Currently, Samba can go beyond merely emulating Windows shares to actually acting as the Primary Domain Controller for your Windows network. Of course, Samba can also become an NT domain member. In this article we shall look at both these options.
The domain concept is much better than the traditional workgroup concept. One of the primary benefits is having a centralized password database on the Primary Domain Controller. Once authenticated, you can access any of the shares in the domain, without having to re-authenticate yourself.
If you're unfamiliar with Samba, then we've got a couple of good howtos that you can refer to. Look for links to them at the bottom of the article.
Samba as an NT Domain Member
Samba emulates an NT workstation when becoming part of the domain. So, the first thing you need to do is create a machine account for your Samba machine on the domain controller. In NT you would use the program Server Manager for Domains to create the account. Once the account is created, all you need to add are the following lines to your smb.conf file under the global section.
# Your Workgroup or Domain that you want
# to log in to
workgroup = FREEOS
# Tell Samba to talk to the domain controller
# for authentication
security = domain
# Specify the server to authenticate
# against. You can specify the
# NetBIOS names of the servers or simply
# put in a "*" here to let
# Samba find the server through broadcast
password server = PS1 PS2
# Make sure Samba is using encrypted
# passwords
encrypt passwords = yes
Now stop the Samba daemons.
/etc/rc.d/init.d/smb stop
Give the following command to join the NT domain.
smbpasswd -j DOMAIN -r DOMAINPDC
DOMAIN here is the domain that you want to log on to. DOMAINPDC is the primary domain controller for that domain. You will then see a message saying, "Joined domain DOMAIN".
Now start your SMB and NMB daemons.
/etc/rc.d/init.d/smb start
That was all about joining an NT domain. Setting up Samba as your Primary Domain Controller is not very difficult.
Samba as Primary Domain Controller
Add the following to the global section of your smb.conf file.
# The domain you want to be a PDC for
workgroup = SIMPLE
# Tell Samba to use domain logons
domain logons = yes
# User-level security. Users must
# authenticate themselves with
# valid username and password
security = user
# Set to yes so that nmbd participates
# in local master browser
# elections
local master = yes
# Set OS level value to make sure nmbd
# wins local browse master
# elections. 65 should beat everyone
# according to the man page
os level = 65
# Give nmbd an advantage in local
# master browser elections
preferred master = yes
# Set so that nmbd claims a unique
# NetBIOS name identifying it as
# a domain master
domain master = yes
# The following share is required to support
# domain logons. The directory may be
# created anywhere on your system. Make
# sure the share is non-writeable and also
# not a public share.
[netlogon]
comment = The domain logon service
path = /usr/local/samba/netlogon
public = no
writeable = no
The next thing to do is create the users on the Samba server that is to act as the domain controller. You can do this using the useradd command.
useradd -g smbuser -d /dev/null -s /dev/null ntuser
As you can see, both the shell and the home directory for ntuser are set to /dev/null. If your Windows users are not required to access the Unix box, you should use the above to deny access to the machine. Passwords are also not required to be set because Samba keeps the password hash in a separate file specified in the configuration file.
# Path to Samba password file
# Make sure only root has read/write access
smb passwd file = /usr/local/samba/smbpasswd
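The comments above ask for a [netlogon] share that is neither writeable nor public and for a password file that only root can read or write. The script below is an added example, not part of the original article, that checks both; its function names and sample input are constructed for illustration, and it treats a setting that is absent from the share as Samba's default (read-only, no guest access).

```shell
#!/bin/sh
# Added example (not from the article): audit two hardening points it names.
# netlogon_findings CONF: print one line per unsafe setting in [netlogon].
# Samba ignores case and spaces in parameter names and accepts synonyms
# (writeable/writable/write ok, public/guest ok, inverted "read only").
netlogon_findings() {
    awk '
    /^[ \t]*[#;]/ { next }                      # skip comment lines
    /^[ \t]*\[/ {                               # section header
        s = tolower($0); gsub(/[ \t]/, "", s)
        in_nl = (s == "[netlogon]"); next
    }
    in_nl && index($0, "=") {
        k = tolower(substr($0, 1, index($0, "=") - 1)); gsub(/[ \t]/, "", k)
        v = tolower(substr($0, index($0, "=") + 1));    gsub(/[ \t]/, "", v)
        yes = (v == "yes" || v == "true" || v == "1")
        if ((k == "writeable" || k == "writable" || k == "writeok") && yes)
            print "netlogon is writeable"
        if (k == "readonly" && !yes) print "netlogon is writeable"
        if ((k == "public" || k == "guestok") && yes)
            print "netlogon allows guest access"
    }' "$1"
}

# passwd_file_findings FILE [UID]: the smbpasswd file holds password hashes,
# so it should be owned by UID (default 0, root) and closed to group/other.
passwd_file_findings() {
    want_uid=${2:-0}
    line=$(ls -ldn "$1") || return 2
    mode=$(printf '%.10s' "$line")              # type + 9 permission chars
    uid=$(printf '%s\n' "$line" | awk '{ print $3 }')
    case $mode in
        -[r-][w-]-------) ;;                    # 0600 or stricter
        *) echo "mode $mode is open beyond the owner" ;;
    esac
    [ "$uid" = "$want_uid" ] || echo "owner uid $uid, expected $want_uid"
}

# Constructed sample: the [netlogon] share with both settings weakened.
demo=$(mktemp)
cat > "$demo" <<'EOF'
[netlogon]
   Guest OK = yes
   read only = no
EOF
netlogon_findings "$demo"
chmod 644 "$demo"    # stand-in for a world-readable smbpasswd file
passwd_file_findings "$demo" "$(id -u)"
rm -f "$demo"
```

On a real server, call the functions with the actual smb.conf path and the path given in "smb passwd file", leaving the second argument off so that root ownership is required.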
After adding a user (you can also use vipw to add a user), you need to add the user to the Samba password database.
"smbpasswd -a" will add all users in the Unix passwd file to the smbpasswd file. The usage and syntax are similar to the Unix passwd command. To change a user's password use "smbpasswd username".
That will be enough for Samba to start authenticating Windows 9X clients. For NT workstations, some more work is to be done. You have to create a machine account for each NT client that will log on. A machine account is simply a regular /etc/passwd entry, with a "$" appended to the name of the NT machine.
useradd -g smbuser -d /dev/null -s /dev/null ntclient$
Now add it to the password database.
smbpasswd -a -m ntclient (the $ at the end is not required)
Samba can now accept logons from an NT client.
As you can see, configuring Samba as a domain controller and domain member is a fairly easy job. The flip side is that since Samba is the result of major amounts of hacking and reverse engineering, it doesn't have all the functionality of a proper domain controller. There is an alternative branch, Samba TNG, that adds more functionality in this area.