How to set up Samba as a Primary Domain Controller

A domain controller is a server which groups multiple computers to centralize their authentication system. When you are using a domain controller, you don't login to your computer, but instead login to the domain controller. Every authentication request is handled by the Primary Domain Controller (PDC).

Usually you hear about PDC using a Windows based server. In this tutorial, I'll describe how to set up a PDC using Samba, which is based on Linux.

There are four main steps for setting up Samba as a PDC:

  • Install Samba
  • Configure /etc/samba/smb.conf
  • Add domain users
  • Register all Windows computers with Samba PDC.

1. Samba Installation

If you are using a Debian based Linux, run the following command on the terminal window to install Samba:

$ sudo apt-get install samba
$ sudo apt-get install samba-common
$ sudo apt-get install samba-common-bin

If you are using a Red Hat based Linux, you may use rpm or yum package manager to install Samba.

2. Samba Configuration

The main configuration of Samba server is found in /etc/samba/smb.conf. For a PDC server, there are three part of the file which you need to configure: global, netlogon, and homes.

Before you start modifying the configuration file, I suggest you back up the existing Samba configuration file.

$ sudo cp /etc/samba/smb.conf /etc/samba/smb.conf.old

Configuring [global] parameters

	workgroup = sambadomain 
	netbios name = sambapdc 
	server string = Samba PDC 
	domain master = yes 
	preferred master = yes 
	domain logons = yes 
	add machine script = /usr/sbin/useradd -N -g machines -c Machine -d /var/lib/samba -s /bin/false %u 
	security = user 
	encrypt passwords = yes 
	wins support = yes 
	name resolve order = wins lmhosts hosts bcast 

	logon path = \\%N\%U\profile 
	logon drive = H: 
	logon home = \\%N\%U

Change the names of the workgroup and the PDC according to your environment, so that they correspond to the actual values in your network. If you have another Wins server on your network, remove "wins support = yes", because having more than one causes a problem. "wins support = yes" means Samba acting as a Netbios server.

Creating LMHOSTS file

Don't forget to register your domain IP address to the LMHOSTS file. The LMHOSTS file is a mapper between the IP address of the domain controller and Netbios name. When you add a Windows computer to the SAMBADOMAIN, Windows tries to find the PDC's IP address. If Windows fails to find the PDC's IP address, then you won't be able to register a computer with the PDC.

The LMHOSTS file should be created and placed in /etc/samba/lmhosts. The content of LMHOSTS file is similar to /etc/resolv.conf file, except that you need to register the Netbios name instead of the host name. For example, if your PDC has an IP address with sambadomain as workgroup name, and sambapdc as the Netbios name, the content of the lmhosts file should look like the following: sambadomain sambapdc

After creating /etc/samba/lmhosts, re-run the nmbd daemon as follows:

$ sudo nmbd -H /etc/samba/lmhosts -D

Configuring [netlogon] parameters

	path = /var/lib/samba/netlogon 
	browseable = no 
	read only = no 
	create mask = 0700 
	directory mask = 0700 
	valid users = %S 

/var/lib/samba/netlogon is a startup directory for PDC logon. When users login to the Samba PDC, a script called netlogon.bat in the directory will be executed.

$ sudo mkdir -m 0755 /var/lib/samba/netlogon

For example, if you want to automatically mount a network drive from the PDC, Create the following netlogon.bat script in /var/lib/samba/netlogon

## Samba Logon Script
net use x: \\sambapdc\share

Configuring [homes] parameters

This is a configuration file for PDC user's home directory.

	valid users = %S 
	guest ok = yes 
   	read only = yes 

Testing the configuration file

After saving all configuration files, test your configuration with the following command:

$ sudo testparm

If there is any syntax error detected, fix it and restart Samba.

3. Adding Domain Users

Adding admin user and group for the PDC

In Linux, admin user is the root user. So you need to run the following command to add the root user as the Samba admin:

$ sudo smbpasswd root

You should not use the same password as the Linux root user.

Create a machines group

The next step is to create a group called "machines".

$ sudo groupadd -g machines

Samba will automatically add users to this group, as long as you configure "add machine script" correctly in [global] section in /etc/samba/smb.conf.

Create a Linux Account for PDC login

You need to create a user on PDC for domain login. In this example, I will create an account that disables Linux login. So every access to the PDC must be done via Samba.

For example, creating user "dan":

$ sudo smbpasswd -a dan

Enter the same password twice.

You need to activate the user with the following command:

$ sudo smbpasswd -e dan

Grant user "dan" to login to the PDC:

$ sudo net rpc rights grant "SAMBADOMAIN\dan" SeMachineAccountPrivilege SePrintOperatorPrivilege SeAddUsersPrivilege SeDiskOperatorPrivilege SeRemoteShutdownPrivilege
$ sudo net groupmap add ntgroup="Administrator" unixgroup=root rid=512 type=d

4. Register Windows Computers with the Samba PDC

Under Windows computer properties, change the domain name to sambadomain. Reboot your Windows PC, and try to login with SAMBADOMAIN/dan. If you successfully login, then your Samba PDC is ready.

Subscribe to Xmodulo

Do you want to receive Linux FAQs, detailed tutorials and tips published at Xmodulo? Enter your email address below, and we will deliver our Linux posts straight to your email box, for free. Delivery powered by Google Feedburner.

Support Xmodulo

Did you find this tutorial helpful? Then please be generous and support Xmodulo!

5 thoughts on “How to set up Samba as a Primary Domain Controller

  1. "Please change the workgroup name (which is the name of the PDC) to your own workgroup name"
    This sentence is very bad and should be corrected, so the people don't get confused. The WORKGROUP is a workgroup (an organizational structure) and the PDC is a computer. Don't mix these up. It should state: "Change the names of the workgroup and the PDC according to your wish,so that they correspond to the actual values in your network" or something like that.


  2. Great/simple tutorial!

    * Need to remove the default "server role" line completely from smb.conf or it will provision as a standalone server.
    * Probably best to put netlogon folder user /srv/samba instead.
    * Since my install was new I added "sudo passwd root" to add a password to root at the UNIX level.
    * It's probably worth mentioning that the "net rpc rights" command wants the SMB version of the root password rather than the UNIX version.
    * It was necessary to first add this "dan" user at the UNIX level with "sudo adduser dan".
    * It helps to restart after everything "sudo shutdown -r now".
    * The workstation didn't seem to find the PDC for this new domain. I added an entry to its lmhosts file: " sambapdc #PRE #DOM:sambadomain". Not sure if the server is broadcasting or if my WINS setup needs tweaking.
    * From what I understand, Windows NETBIOS domain names need to be ALLCAPS and something like 14 characters or less.

Leave a comment

Your email address will not be published. Required fields are marked *