How to Create a PDC on CC using Samba 3

Posted on Sunday, February 15 @ 18:15:22 EST
Topic: Samba Articles

This is an update to the howto posted by jani in the CC forums. The original article can be referred to here. This adds functionality enhancements to that howto as well as updating the rpms used. I will revisit this article at some point to extend it to a standalone howto for PDC creation on CC. The settings used in my smb.conf may not suit everyone, as it is optimised for Windows 2000 and XP clients. I also appear to have experienced speed increases with this upgrade over both the previous Samba 2 binaries and the initial Samba 3 binaries. Have fun with it, and I would appreciate any comments.

Get updated rpms for Samba 3 (samba-3.0.2-5)

There is a later version of the Samba rpms available from Fedora Core Updates, but I have not tried that. These are available from rpmfind, but only on the http://fr2.rpmfind.net/ mirror. Files for easy reference are:

samba-3.0.2-5.i386.rpm
samba-common-3.0.2-5.i386.rpm
samba-client-3.0.2-5.i386.rpm

For completeness I have added in the lib packages required as well:

libacl-2.2.7-2.i386.rpm
libattr-2.4.1-2.i386.rpm

Since these come from a third-party mirror, check the package signatures before installing them (rpm --checksig on each file).

Group modifications

Create a group called localadmins on the CC box. Add your "domain admin" accounts into this group, including root. Then map the well-known domain groups onto unix groups:

net groupmap modify ntgroup="Domain Users" unixgroup=users
net groupmap modify ntgroup="Domain Admins" unixgroup=localadmins
net groupmap modify ntgroup="Domain Guests" unixgroup=nobody

You can confirm the result with net groupmap list. These groups will now be replicated to machines added to the domain, i.e. the Domain Admins group will be added to the local Administrators group of the workstations. Remember to assign your unix user accounts to be members of the unix users group if you do not do so already.

Updated Samba config

This is my Samba config, with comments.
It works for my domain, but YMMV.

# Global parameters
[global]
   ;general name / domain settings
   workgroup = domain
   realm = domain.co.uk
   netbios name = clark
   server string = Fileserver

   ;domain server settings
   domain logons = Yes
   domain master = Yes
   preferred master = yes
   os level = 60
   logon script = logon.bat
   ;%L is this server's NetBIOS name, %U the user logging on;
   ;the profile lands in the [profiles] share defined below
   logon path = \\%L\profiles\%U

   ;other domain server settings
   encrypt passwords = yes
   smb passwd file = /etc/samba/smbpasswd
   passwd program = /usr/bin/passwd %u
   unix password sync = Yes
   pam password change = Yes

   ;custom domain security settings
   ;5 is weak; raise it for anything beyond a home LAN
   min passwd length = 5
   map acl inherit = yes
   null passwords = no
   utmp = yes
   ;adduser/deluser taking "user group" arguments is the Debian-style helper;
   ;on a Red Hat-based box such as CC /usr/sbin/adduser is a symlink to useradd
   ;and does not accept these arguments, so test them before relying on them
   add user to group script = /usr/sbin/adduser %u %g
   delete user from group script = /usr/sbin/deluser %u %g
   ;501 must be the gid of the unix group that holds the machine accounts
   add machine script = /usr/sbin/useradd -d /dev/null -g 501 -s /bin/false -M %u

   ;security settings
   ;with bind interfaces only set, 127.0.0.1 has to be listed as well or local
   ;tools such as smbpasswd cannot reach smbd
   interfaces = 192.168.1.0/24 127.0.0.1
   bind interfaces only = Yes

   ;log file settings
   max log size = 1000
   ;logs all machine connections in a separate file
   log file = /var/log/samba/%m.log

   ;generally accepted good performance socket options
   socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192 IPTOS_LOWDELAY

   wins support = Yes
   name resolve order = wins lmhosts bcast
   ;this turns off NetBIOS name service and browsing, which the WINS, domain
   ;master and os level settings above depend on; if domain logons or browsing
   ;fail, set it to no
   disable netbios = yes
   use client driver = Yes
   time server = yes
   preserve case = yes
   strict locking = no

   ;Winbind settings - not 100% sure on them yet
   winbind cache time = 10
   template homedir = /home/%D/%U
   template shell = /bin/bash
   winbind uid = 10000-20000
   winbind gid = 10000-20000
   winbind enum users = yes
   winbind enum groups = yes
   winbind use default domain = yes
   ;
   ;Below here are the share mappings.
   ;You will notice that some non-user shares are mounted under the samba
   ;directory under home. This is good for organisation purposes, e.g.
   ;backups, but they could be anywhere.
   ;

[printers]
   path = /tmp
   ;guest as printer admin lets anyone on the LAN alter printers and drivers
   ;over MS-RPC; use a real admin group here where you can
   printer admin = guest
   guest ok = Yes
   printable = Yes
   printing = cups
   print command = lpr -r -P%p -o raw %s
   browseable = No

[netlogon]
   comment = Network Logon Service
   path = /home/samba/netlogon
   guest ok = yes
   writable = no
   share modes = no
   ;a group in write list needs the @ prefix, and the group created above is
   ;localadmins
   write list = @localadmins

[profiles]
   path = /home/samba/profiles
   profile acls = yes
   writable = yes
   browseable = no
   guest ok = yes

[website]
   comment = Web Site
   path = /var/www
   read only = No
   create mask = 0755
   ;guest ok with read only = No means anyone on the LAN can drop files that
   ;the web server then serves; restrict it with valid users / write list
   ;unless that is really what you want
   guest ok = Yes

[Group]
   comment = Group Stuff
   path = /home/samba/group
   public = no
   writable = yes
   printable = no
   create mask = 0666
   directory mask = 0775
   # force user = users
   force group = users
   hide dot files = yes

[homes]
   comment = Home Directories
   read only = No
   browseable = No
   hide dot files = yes

Adding machines to the Domain

You must not have a connection to the domain when adding machines, e.g. a drive mapping. This is to ensure that the credentials used to add the machine to the domain are the only credentials in use. You can accomplish this by executing the following command from the Windows box's command line, and answering yes to the prompt:

net use * /del

Restart Services

Run testparm first to catch syntax errors in smb.conf, then restart:

service smb restart
service winbind restart

Issues Outstanding or to do

* Cannot change passwords from ctrl alt delete dialog [sorted]
* automatic add of machines to the domain [sorted]
* adding of domain admins to workstation admins group [sorted]
* OU support - requires LDAP
* extra user profile / account information - requires LDAP
* multiple group support - still to investigate the behaviour of secondary groups
* might not need winbind at all
* migrate smbpasswd file to tdbsam (Trivial Database format)
* migrate eventually to LDAP backend
* implement Policies using ntconfig.pol
* expand on logon script - perhaps using preexec and postexec samba functions

Good Links

http://ccfaq.valar.co.uk/modules.php?name=Web_Links&l_op=visit&lid=40
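Returning to the Group modifications section: the three net groupmap commands only do their job if the well-known groups end up with their fixed RIDs (512 Domain Admins, 513 Domain Users, 514 Domain Guests) under the domain SID, otherwise workstations will not recognise them. The script below is an added example, not part of the original howto, that checks a net groupmap list listing for exactly that. The listing it ships with is constructed, with a made-up domain SID, so it runs without Samba; the apply branch runs the howto's real commands and then checks the live listing. If modify reports a group as not yet mapped, net groupmap add with rid= and type=d creates the mapping instead, as noted in the comments.

```shell
#!/bin/sh
# Added example (not from the original howto): verify the well-known domain
# group mappings set up in the Group modifications section.
#
# `net groupmap list` prints one mapping per line as
#   <NT group> (<SID>) -> <unix group>
# and the well-known groups must carry the fixed RIDs 512 (Domain Admins),
# 513 (Domain Users) and 514 (Domain Guests) under the domain SID.

# Constructed sample listing; the domain SID below is made up for the example.
SAMPLE_GROUPMAP='Domain Admins (S-1-5-21-1000000000-2000000000-3000000000-512) -> localadmins
Domain Users (S-1-5-21-1000000000-2000000000-3000000000-513) -> users
Domain Guests (S-1-5-21-1000000000-2000000000-3000000000-514) -> nobody'

# check_mapping LISTING NTGROUP RID UNIXGROUP
# Succeeds only if LISTING maps NTGROUP, with the expected RID under a
# domain SID (S-1-5-21-x-y-z), onto UNIXGROUP.
check_mapping() {
    printf '%s\n' "$1" |
        grep -q "^$2 (S-1-5-21-[0-9]*-[0-9]*-[0-9]*-$3) -> $4\$"
}

# check_all_mappings LISTING
# Verifies the three mappings the howto sets up.
check_all_mappings() {
    check_mapping "$1" "Domain Admins" 512 localadmins &&
        check_mapping "$1" "Domain Users" 513 users &&
        check_mapping "$1" "Domain Guests" 514 nobody
}

# apply_groupmap: the howto's commands, run as root on the PDC, followed by
# the check above against the live listing. If `modify` complains that a
# group is not mapped yet, create the mapping instead, e.g.
#   net groupmap add ntgroup="Domain Admins" unixgroup=localadmins rid=512 type=d
apply_groupmap() {
    getent group localadmins >/dev/null || groupadd localadmins
    net groupmap modify ntgroup="Domain Users" unixgroup=users
    net groupmap modify ntgroup="Domain Admins" unixgroup=localadmins
    net groupmap modify ntgroup="Domain Guests" unixgroup=nobody
    check_all_mappings "$(net groupmap list)"
}

case "${1:-check}" in
    apply) apply_groupmap ;;
    *)     check_all_mappings "$SAMPLE_GROUPMAP" && echo "sample mappings OK" ;;
esac
```

Run it with no arguments to exercise the check against the sample; run it as root with apply on the PDC to perform the mapping and verify it. A mapping onto the wrong unix group, or a group that has been given an ordinary RID instead of the well-known one, fails the check.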
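On the share definitions above: [website] is guest-accessible and writable, and so is [profiles], which is the combination that lets any host on the LAN write to the share without credentials. The script below is an added example, not part of the original howto, that reads an smb.conf and lists every share with that combination. It matches parameter names the way Samba does (case-insensitive, whitespace ignored) and honours the synonyms public, writable, writeable, write ok and read only. The config it carries is a constructed excerpt of the shares above, so it runs without Samba installed; against the live config, feed it the output of testparm -s.

```shell
#!/bin/sh
# Added example (not from the original howto): list the shares in an smb.conf
# that are both guest-accessible and writable. On the howto's shares this flags
# profiles and website; printers and netlogon are guest but not writable, and
# Group is writable but not guest.

# Constructed sample config: only the share parameters that matter here.
SAMPLE_SMB_CONF='[global]
   workgroup = domain
[printers]
   path = /tmp
   guest ok = Yes
   printable = Yes
[netlogon]
   path = /home/samba/netlogon
   guest ok = yes
   writable = no
   write list = @localadmins
[profiles]
   path = /home/samba/profiles
   writable = yes
   guest ok = yes
[website]
   path = /var/www
   read only = No
   guest ok = Yes
[Group]
   path = /home/samba/group
   public = no
   writable = yes
   # force user = users
[homes]
   read only = No
   browseable = No'

# guest_writable_shares: reads an smb.conf on stdin and prints, one per line,
# every share that is guest-accessible and writable. [global] is skipped.
# Keys are lower-cased with whitespace removed, as Samba treats them.
guest_writable_shares() {
    awk '
        function isyes(v) { v = tolower(v); return (v == "yes" || v == "true" || v == "1") }
        function flush() {
            if (section != "" && tolower(section) != "global" && guest && writable)
                print section
        }
        /^[ \t]*[;#]/ { next }                      # comment line
        /^[ \t]*\[/ {                               # new section header
            flush()
            section = $0
            sub(/^[ \t]*\[/, "", section)
            sub(/\].*$/, "", section)
            guest = 0; writable = 0
            next
        }
        /=/ {
            key = $0; sub(/=.*$/, "", key); gsub(/[ \t]/, "", key); key = tolower(key)
            val = $0; sub(/^[^=]*=[ \t]*/, "", val); sub(/[ \t]+$/, "", val)
            if (key == "guestok" || key == "public") guest = isyes(val)
            else if (key == "writable" || key == "writeable" || key == "writeok") writable = isyes(val)
            else if (key == "readonly") writable = !isyes(val)
        }
        END { flush() }
    '
}

# Stand-alone run: audit the constructed sample. For the live config use
#   testparm -s /etc/samba/smb.conf 2>/dev/null | guest_writable_shares
printf '%s\n' "$SAMPLE_SMB_CONF" | guest_writable_shares
```

A share drops off the list once guest access is turned off, or once it is made read-only with writes limited to a write list, which is the fix suggested in the comments on [website].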