Daniel Fišer, <d@niel.fiser.cz>
Damir Horvat, <damir@x-si.org>

v0.1, 2001-07-05


This mini-HOWTO explains setting up Samba 2.2.0 as a Windows PDC and adding Windows NT/2000 machines to the domain. The mini-HOWTO might also apply to Samba 2.0.7, though this was not tested. Versions prior to 2.0.7 do not support Win2k domain members.


Content

  1. Prerequisites
  2. Basic smb.conf
  3. Win2k machine accounts
  4. User accounts
  5. Domain administrators
  6. Win2k setup
  7. Creating shares

Prerequisites

To install Samba 2.2.0 you need a Unix machine. I assume that the Unix machine is running and that you have root access.

To get samba sources, go to http://samba.org/.
To get RPM packages, go to http://rpmfind.net/linux/rpm2html/search.php?query=samba.
To get Debian packages, browse to http://packages.debian.org/.
To get FreeBSD 4.3 for i386 packages, go to ftp://ftp.freebsd.org/pub/FreeBSD/ports/i386/packages-4.3-release/net/samba-2.2.0.tgz.

Install Samba and make sure its start script is in your rc.d directory and is executable.


Basic smb.conf

Edit the smb.conf configuration file (RH: /etc/, FreeBSD: /usr/local/etc/) and make sure you have the following setup:

[global]
        netbios name = <your-machine-name>
        server string = Samba %v on %L
        workgroup = <your-domain-name>
        
        ; domain & local master browser
        ; because we're dealing with Win2k
        os level = 65
        preferred master = yes
        domain master = yes
        local master = yes
        domain logons = yes
        
        ; misc options
        socket options = TCP_NODELAY IPTOS_LOWDELAY SO_SNDBUF=8192 SO_RCVBUF=8192
        time server = yes

        ; do not show files starting with dots
        hide dot files = yes

        ; Central European code page support
        client code page = 852
        character set = ISO8859-2

        ; do not allow guest access, use only local system accounts
        security = user
        guest ok = no
        invalid users = bin daemon sys man postfix mail ftp
        ; admin users perform all file operations as root on every share
        admin users = @wheel

        ; domain administrators
        domain admin group = @wheel
        domain admin users = root

        ; use encrypted passwords
        encrypt passwords = yes
        
        ; logging (max log size is in kB)
        log level = 2
        log file = /var/log/samba/log.%L
        max log size = 1000
        debug timestamp = yes
        syslog = 1

        ; user roaming profiles path
        logon path = \\%N\profiles\%u

        ; general logon script (in DOS format)
        logon script = logon.bat

Now you have to set up the netlogon share and a share for roaming profiles. Change the paths to your appropriate directories. Don't forget to change the list of valid users. I prefer having a special system group called smbusers and restricting access to its members and root.

; share for domain controller
[netlogon]
        path = /home/samba/netlogon
        public = no
        writeable = no
        browsable = no
        valid users = root @smbusers

; share for storing user profiles
[profiles]
        path = /home/samba/profiles
        writeable = yes
        create mask = 0700
        directory mask = 0700
        browsable = no
        valid users = root @smbusers

Win2k machine accounts

To allow domain logins from machines running Windows NT or Windows 2000, you need to create a machine account for every machine. Machine accounts are special accounts with $ at the end, e.g. machine$.

Since there might be problems creating them from Windows, it is easier to create them in advance directly on Unix. However, it is possible to set the add user script parameter in smb.conf. See the Samba documentation for more.

To add a machine account, use your system's script, most likely adduser. If your system does not support user names with $ (e.g. FreeBSD), you must edit your password database manually to add it. So on FreeBSD, use vipw.

The system accounts for machines need neither a login shell nor a home directory, so use false as the login shell and /dev/null as the home directory.

After adding the system accounts, you must use smbpasswd to add the Samba machine account. There you can use $ in user names. A typical command will look like:

$ smbpasswd -a -m <machine-name>$

User accounts

To add a user account, simply repeat the above steps for user names. Normally you would have user names without special characters, so you can simply run adduser. Again, use false as the shell and /dev/null as the user's home directory.

To add users to Samba, run smbpasswd:

$ smbpasswd -a <user-name>
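
The two account procedures above (a Unix account with no shell and no home directory, then smbpasswd -a) wrapped in a small POSIX shell script. This is an added example, not part of the HOWTO: it assumes a Linux-style useradd(8) (on FreeBSD use vipw as described above) and that the smbusers group from the share definitions already exists. The machine_account helper enforces what the Win2k setup section relies on: the account name must match the NetBIOS name (at most 15 characters) and carry exactly one trailing $.

```sh
#!/bin/sh
# Added example (not from the HOWTO). Helpers for the machine and user
# account steps. Assumes Linux useradd(8) and an existing smbusers group.

# Derive the Samba machine account name from a NetBIOS name:
# lower-case, at most 15 characters, exactly one trailing '$'.
# Prints the name, or prints nothing and returns 1 if the name is unusable.
machine_account() {
    nb=$(printf '%s' "$1" | tr 'A-Z' 'a-z' | sed 's/\$$//')
    case "$nb" in
        ''|*[!a-z0-9_-]*) return 1 ;;   # empty, or characters passwd/NetBIOS cannot take
    esac
    [ "${#nb}" -le 15 ] || return 1     # NetBIOS names are limited to 15 characters
    printf '%s$\n' "$nb"
}

# Create the Unix account and the Samba entry for one machine.
# Must run as root. -d /dev/null -s /bin/false is the "no home dir,
# false as login shell" advice above; smbpasswd -a -m adds the machine trust account.
add_machine() {
    acct=$(machine_account "$1") || { echo "unusable machine name: $1" >&2; return 1; }
    useradd -d /dev/null -s /bin/false "$acct" || return 1
    smbpasswd -a -m "$acct"
}

# Create a user account the same way (no shell, no home), put it in the
# smbusers group used by the shares, and set its Samba password with smbpasswd -a.
add_user() {
    usr=$1
    case "$usr" in
        ''|*[!a-z0-9_-]*) echo "unusable user name: $usr" >&2; return 1 ;;
    esac
    useradd -d /dev/null -s /bin/false -G smbusers "$usr" || return 1
    smbpasswd -a "$usr"
}

# Usage (as root):  sh accounts.sh machine WS01      sh accounts.sh user alice
case "${1:-}" in
    machine) add_machine "$2" ;;
    user)    add_user "$2" ;;
esac
```

Because Windows compares the NetBIOS name case-insensitively while the Unix password database does not, the helper always lower-cases the account name; pass either WS01 or ws01$ and you get ws01$.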

Domain administrators

The most important part of the setup is setting up domain administrators. These are the only Samba accounts that can add Windows NT/2000 machines to the domain. See smb.conf for more details:

        ; domain administrators
        domain admin group = @wheel
        domain admin users = root

Since Samba 2.2.0 does not fully support the domain admin group parameter, make sure you include the domain admin users clause. You must put user root into it; other users are ignored in Samba 2.2.0.

Make sure you have added user root to the smbpasswd file (smbpasswd -a root) and that you do not include root in the invalid users clause (see Basic smb.conf).
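
A preflight check for the conditions this section and Basic smb.conf require before you start joining machines: domain logons and encrypt passwords on, root listed in domain admin users, root absent from invalid users, and a root entry in the smbpasswd file. This is an added example, not part of the HOWTO; it assumes the "name = value" layout shown above and a smbpasswd file whose lines start with the user name. The sample files it writes are constructed (with dummy hash fields) so the script runs stand-alone.

```sh
#!/bin/sh
# Added example (not from the HOWTO): preflight check before joining machines.

# Print the value of the first "name = value" line for a parameter, or nothing.
conf_value() {   # conf_value <smb.conf> <parameter name>
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | head -n 1
}

# Does a space-separated list contain the given word?
has_word() {     # has_word "<list>" <word>
    for w in $1; do [ "$w" = "$2" ] && return 0; done
    return 1
}

# Returns 0 when smb.conf and the smbpasswd file meet the requirements above;
# otherwise reports each failing condition on stderr and returns 1.
check_pdc_config() {   # check_pdc_config <smb.conf> <smbpasswd file>
    conf=$1; pwfile=$2; ok=0
    [ "$(conf_value "$conf" 'domain logons')" = yes ] || { echo "domain logons is not yes" >&2; ok=1; }
    [ "$(conf_value "$conf" 'encrypt passwords')" = yes ] || { echo "encrypt passwords is not yes" >&2; ok=1; }
    has_word "$(conf_value "$conf" 'domain admin users')" root || { echo "root is missing from domain admin users" >&2; ok=1; }
    if has_word "$(conf_value "$conf" 'invalid users')" root; then
        echo "root is listed in invalid users" >&2; ok=1
    fi
    grep -q '^root:' "$pwfile" || { echo "root has no smbpasswd entry (run smbpasswd -a root)" >&2; ok=1; }
    return $ok
}

# Constructed sample files (not real server files); prints the directory they live in.
make_samples() {
    d=$(mktemp -d) || return 1
    cat > "$d/good.conf" <<'EOF'
[global]
        domain logons = yes
        encrypt passwords = yes
        invalid users = bin daemon sys man postfix mail ftp
        domain admin users = root
EOF
    # Same setup, but root was put into invalid users by mistake.
    cat > "$d/bad.conf" <<'EOF'
[global]
        domain logons = yes
        encrypt passwords = yes
        invalid users = root bin daemon sys man postfix mail ftp
        domain admin users = root
EOF
    # Dummy hash fields: only the user name at the start of the line matters here.
    dummy=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
    printf 'root:0:%s:%s:[U          ]:LCT-00000000:\n' "$dummy" "$dummy" > "$d/smbpasswd"
    printf 'alice:1001:%s:%s:[U          ]:LCT-00000000:\n' "$dummy" "$dummy" > "$d/no-root.smbpasswd"
    printf '%s\n' "$d"
}

dir=$(make_samples)
for c in good bad; do
    if check_pdc_config "$dir/$c.conf" "$dir/smbpasswd"; then
        echo "$c.conf: ready for domain joins"
    else
        echo "$c.conf: fix the problems above first"
    fi
done
rm -r "$dir"
```

On a real server run check_pdc_config against /etc/smb.conf (or /usr/local/etc/smb.conf on FreeBSD) and the private/smbpasswd file; it only reads them.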


Win2k setup

Now you can go around your Windows machines and set them up as domain members. There should be no problem with Windows 95/98/ME, since they do not need machine accounts; just make sure you use encrypted passwords (see the Samba documentation for more).

To add a Windows NT or 2000 machine to the domain, you must be logged in as Administrator. First make sure that the machine's NetBIOS name is exactly the same as the machine account you created on your Samba server.

Then go to the computer's properties and select the Network Identification tab. Click the Properties button, select Domain, and enter your domain name. Click OK.

You will be prompted for the domain admin user name and password: enter root as the user name and the Samba root password (the one you set with smbpasswd -a root). After a while you will see the message "Welcome to <your-domain-name> domain".

Now just reboot and try to log in to the domain as a normal domain user.


Creating shares

To create Samba shares, edit smb.conf. Do not forget to specify the allowed users and the file and directory masks:

; share for user data
[data]
        path = /home/samba/data
        writeable = yes
        create mode = 0750
        directory mode = 0750
        valid users = root @smbusers
        ; public is a synonym for guest ok and overrides the global guest ok = no for this share
        public = yes

Make sure you restart the Samba daemons (smbd and nmbd) after editing smb.conf.

copyright © 2000–2011 Daniel Fišer