Tuesday, December 28, 2010

Configure Linux Samba Server as a Primary Domain Controller

We can use Samba as a Primary Domain Controller and add Windows machines to that domain. The following is a step-by-step guide to configuring Samba as a PDC.

Step 1 : Configure Samba to act as a PDC (Primary Domain Controller)
To allow Samba to act as a Primary Domain Controller, we need to set certain options in the smb.conf file. Open /etc/samba/smb.conf and, under the [global] section, set the options as shown below.

==================================================
# Samba treats only whole lines starting with # or ; as comments,
# so the explanations are kept on their own lines.
[global]
# Your desired NetBIOS domain name, e.g. TESTDOMAIN or ABC (without ".com")
workgroup = smb
# NetBIOS name of your Samba server
netbios name = eildap
# You can set your own description here
server string = Samba PDC Server
security = user
encrypt passwords = yes
# List all networks that are allowed to access Samba services
hosts allow = 127. 192.168. 172.16.
# One log file per client machine, for troubleshooting
log file = /var/log/samba/%m.log
# Keep each log file limited to 50 KB
max log size = 50
local master = yes
os level = 65
domain master = yes
preferred master = yes
# This option actually enables Samba to be a PDC and act as a domain controller
domain logons = yes
# WINS support: tells the nmbd component of Samba to enable its WINS server
wins support = yes
username map = /etc/samba/smbusers
==================================================
Comment out all other options in the [global] section if they are enabled and keep only the options mentioned above.
Restart the Samba service with the command /etc/init.d/smb restart

Step 2 : Set up /etc/hosts to resolve names properly
Open /etc/hosts and make sure it has entries for the hostname and the Samba domain name, so that names resolve properly without any issue.

Step 3 : Set a Samba password for root so that we can join computers to the domain with this username
From a Linux terminal, type the following command to set the Samba password for the user root:
[root@testdomain local]# smbpasswd -a root    ### This enables the Samba account for user root, which we will use to join the Windows XP computer to the domain ###

Step 4 : Add computer account on samba server
When we add a Windows machine to an Active Directory domain, the machine account is created automatically in the OU called Computers in Active Directory. Here in Samba, however, we must add the machine account manually on the Samba server before attempting to add the Windows XP client to the Samba PDC domain.

For example, if I want to add a Windows XP machine named "testclient" to the Samba PDC domain, I need to execute the following commands from a terminal on the Samba server:

[root@testdomain local]# useradd -s /bin/false testclient$    ### Make sure to suffix the computer name with "$" ###
[root@testdomain local]# smbpasswd -a -m testclient$    ### This adds the machine account to the smbpasswd file ###
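As an added example (not from the original post), this POSIX shell helper checks an smb.conf [global] section for the options Steps 1 and 4 rely on and derives the machine trust-account name used in Step 4; SAMPLE_CONF is a constructed fragment, and smb_opt, check_pdc_conf and machine_account are names chosen here.

```shell
# Constructed smb.conf fragment with the [global] options from Step 1. Comments
# sit on their own lines: Samba ignores only whole lines starting with '#' or
# ';', so a trailing '###' note would become part of the value.
SAMPLE_CONF='[global]
# NetBIOS domain name
workgroup = SMB
netbios name = eildap
security = user
encrypt passwords = yes
hosts allow = 127. 192.168. 172.16.
domain logons = yes
wins support = yes
username map = /etc/samba/smbusers
'

# smb_opt CONF KEY: print the value of KEY from [global] (case-insensitive
# key, whitespace trimmed; prints nothing if the key is absent).
smb_opt() {
    printf '%s\n' "$1" | awk -v key="$2" -F= '
        /^[[:space:]]*[#;]/ { next }
        /^[[:space:]]*\[/  { insec = ($0 ~ /^[[:space:]]*\[global\]/); next }
        insec && NF >= 2 {
            k = $1; gsub(/^[[:space:]]+|[[:space:]]+$/, "", k)
            if (tolower(k) != tolower(key)) next
            sub(/^[^=]*=/, ""); gsub(/^[[:space:]]+|[[:space:]]+$/, "")
            print; exit
        }'
}

# check_pdc_conf CONF: return 0 when the settings this guide depends on are
# present and safe, otherwise print one line per problem and return 1.
check_pdc_conf() {
    rc=0
    [ "$(smb_opt "$1" 'domain logons')" = yes ]     || { echo "domain logons must be yes for a PDC"; rc=1; }
    [ "$(smb_opt "$1" security)" = user ]            || { echo "security must be user"; rc=1; }
    [ "$(smb_opt "$1" 'encrypt passwords')" = yes ] || { echo "encrypt passwords must be yes"; rc=1; }
    [ -n "$(smb_opt "$1" 'hosts allow')" ]           || { echo "hosts allow is unset: every network can reach Samba"; rc=1; }
    return $rc
}

# machine_account CLIENT: trust-account name for Step 4 (lower-case, at most
# 15 NetBIOS characters, trailing '$' marks a machine account).
machine_account() {
    name=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    [ ${#name} -le 15 ] || { echo "name too long for NetBIOS: $1" >&2; return 1; }
    printf '%s$\n' "$name"
}

check_pdc_conf "$SAMPLE_CONF" && echo "smb.conf OK"
machine_account testclient   # prints testclient$
```

To check the live file, pass "$(cat /etc/samba/smb.conf)" in place of "$SAMPLE_CONF"; Samba's own testparm remains the authoritative syntax check before restarting the service.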

Step 5 : Configure the Windows XP client to join the Samba PDC domain
  • If you are serving IP addresses through a DHCP server, you can configure DHCP to hand out the WINS server IP to client machines.

  • If you are not running a DHCP server and give the client machine a static IP, go to Control Panel --> Network Connections --> right-click "Local Area Connection" and click Properties. This opens the network properties.
  • Now select "Internet Protocol (TCP/IP)", click Properties --> click "Advanced" --> click "WINS". Add the WINS server (the IP of the Samba PDC server) as shown below. Also tick "Enable NetBIOS over TCP/IP".
  • To force Windows XP Professional clients to accept Samba as a PDC, we need to use the Group Policy Editor. Go to Start --> Run --> type "gpedit.msc" and press ENTER. This opens the Group Policy console.
  • Expand Computer Configuration --> Windows Settings --> Security Settings --> Local Policies --> User Rights Assignments and make sure the following policies are disabled:
Domain Member: Digitally encrypt or sign secure channel data (always)
Domain Member: Digitally sign secure channel data (when possible)
Now we are ready to add this Windows XP machine to the Samba PDC domain.

Step 6 : Add the Windows XP machine to the Samba PDC domain
  • Right-click the "My Computer" icon and click Properties --> go to the "Computer Name" tab --> click the "Change" button.
  • Select the "Domain" radio button and type the Samba PDC domain name we configured earlier in smb.conf, in this case "SMB", then click OK. You will be prompted for a username and password: give the username "root" and the password we configured in Step 3, and click OK.
  • You should then receive a welcome message, e.g. "Welcome to the SMB domain". Click OK and restart the computer.
  • After the restart you should see the CTRL + ALT + DEL screen at logon and be able to log in to the domain!

This way you can use a Linux Samba server as a Primary Domain Controller and, to some extent, implement Group Policy to restrict or allow various kinds of access to the local computer.

--
Sumit
