog post about the same subject. (Yes, I just now noticed he's a Google employee, no, I still don't like Google)
Because this setup is for a small company or home server, I don't have a whole lot of bells and whistles enabled, and I urge you to further your research on the subject to fill in any gaps I've left.
All commands are to be executed as the root user unless otherwise noted. nano will be used for all editing in this article.
In this article, I will refer to our example domain as DOMAIN01 and our example server name as SERVERDC. It is a good idea to use a static IP address on your domain controller, but it will work with DHCP also. If you're trying this out in a virtual machine, be sure to use bridged networking as things work badly with NAT connections.
Installation
Install samba:
pacman -Syu
pacman -S samba
Configuration
Open /etc/rc.conf and add samba to the DAEMONS list:
nano /etc/rc.conf
DAEMONS=(... samba)
Save and exit the file.
- - -
Open your editor and save the following as /etc/samba/smb.conf:
nano /etc/samba/smb.conf
### BEGINNING OF SAMBA CONFIGURATION ###

[global]
  # 'workgroup' will be your domain name
  workgroup = DOMAIN01
  # 'netbios name' will be this server's name on the network
  netbios name = SERVERDC
  os level = 64
  preferred master = Yes
  domain master = Yes
  socket options = TCP_NODELAY
  passdb backend = tdbsam
  printcap name = cups
  add user script = /usr/sbin/useradd -m %u
  delete user script = /usr/sbin/userdel -r %u
  add group script = /usr/sbin/groupadd %g
  delete group script = /usr/sbin/groupdel %g
  # shadow's groupmod has no -A/-R membership options; gpasswd adds and removes members
  add user to group script = /usr/bin/gpasswd -a %u %g
  delete user from group script = /usr/bin/gpasswd -d %u %g
  add machine script = /usr/sbin/useradd -s /bin/false -d /var/lib/nobody %u
  # Note: The following specifies the default logon script.
  # Per user logon scripts can be specified in the user account using pdbedit
  #logon script = scripts\logon.bat
  # This sets the default profile path. Set per user paths with pdbedit
  domain logons = Yes
  logon path = \\%L\profiles\%U
  logon drive = H:
  logon home = \\%L\home\%U

[homes]
  comment = Home Directories
  valid users = %S
  read only = No
  browseable = No

[netlogon]
  comment = Network Logon Service
  path = /home/samba/netlogon
  admin users = root
  guest ok = No
  browseable = No

[Profiles]
  comment = Roaming Profile Share
  path = /home/samba/profiles
  read only = No
  profile acls = Yes
- - -
Create and set permissions for Samba domain controller directories:
mkdir -p /home/samba/profiles
mkdir /home/samba/netlogon
chown -R nobody:users /home/samba
chmod -R 777 /home/samba
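The chmod -R 777 above leaves everything under /home/samba at that point, the netlogon and profiles directories included, writable by any account. The following is an added example, not part of the original article: a shell check that lists such paths, plus one tighter set of modes. The function names and the chosen modes are assumptions (sticky, world-writable profiles root so clients can still create profile folders; per-user folders private to their owner; netlogon writable only by its owner).

```shell
#!/bin/sh
# Added example (not from the original article).

# audit_samba_tree DIR
# Prints one finding per line; returns 1 if anything was found, 0 otherwise.
audit_samba_tree() {
    root=$1
    findings=$(
        # Directories anyone may write to, without the sticky bit:
        # any user can delete or replace other users' files in them.
        find "$root" -type d -perm -0002 ! -perm -1000 |
            sed 's/^/world-writable dir, no sticky bit: /'
        # Regular files anyone may modify (logon scripts, profile data).
        find "$root" -type f -perm -0002 |
            sed 's/^/world-writable file: /'
    )
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}

# tighten_samba_tree DIR
# Applies the assumed tighter modes. Ownership is not changed here:
# each per-user profile folder must already belong to its user.
tighten_samba_tree() {
    root=$1
    chmod 755 "$root"
    # netlogon: readable by all, writable only by the owner
    find "$root/netlogon" -type d -exec chmod 755 {} +
    find "$root/netlogon" -type f -exec chmod 644 {} +
    # profiles root: users may create their own folder, not remove others'
    chmod 1777 "$root/profiles"
    # per-user folders and their contents: owner only
    find "$root/profiles" -mindepth 1 -maxdepth 1 -type d -exec chmod 700 {} +
    find "$root/profiles" -mindepth 2 -exec chmod go-rwx {} +
}
```

Run `audit_samba_tree /home/samba` as root after any permission change; an empty result with exit status 0 means no loose paths remain.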
- - -
Restart Samba:
/etc/rc.d/samba restart
- - -
Set root's Samba password:
smbpasswd -a root
- - -
Reboot the computer:
reboot
- - -
Adding standard users to the Samba domain controller
Create a standard user of XP Pro, Vista Business or Win 7 Pro so they can join the DOMAIN01 domain and log into the SERVERDC server.
In this example, we'll add 'will' as a standard user. First we create the profiles directory for 'will', next we create 'will' as a new Linux user, adding 'will' to the 'users' group, then we set the Samba password for 'will':
mkdir -p /home/samba/profiles/will
useradd -g users -d /home/will -s /bin/bash -c "Will Brokenbourgh" will
smbpasswd -a will
- - -
Important note about Windows Vista, 7 and (probably) 8
A registry key change is necessary in Vista, 7 and probably beyond to allow those machines to join a Samba domain.
Enter the text below into a plain text file in Windows and save with the .reg extension. Then double-click the file to merge the information into the registry (or just find the exact key and change it manually):
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManWorkstation\Parameters]
"DNSNameResolutionRequired"=dword:00000000
"DomainCompatibilityMode"=dword:00000001
Be sure to reboot the Windows computer after merging the information into the registry.
"I get an error message when trying to join the domain from the Windows computer"
Most of the time, if you get an error message when trying to join a Samba domain:
- The username or password you're trying to use is wrong or mis-typed
- If you previously joined the same domain or another domain, you'll need to leave the domain by joining/creating a workgroup, rebooting, then trying to join the Samba domain again on the Windows client computer
- You need to use the 'root' user when prompted for a user who has authority to join the computer to a domain
- The Samba daemon is not running because it wasn't added to the DAEMONS list in the /etc/rc.conf file, or there was a configuration problem in /etc/samba/smb.conf and Samba couldn't start. Be sure to run testparm as root to check the Samba configuration
- - -
"I have Windows XP Home or Windows 7 Home Premium but can't figure out how to join a domain!"
You cannot join a domain with Windows XP Home or Windows 7 Home Premium. You must upgrade to Windows XP Professional or Windows 7 Professional in order to join a domain.
- - -
Update 1: Reformatted the smb.conf contents slightly, added the socket options = TCP_NODELAY line, changed the os level value and added the info about XP Home/Win 7 Home