Configuring Samba as a Windows NT Primary Domain Controller
One of the most important developments over the past two years for GNU/Linux in the enterprise is the increased capability of the Samba server package. Samba not only lets GNU/Linux and Windows systems share files and printers seamlessly, it also lets a GNU/Linux system act as a Primary Domain Controller for a Windows network, something previously reserved for Windows NT Server. Delivering this capability on the stable GNU/Linux platform has made it much easier for large companies to quietly adopt GNU/Linux in the enterprise.
By building into Samba 2.2.x the capacity for a GNU/Linux server to function as a Microsoft Windows NT Primary Domain Controller (PDC), the Samba developers have pushed GNU/Linux into direct competition with Windows NT/2000. In this article, we'll show you how to set up Samba on your GNU/Linux system as a PDC. Before you begin, you should have:
· Extensive knowledge of Windows networking
· Familiarity with Samba configuration
· Familiarity with Linux and Windows security issues
· Admin rights over all systems on your network
In our demonstration, we'll look at a small network with one NT 4.0 workstation, several Microsoft Windows 98/ME machines and one GNU/Linux server running Samba as a Microsoft Windows NT PDC. The job breaks down into three parts: configuring the Samba PDC server, creating the accounts, and joining the machines to the new domain. First, we'll look at configuring the Samba server.
The configuration of the Samba PDC server
When configuring Samba to act as an NT Primary Domain Controller, you'll need to make extensive edits to your smb.conf file. First, let's look at the changes you'll make to the global settings for the server.
To start, open smb.conf in your favorite text editor and begin at the top of the file. The following is a commented listing of the global settings you'll need for creating your PDC. Some of the default settings have been pruned out, so don't be alarmed if you don't see a setting from your default smb.conf file. You might want to open another terminal window at this point and keep the smb.conf man page handy for reference.
# workgroup = Your NT-Domain-Name
workgroup = DEMODOMAIN
#Your PDC identifying comment
server string = Samba/NT PDC
#Your netbios name
netbios name = JERRY
These first three settings establish the PDC server name and the domain it will control. The server string isn't mandatory, but can be helpful in identifying the PDC on the network.
#User-level security is standard for a PDC
security = user
#Encrypted passwords are mandatory
encrypt passwords = yes
smb passwd file = /etc/samba/smbpasswd
These three settings are mandatory for a PDC. The location of the smbpasswd file is up to you; we keep it next to smb.conf, in the directory the Red Hat Samba RPM created at installation. Because smbpasswd holds the LanMan and NT password hashes, which are password-equivalent for SMB authentication, it must be readable and writable by root only (mode 0600). Every domain logon user needs an entry in both /etc/passwd and smbpasswd. To let users change their passwords and keep the Linux password (/etc/passwd or its shadow file) and the Samba password (smbpasswd) in sync, use the following settings:
unix password sync = Yes
passwd program = /usr/bin/passwd %u
# the chat must answer every prompt passwd prints, including the retype and the success message
passwd chat = *New*password* %n\n *Retype*new*password* %n\n *passwd:*all*authentication*tokens*updated*successfully*
Obviously, this is an admin control issue. Leaving these settings out does not stop users from changing their Samba password; it only stops Samba from pushing the change through to the Linux password, so the two will drift apart. Bear in mind that passwd program is run by Samba as root, so point it only at a program you trust. The next four settings make the Samba server the master browser for your domain, the browsing role an NT PDC normally fills:
# set these to act as the domain and local browser
preferred master = yes
domain master = yes
local master = yes
os level = 64
These settings determine which machine wins the browser elections on your network. The os level is the numeric weight Samba carries into an election, and preferred master = yes makes it force an election when it starts. An os level of 64 outranks any Windows client or NT server, so JERRY reliably wins; domain master = yes additionally makes it the domain master browser, which collects the browse lists from all subnets. As you can see, these settings make the server "JERRY" the "master of its domain".
Configuring the server logons for Windows clients
The next group of settings will configure the server to accept network/domain logons for Microsoft Windows clients.
#This one is obvious, and mandatory
domain logons = yes
#Pick ONE of the following three logon script settings
#(if several are present, Samba uses the last one it reads)
#Identify the script by the client machine's netbios name: logon script = %m.bat
#Identify the script by the username: logon script = %U.bat
#Or use a single common logon script for all users:
logon script = logon.cmd
You'll notice that there are three ways to pick a user's logon script, but you can use only one at a time. In the settings above, we've configured the PDC with a single generic logon script. The name is relative to the root of the share you'll create for net logons, and the script runs on the client at every logon, so that share must be read-only for ordinary users: anyone who could write to it could plant commands that every other user executes. Next, we'll look at the shares you must create for your Samba PDC.
Defining Your Shares
Aside from your network devices that will be shared on your network, you will need to define shares that are specific to your PDC configuration. If you decide to use a generic logon script for all of your domain users, you'll need to create the following share:
[netlogon]
path = /etc/samba/netlogon
writeable = no
write list = ntadmin
The path to this share is where the common logon script we defined earlier as logon.cmd lives. The share is read-only for everyone except the names in write list; here that is the Unix user ntadmin (to grant a whole Unix group instead, prefix its name with @, for example @ntadmin). Keep that list short, since whoever can write here controls what runs on every client at logon. You'll need to define one more share, for user profiles, and then you're finished with your smb.conf edits.
The profiles share for your PDC is a separate share for storing roaming user profiles. The path on the server can be anywhere; we suggest you create a new subdirectory on a file system other than your boot file system. This will allow you to recover user profiles in the case of a boot file system crash. In the following share definition, we've set up the profiles share on the /usr filesystem, with masks that keep each user's profile private to that user:
[profiles]
path = /usr/smb/ntprofile
writeable = yes
create mask = 0600
directory mask = 0700
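To check the result before starting smbd, here is an added example (not code from the article or from the Samba project) that assembles the fragments above into one complete smb.conf and lints it for the PDC settings this article calls mandatory: the four global switches, a single logon script, a read-only netlogon share with a write list, private profile masks, and an owner-only smbpasswd file. The embedded configuration is a constructed sample using the article's names and paths; the parser is a minimal one written for this example, not Samba's own, and only knows the parameters and synonyms it checks.

```python
"""Lint an smb.conf for the Samba 2.2 PDC settings discussed above (added example)."""
import os
import re
import stat

# Complete smb.conf assembled from the fragments in the article, with the share
# headers [netlogon] and [profiles] added. Constructed sample; names/paths are the article's.
PDC_CONF = r"""
[global]
   workgroup = DEMODOMAIN
   server string = Samba/NT PDC
   netbios name = JERRY
   security = user
   encrypt passwords = yes
   smb passwd file = /etc/samba/smbpasswd
   unix password sync = yes
   passwd program = /usr/bin/passwd %u
   passwd chat = *New*password* %n\n *Retype*new*password* %n\n *passwd:*all*authentication*tokens*updated*successfully*
   preferred master = yes
   domain master = yes
   local master = yes
   os level = 64
   domain logons = yes
   logon script = logon.cmd

[netlogon]
   path = /etc/samba/netlogon
   writeable = no
   write list = ntadmin

[profiles]
   path = /usr/smb/ntprofile
   writeable = yes
   create mask = 0600
   directory mask = 0700
"""

def parse_smb_conf(text):
    """Return {section: [(key, value), ...]}, keeping duplicate keys so we can report them."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = re.match(r"^\[(.+)\]$", line)
        if m:
            current = m.group(1).strip().lower()
            sections.setdefault(current, [])
        elif current is not None and "=" in line:
            key, _, value = line.partition("=")
            sections[current].append((" ".join(key.lower().split()), value.strip()))
    return sections

def last(section, key):
    """Samba honours the last occurrence of a repeated parameter; so do we."""
    values = [v for k, v in section if k == key]
    return values[-1] if values else None

def is_yes(value):
    return value is not None and value.lower() in ("yes", "true", "1")

def share_writeable(section):
    """Honour the synonyms writeable/writable/write ok and the inverse parameter read only."""
    for key in ("writeable", "writable", "write ok"):
        if last(section, key) is not None:
            return is_yes(last(section, key))
    read_only = last(section, "read only")
    return False if read_only is None else not is_yes(read_only)

def lint_pdc_conf(text):
    """Return a list of findings; an empty list means the PDC settings look right."""
    conf, findings = parse_smb_conf(text), []
    g = conf.get("global", [])
    if (last(g, "security") or "").lower() != "user":
        findings.append("[global] security must be user")
    for key in ("encrypt passwords", "domain logons", "domain master"):
        if not is_yes(last(g, key)):
            findings.append(f"[global] {key} must be yes")
    if not last(g, "smb passwd file"):
        findings.append("[global] smb passwd file not set")
    scripts = [v for k, v in g if k == "logon script"]
    if len(scripts) > 1:
        findings.append(f"[global] logon script set {len(scripts)} times; only {scripts[-1]!r} is used")
    if is_yes(last(g, "unix password sync")) and not (last(g, "passwd program") and last(g, "passwd chat")):
        findings.append("[global] unix password sync needs passwd program and passwd chat")
    netlogon = conf.get("netlogon")
    if netlogon is None:
        findings.append("[netlogon] share missing")
    else:
        if share_writeable(netlogon):
            findings.append("[netlogon] must be read-only: any writer can plant a script every user runs at logon")
        if not last(netlogon, "write list"):
            findings.append("[netlogon] write list empty; nobody can maintain logon scripts")
    profiles = conf.get("profiles")
    if profiles is None:
        findings.append("[profiles] share missing")
    elif last(profiles, "create mask") != "0600" or last(profiles, "directory mask") != "0700":
        findings.append("[profiles] use create mask = 0600 and directory mask = 0700 so profiles stay private")
    return findings

def mode_is_private(mode):
    """True when no group/other permission bits are set, which is what smbpasswd needs."""
    return mode & (stat.S_IRWXG | stat.S_IRWXO) == 0

def smbpasswd_mode_ok(path):
    """smbpasswd holds password-equivalent hashes; confirm it is owner-only (e.g. 0600)."""
    return mode_is_private(stat.S_IMODE(os.stat(path).st_mode))

if __name__ == "__main__":
    for finding in lint_pdc_conf(PDC_CONF) or ["no findings"]:
        print(finding)
```

Run it against your real file with lint_pdc_conf(open("/etc/samba/smb.conf").read()) and smbpasswd_mode_ok("/etc/samba/smbpasswd"); it complements, rather than replaces, Samba's own testparm, which catches syntax errors but not a writeable netlogon share.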
Creating machine trust accounts on your PDC
On a Microsoft Windows NT PDC, a machine trust account is an account owned by a single computer rather than a person. Its password is a shared secret between that computer and the domain controller, and it is what lets the two set up a secure channel. Under Microsoft Windows NT these passwords are stored in the registry. On a Samba PDC under Linux they are entries in the smbpasswd file itself, alongside the user accounts, flagged as workstation accounts.
Editor's note: Understanding Microsoft Windows NT security schemes is not absolutely necessary at this point, but a basic grasp of these concepts will help. Machine trust passwords shouldn't be confused with user ids and logons. They are machine identifiers for an NT Domain Controller that identify trusted domain machines to the PDC. Unknown to many network administrators, Microsoft Windows 9x machines, which can only use LanMan type passwords, are not true members of a domain. This is because NT, which uses NT password hashes, doesn't recognize LanMan passwords as trusted. Remember this when you need a tidbit to astound your friends at your next party...
You can create trusted machine accounts on your Samba PDC in two ways. The first is to create the account manually, with a known initial password (the lower-case netbios name of the machine), before you join the machine to the domain. The second creates the account at the moment an administrator joins the machine to the domain; the trust password is set to a random value, sent encrypted under the session key of the administrative connection. The second method is much more secure, because the trust password is never a guessable value, and it is the one we recommend.
Currently, Samba requires a Linux user id for every machine account, because the Microsoft Windows NT security identifier it hands out is generated from that uid. If you want your Samba PDC to create the Linux account on the fly when a machine is joined to the domain, add the following line to the global settings of your smb.conf file:
add user script = /usr/sbin/useradd -d /dev/null -g 100 -s /bin/false -M %u
The path shown as /usr/sbin/useradd should point to wherever your system stores the useradd program, and -s /bin/false gives the account no usable shell. When Samba runs this script for a machine join, %u is the machine account name including its trailing "$", so your useradd must accept such names. This setting as shown will work on most GNU/Linux systems.
To add a trusted machine account manually, you must first create the Linux account. For example, let's say you're adding the machine "elaine" to your domain. As root, create an entry named elaine$ in your /etc/passwd file; the same useradd invocation shown above, with elaine$ in place of %u, does this for you. The appended "$" marks the entry as a machine account, and the rest of the settings give it no home directory and no shell, so nobody can log in to it interactively. Once the Linux account exists, add it to your smbpasswd file with the following command, run as root:
smbpasswd -a -m elaine
The -a flag adds the account and -m marks it as a machine account; give the netbios name without the "$", which smbpasswd appends itself, and it sets the initial trust password to the lower-case machine name. You should then immediately join the machine to the domain from the NT workstation (Control Panel, Network, Identification, Change). Until that join completes, the trust password is predictable, and anyone who knows the machine name could join a machine of their own under it; the join replaces it with a random secret.
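The following added example (not code from the article or the Samba project) puts the two-step manual procedure into a script and adds the audit a practitioner would want afterwards: it validates the netbios name, builds the useradd and smbpasswd invocations with the flags shown above, and parses the smbpasswd file to cross-check that every "name$" entry carries the workstation flag and that no account is left with no password. The smbpasswd lines it audits are a constructed sample with made-up hashes; the /usr/sbin and /usr/bin paths are assumptions.

```python
"""Create and audit Samba 2.2 machine trust accounts (added example)."""
import re
import subprocess

# NetBIOS names: 1-15 characters; we accept letters, digits and hyphens (assumption: no $ or spaces).
NETBIOS_RE = re.compile(r"^[A-Za-z0-9-]{1,15}$")

def machine_account(netbios_name):
    """Validate the NetBIOS name and return the Linux/smbpasswd account name, e.g. elaine$."""
    if not NETBIOS_RE.match(netbios_name):
        raise ValueError(f"bad NetBIOS name: {netbios_name!r}")
    return netbios_name.lower() + "$"

def useradd_argv(netbios_name, gid=100, useradd="/usr/sbin/useradd"):
    """Linux side of the trust account: no home directory, no shell, nothing to log in to."""
    return [useradd, "-d", "/dev/null", "-g", str(gid), "-s", "/bin/false", "-M",
            machine_account(netbios_name)]

def smbpasswd_argv(netbios_name, smbpasswd="/usr/bin/smbpasswd"):
    """Samba side: smbpasswd -a -m takes the name without $ and sets the initial
    password to the lower-case machine name (the predictable pre-join secret)."""
    machine_account(netbios_name)  # validate before building the command
    return [smbpasswd, "-a", "-m", netbios_name.lower()]

def create_trust_account(netbios_name):
    """Run both steps as root. Join the machine right after this returns."""
    subprocess.run(useradd_argv(netbios_name), check=True)
    subprocess.run(smbpasswd_argv(netbios_name), check=True)

# Constructed sample of the smbpasswd format: name:uid:LMHASH:NTHASH:[flags]:LCT-hex:
# Hashes are arbitrary hex; 32 X's mean "no LanMan hash", which is normal for machine accounts.
SAMPLE_SMBPASSWD = "\n".join([
    "# constructed sample, not a real password database",
    "jerry:500:AABBCCDDEEFF00112233445566778899:99887766554433221100FFEEDDCCBBAA:[U          ]:LCT-3C2A1B00:",
    "elaine$:505:" + "X" * 32 + ":0123456789ABCDEF0123456789ABCDEF:[W          ]:LCT-3C2A1B10:",
    "george$:506:" + "X" * 32 + ":FEDCBA9876543210FEDCBA9876543210:[U          ]:LCT-3C2A1B20:",
    "guest:501:" + "NO PASSWORD" + "X" * 21 + ":" + "NO PASSWORD" + "X" * 21 + ":[NU         ]:LCT-00000000:",
])

def parse_smbpasswd(text):
    """Parse smbpasswd entries into dicts; flags become a set of single letters (U, W, N, D ...)."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 6:
            continue
        name, uid, lm, nt, flags, lct = fields[:6]
        entries.append({"name": name, "uid": int(uid), "lm_hash": lm, "nt_hash": nt,
                        "flags": set(flags.strip("[] ")), "last_change": lct})
    return entries

def audit_accounts(entries):
    """Report entries whose name and [W] flag disagree, passwordless entries, and disabled ones."""
    notes = []
    for e in entries:
        if e["name"].endswith("$") != ("W" in e["flags"]):
            notes.append(f"{e['name']}: machine-account name and [W] flag disagree")
        if "N" in e["flags"] or e["nt_hash"].startswith("NO PASSWORD"):
            notes.append(f"{e['name']}: no password set")
        if "D" in e["flags"]:
            notes.append(f"{e['name']}: account disabled")
    return notes

if __name__ == "__main__":
    print(" ".join(useradd_argv("ELAINE")))
    print(" ".join(smbpasswd_argv("ELAINE")))
    for note in audit_accounts(parse_smbpasswd(SAMPLE_SMBPASSWD)):
        print(note)
```

To audit the real database, feed parse_smbpasswd the contents of the file named by smb passwd file (root access is required, and should be). An entry like george$ above, a machine name that was added with plain smbpasswd -a instead of -a -m, is exactly the kind of mistake the flag check catches.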
Samba is an incredibly powerful server software package that extends GNU/Linux machines and their functionality to the enterprise. In this article, we've demonstrated the configuration of Samba on GNU/Linux as a Microsoft Windows NT Primary Domain Controller.