Creating a Windows Domain with Samba

Linux can use Samba to authenticate against other Samba servers, against NT4, or even against Windows 2000 running in its degraded NT4 mode. It is also possible to build authentication chains, where the Samba server is one of many machines in a NIS domain and passes the authentication of Win98 computers through to the NIS server.

For a network whose client desktops run Windows 95 through to Windows XP, it is probably easier to run NIS as the common authentication scheme across the Linux / Unix servers and to authenticate the Windows computers against the Samba server. The Samba server may also act as the file server and provide mapped drives for the desktop computers.

IBM created a good document on how to create a Primary Domain Controller using Samba on Linux, which I have mirrored here.

Scripts may also be used to map drives and printers; a useful page is here, mirrored here.

Ensure that the samba-common, samba-client and samba-server packages are installed; during the installation of Red Hat Linux the package group is called Windows File Server. Have a good read through the example smb.conf file: the items listed below are the ones relevant to running a PDC, and you should be able to use this smb.conf file almost as is.

There are a number of items that you should specify; I have attached an example file here. The items you should make sure are present are as follows:

  • security = user
    This ensures that clients only use the permissions granted by the domain.
  • encrypt passwords = yes
    Current Windows clients use a basic form of encryption for passwords; earlier versions did not.
  • os level = 70
    A high OS level ensures that no other computer (or a visiting laptop) takes over as master browser and disrupts our domain.
  • domain master = yes
  • domain logons = yes
    Yes, we want domain logons :-)
  • logon script = logon.bat
    There is a sample batch file with comments explaining what it does.
  • domain admin group = root administrator @root
    These are the accounts that can join computers to the domain.
  • [homes]
    This is useful because it gives each user a private area for their own files on the server. Note also that Windows policy files allow this storage to be used for My Documents.
  • [netlogon]
    This is a hidden share where all the Windows policy files are located.
  • [Profiles]
    Profiles are enabled in the Control Panel under either Passwords or Users. This allows bookmarks and other settings to follow users who frequently use different computers.