How to configure Samba 3 as Primary Domain Controller

If you are working in a corporate sector then you must have noticed that most of the IT companies are using Active Directory on Windows Server for centralized authentication of all the employees or users but now Linux has introduced Samba3 which can be used to provide the same functionality and features without paying anything from your pocket.

But Samba3 lacks some of the features of Active Directory so recently Samba4 has been launched by Samba which can used to configure Active directory Domain controller on the Linux machine and can be controlled using client software on any of the windows machine consisting of all the features of Active Directory. I won't be able to explain the feature of all the command for that you can take help of "GOOGLE" but I will try my level best from my side to explain all the required commands.

You can just follow the steps which I am going to post here and if you face any problem regarding the same kindly revert back with your error.

NOTE: Kindly take a backup copy of all the original configuration files you are going to use in this tutorial.

This is the scenario we are going to configure

Server: CentOS 6
IP Address: 10.10.10.100
users : user1, user2

Client: Windows XP

IP Address: 10.10.10.90
machine name : machine1

First of all make sure all the required packages are installed in your system and if not you can install them using "yum"

# rpm -qa | grep samba
samba-3.5.10-116.el6_2.i686
samba-common-3.5.10-116.el6_2.i686
samba-winbind-clients-3.5.10-116.el6_2.i686
samba-client-3.5.10-116.el6_2.i686

and if the package is missing

# yum -y install samba

open up the configuration file and you can copy the same file as i have posted:

# vi /etc/samba/smb.conf
[Global]
workgroup = EXAMPLE
#corresponds to domain name
local master = yes
preferred master = yes
domain master = yes
domain logons = yes
security = user
passdb backend = tdbsam
logon path = \\%L\Profiles\%U
logon script = logon.bat
add machine script = /usr/sbin/useradd -d /dev/null -g 200 -s /sbin/nologin -M %u

[homes]
browseable = yes
writable = yes

[netlogon]
path = /home/netlogon
writable = no
browseable = no

[Profiles]
path = /home/profiles
createmask = 0755
directory mask = 0755
writable = yes

The line domain master = yes causes Samba to be the domain master browser, which handles browsing services for the domain across multiple subnets if necessary. Although it looks very similar, local master = yes does not cause Samba to be the master browser on the subnet, but merely tells it to participate in browser elections and allow itself to win. The next two lines ensure that Samba wins the elections.Setting the preferred master parameter makes Samba force an election when it starts up.

The line, domain logons = yes, is what tells Samba we want this server to handle domain logons.

Defining a logon path is necessary for supporting roaming profiles. The UNC \\%L\profiles\%u refers to a share held on the samba server where the profiles are kept. The variables %L and %u are replaced by samba with the name of the server and the username of the logged on user respectively.
The logon script = logon.bat line specifies the name of an MS-DOS batch file that will be executed when the client logs on to the domain. The path specified here is relative to the [netlogon] share that is defined later in the smb.conf file.
For further knowledge on the above used syntax in the smb.conf file kindly refer to this website

Samba as Primary Domain Controller

Now we need to create the shares with proper permissions which we have mentioned in the smb.conf file

# mkdir -m 1777 /home/profiles 
# mkdir -m 1777 /home/netlogon
# groupadd -g 200 machine

Since we have used a "add machine script" in our conf file as you can see above, we don't need to create any user for the machine of the client as it will automatically create one evrytime we login to domain connected client machine. But if you don't use that script then you can do the same manually

(optional)

# useradd -d /dev/null -s /sbin/nologin -g 200 machine1$

When the computer account is created, two things must happen on the samba server. An entry is added to the smbpasswd file, with "username" that is the NetBIOS name of the computer with a $ sign appended to it. This part is handled by the smbpasswd command and you do not need to perform any additional action to it.

# smbpasswd -m -a machine1$

Now its time to create the user whom we want to login to the domain

# useradd user1
# useradd user2

# smbpasswd -a root
# smbpasswd -a user1
# smbpasswd -a user2

# service smb restart
# service nmb restart

Check your firewall settings as in my case I have disabled my firewall and selinux.

Client side configuration:

Open your windows XP machine and make sure the machine is in network with the server. Login to the computer as Administrator or another user in the Administrators group. Right click on the "My Computer" icon and click on prperties then go to "Computer Name" tab and click on "change".

Now change your domain settings from workgroup to "EXAMPLE" and hit "OK". it will prompt for the username and password of the server and then you should get a message "Welcome to EXAMPLE" domain. restart your machine and try to login next time using user1 which you created on the server.If you are not able to connect your machine using the above steps kindly do let me know so that I can dig further and help you out.

NOTE: You might have to perform some registry related changes in order to add your Windows 7 machine to Samba 3

Error:

The following error occurred attempting to join the domain „.....“:



The specified domain either does not exist or could not be contacted.

Solution:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\LanmanWorkstation\Parameters]

"DomainCompatibilityMode"=dword:00000001

"DNSNameResolutionRequired"=dword:00000000

After sucessfully joining the domain you might get an error like below

Changing the Primary Domain DNS name of this computer to "" failed. The name will remain ".....".

The error was:



The specified domain either does not exist or could not be contacted

You can safely ignore this message or to silent the error pop up download and install the below hotfix from Microsoft
You incorrectly receive an error message when you join a computer that is running Windows 7 or Windows Server 2008 R2 to a Samba 3-based domain

Related Articles
Samba 4 as Active Directory configuration guide
Samba 4.1 as Active Directory configuration guide
Changing password for Administrator in Samba4
Configure NTP server for Samba4
Samba4 related commands
Create Roaming Profiles in Samba4

Follow the below links for more tutorials:

Tutorial for Monitoring Tools SAR and KSAR with examples in Linux

How to configure Samba 4 Secondary Domain Controller
How to secure Apache web server in Linux using password (.htaccess)
How to register Red Hat Linux with RHN (Red Hat Network )
Red hat Enterprise Linux 5.5 Installation Guide (Screenshots)
15 tips to enhance security of your Linux machine
Why is Linux more secure than windows and any other OS
What is the difference between "su" and "su -" in Linux?
How to log iptables messages in different log file
What are the s and k scripts in the etc rcx.d directories

What is the difference between DNS A record and CNAME record?

5 comments:

suriya karthik24 Sep 2013, 19:18:00
thank you ver much .. i was sucessfully create a domain controller.......
Md.Monarul Islam29 Sep 2016, 22:13:00
Nice post but today I apply plese help me about how to auto add in network place and easy access my samba share file.
enam haque24 Nov 2016, 12:04:00
enam

without hotfix any solution...?