smb.conf example for PDC

[Easgs]

Hi, I have read some guides about creating a PDC using samba, so I have created a smb.conf file according my possible needs, I have commented some option that I think are not requiered for most scenarios, these are:

[homes],[users],[profiles] and [groups]

this is the smb.conf file, what do you think?


[global]

workgroup = example
domain logons = yes
domain master = yes
local master = yes
os level = 65
preferred master = yes
security = user
passdb = tdbsam
wins support = yes
add user script = /usr/sbin/useradd –m %u
delete user script = usr/sbin/userdel –r %u
add machine script = /usr/sbin/useradd –c Machine –d /var/lib/nobody –s /bin/false %m$
netbios name = linuxserver
name resolve order = bcast host lmhost wins
server string “”
printing = cups
printcap name = cups
printcap cache time = 750
cups options = raw

[netlogon]

comment = network logon service
path = /var/lib/samba/netlogon
write list = root

[printers]

Comment = All printers
Path = /var/tmp
Printable = yes
Create mask = 0600
Browseable = no

[print$]

Comment = printer drivers
Path = /var/lib/samba/drivers
Write list = @ntadmin root
Force group = ntadmin
Create mask = 0664
Directory mask = 0775

[data]

comment = data folder
path = /home/easgs/data
guest ok = no
valid users = user1, user2, user3, @account
create mode = 0660
directory mode = 0770
inherit acls = yes



Thanks.

On Tue May 5 2009 03:06 pm, Easgs wrote:

>
> Hi, I have read some guides about creating a PDC using samba, so I have
> created a smb.conf file according my possible needs, I have commented
> some option that I think are not requiered for most scenarios, these
> are:
>
> [homes],[users],[profiles] and [groups]
>
> this is the smb.conf file, what do you think?
>
>
> [global]
>
> workgroup = example
> domain logons = yes
> domain master = yes
> local master = yes
> os level = 65
> preferred master = yes
> security = user
> passdb = tdbsam
> wins support = yes
> add user script = /usr/sbin/useradd –m %u
> delete user script = usr/sbin/userdel –r %u
> add machine script = /usr/sbin/useradd –c Machine –d /var/lib/nobody –s
> /bin/false %m$
> netbios name = linuxserver
> name resolve order = bcast host lmhost wins
> server string “”
> printing = cups
> printcap name = cups
> printcap cache time = 750
> cups options = raw

<snip>
>
>
> Thanks.
Easgs;
If you have "wins support = yes", it would be faster to set:

Code:

name resolve order = wins bcast host lmhost

This means that you would try the wins server first.

Be sure to set the IP of your Server in the Wins section of Windows
networking. This insures that the clients register with your Wins server and
use it. This is done on each client with:

Control Panel->Network connections-><your lan>->Properties->Internet
proticol(tcp/IP)->Advanced->Wins

[profiles] is needed for roaming profiles, one big advantage to a domain and
[homes] is always handy because it gives you access to your Linux home
directory.

Be sure to join all machines to the domain including your Linux machine. To
add the Linux machine to it's own domain use:

Code:

net rpc join -Uroot%<root password>

On windows: My computer->properties->Computer Name->change-><choose domain>
You will need to authenticate with your Linux root credentials.

--
P. V.
"We're all in this together, I'm pulling for you." Red Green

[Easgs]

Quote:

[profiles] is needed for roaming profiles, one big advantage to a domain and
[homes] is always handy because it gives you access to your Linux home
directory.

I think that for the moment I won`t use that services, since I want to understand other basic options first.

Quote:

Be sure to join all machines to the domain including your Linux machine. To
add the Linux machine to it's own domain use:

Code:
net rpc join -Uroot%<root password>

Do I need to do that even in the samba PDC?

Reading some about the "add user script = /usr/sbin/useradd -m %u" function, this option adds the UNIX user in the case that there is in use an active directory server and the unix user doesn`t exist in the samba server, samba checks the autentication and if it is sucessfull it creates the user, will this work if we create the user using smbpasswd -a user and it doesn`t exist as a unix user?, note that there is not an active directory server only the samba PDC.


delete user script = usr/sbin/userdel �r %u

will this work if we delete the user in the samba server with smbpasswd -x user?, ?, note that there is not an active directory server only the samba PDC.

On Wed May 6 2009 11:06 am, Easgs wrote:

>
>> [profiles] is needed for roaming profiles, one big advantage to a domain
>> and
>> [homes] is always handy because it gives you access to your Linux home
>> directory.
>
>
> I think that for the moment I won`t use that services, since I want to
> understand other basic options first.
>
>> Be sure to join all machines to the domain including your Linux
>> machine. To
>> add the Linux machine to it's own domain use:
>>
>> Code:
>> net rpc join -Uroot%<root password>
>>
>>
>
> Do I need to do that even in the samba PDC?
There seems to be some debate on this. I recommend adding the PDC to the
domain, it does no harm.

>
> Reading some about the "add user script = /usr/sbin/useradd -m %u"
> function, this option adds the UNIX user in the case that there is in
> use an active directory server and the unix user doesn`t exist in the
> samba server, samba checks the autentication and if it is sucessfull it
> creates the user, will this work if we create the user using smbpasswd
> -a user and it doesn`t exist as a unix user?, note that there is not an
> active directory server only the samba PDC.
No when you add users with smbpasswd you still need a Linux user. This only
works when the user is already in another account data base ( on say a NT or
AD server)

> delete user script = usr/sbin/userdel �r %u
>
> will this work if we delete the user in the samba server with smbpasswd
> -x user?, ?, note that there is not an active directory server only the
> samba PDC.
No, this is used when managing clients with a remote RPC tool.

For the use of these and other parameters in /etc/samba/smb.conf see:

Code:

man smb.conf

You should also map the Windows groups to Linux groups with "net groupmap
add". I find it easier to just do this in a script. The script I run is
below. You should be able to just paste this into a file, make it executable
and run it (as root). The first three are the most important.

Code:

#!/bin/bash
#
#initGrps.sh
#
#Map Windows Domain Groups to Unixgroups
net groupmap add rid=512 unixgroup=root type=d ntgroup="Domain Admins"
net groupmap add rid=513 unixgroup=users type=d ntgroup="Domain Users"
net groupmap add rid=514 unixgroup=nobody type=d ntgroup="Domain Guests"

#Map Windows XP local groups to local UNIX groups
net groupmap add rid=545 unixgroup=users type=l ntgroup="Users"
net groupmap add rid=546 unixgroup=nobody type=l ntgroup="Guests"
net groupmap add rid=547 unixgroup=ntadmin type=l ntgroup="Power Users"

Check your groupmap with:

Code:

su
net groupmap list

--
P. V.
"We're all in this together, I'm pulling for you." Red Green

[Easgs]

ok, I will remove those two options, but this option is mandatory?, add machine script = /usr/sbin/useradd –c Machine –d /var/lib/nobody –s
/bin/false %m$

I have found several examples of the same option and I don`t know wich one to choose.

this is the list:

add machine script = /usr/sbin/adduser -n -g machines -c Machine -d /dev/null -s /bin/false %u

add machine script = /usr/sbin/useradd -c Machine -d /var/lib/nobody -s /bin/false %m$

add machine script = /usr/sbin/useradd -s /bin/false -d /dev/null -g machines %u

add machine script = /usr/sbin/useradd -d /dev/null -g sambamachines -c 'Samba Machine Account' -s /dev/null -M '%u'

add machine script = /usr/sbin/useradd -s /bin/false/ -d /var/lib/nobody %u

add machine script = /usr/sbin/useradd -d /dev/null -g 100 -s /bin/false -c "Cuenta de máquina" -M %u

add machine script = /usr/sbin/useradd -s /bin/false -d /dev/null '%u'


any suggestion about which one is the more recommended for opensuse 11.x?

thanks

On Wed May 6 2009 04:26 pm, Easgs wrote:

>
> ok, I will remove those two options, but this option is mandatory?, add
> machine script = /usr/sbin/useradd –c Machine –d /var/lib/nobody –s
> /bin/false %m$
This needs a "-" before c,d,s. See "man useradd"
> I have found several examples of the same option and I don`t know wich
> one to choose.
>
> this is the list:
>
> add machine script = /usr/sbin/adduser -n -g machines -c Machine -d
> /dev/null -s /bin/false %u
>
> add machine script = /usr/sbin/useradd -c Machine -d /var/lib/nobody -s
> /bin/false %m$
>
> add machine script = /usr/sbin/useradd -s /bin/false -d /dev/null -g
> machines %u
>
> add machine script = /usr/sbin/useradd -d /dev/null -g sambamachines -c
> 'Samba Machine Account' -s /dev/null -M '%u'
>
> add machine script = /usr/sbin/useradd -s /bin/false/ -d
> /var/lib/nobody %u
>
> add machine script = /usr/sbin/useradd -d /dev/null -g 100 -s
> /bin/false -c "Cuenta de máquina" -M %u
>
> add machine script = /usr/sbin/useradd -s /bin/false -d /dev/null '%u'
>
>
> any suggestion about which one is the more recommended for opensuse
> 11.x?
>
> thanks
>
>
Easgs;

This works for our Suse systems; I suspect that most of the others also work,
but never tested. You should look at "man useradd" for the use of -c,-d,-g,-s.
See: man smb.conf for the use of %u,%m. Note that machine names must with a $.

Code:

add machine script = /usr/sbin/useradd  -c Machine -d /var/lib/nobody -s /bin/false '%u'

(note: the above should be one line, it may get wrapped when I transmit)
--
P. V.
"We're all in this together, I'm pulling for you." Red Green

[Easgs]

Quote:

add machine script = /usr/sbin/useradd -c Machine -d /var/lib/nobody -s /bin/false '%u'

I have been reading man pages for both smb.conf and useradd and I have two questions about it

The default for useradd in opensuse are:

GROUP=100
HOME=HOME
INACTIVE=-1
EXPIRE=
SHELL=/bin/bash
SKEL=/etc/skel
GROUPS=video,dialout
CREATE_MAIL_SPOOL=no

this means that the add machine script = /usr/sbin/useradd -c Machine -d /var/lib/nobody -s /bin/false '%u' command will create the entry with the machine comment in the password file, will add the new user in the 100 (users) group which is the default and the '%u' will be used to create the machine with the user name, if only root has access rights to join machines to the domain, then all the machines will be created with that name?, where will the machine name take the $ caracter?, I am thinking about adding "-g machines" to the command and create a machines group to add all the pc to that group instead of the users group which is the default.

I read too in the smb.conf man pages the following

Quote:

add machine script (G)

This is the full pathname to a script that will be run by smbd(8) when a machine is added to SambaŽs domain and a Unix account matching the machineŽs name appended with a "$" does not already exist.

This option is very similar to the add user script, and likewise uses the %u substitution for the account name. Do not use the %m substitution.

Default: add machine script =

Example: add machine script = /usr/sbin/adduser -n -g machines -c Machine -d /var/lib/nobody -s /bin/false %u

so it is not recommended the use of %m which is the opensuse default.

Quote:

%m
the NetBIOS name of the client machine (very useful).

This parameter is not available when Samba listens on port 445, as clients no longer send this information. If you use this macro in an include statement on a domain that has a Samba domain controller be sure to set in the [global] section smb ports = 139. This will cause Samba to not listen on port 445 and will permit include functionality to function as it did with Samba 2.x.

Quote:

The following substitutes apply only to some configuration options (only those that are used when a connection has been established):


%u
username of the current service, if any.

On Thu May 7 2009 10:06 am, Easgs wrote:

<snip>
> where will the machine name take the $ caracter?, I am
> thinking about adding "-g machines" to the command and create a machines
> group to add all the pc to that group instead of the users group which
> is the default.
>

Easgs;
For machines %u contains the $, placing quotes around it makes sure that is the
netbios name contains white spaces the full name is used. If you use %m in your
script then it needs to be %m$, %m is just the netbios name with no $. No
problem creating a machine group if you want.
--
P. V.
"We're all in this together, I'm pulling for you." Red Green

[Easgs]

Thanks a lot for your help and time.