El Samba com a controlador de dominis

Although it cannot act as an Active Directory Primary Domain Controller (PDC), a Samba server can be configured to appear as a Windows NT4-style domain controller. A major advantage of this configuration is the ability to centralize user and machine credentials. Samba can also use multiple backends to store the user information.

Primary Domain Controller

This section covers configuring Samba as a Primary Domain Controller (PDC) using the default smbpasswd backend.

  1. First, install Samba, and libpam-smbpass to sync the user accounts, by entering the following in a terminal prompt:

    sudo apt-get install samba libpam-smbpass
  2. Next, configure Samba by editing /etc/samba/smb.conf. The security mode should be set to user, and the workgroup should relate to your organization:

       workgroup = EXEMPLE
       security = user
  3. In the commented Domains section add or uncomment the following:

       domain logons = yes
       logon path = \\%N\%U\profile
       logon drive = H:
       logon home = \\%N\%U
       logon script = logon.cmd
       add machine script = sudo /usr/sbin/useradd -N -g machines -c Machine -d /var/lib/samba -s /bin/false %u
    • domain logons: proporciona el servei netlogon, que fa que el Samba actuï com un controlador de domini.

    • logon path: situa el perfil de l'usuari del Windows al seu directori personal. També existeix la possibilitat de configurar un recurs compartit [profiles] que englobi tots els perfils dins d'un directori.

    • logon drive: especifica el camí local del directori de l'usuari.

    • logon home: especifica la ubicació del directori de l'usuari.

    • logon script: determina l'script que s'executarà tan bon punt l'usuari iniciï la sessió. L'script s'ha de col·locar dins del recurs compartit [netlogon].

    • add machine script: a script that will automatically create the Machine Trust Account needed for a workstation to join the domain.

      In this example the machines group will need to be created using the addgroup utility see “Adding and Deleting Users” for details.


    If you wish to not use Roaming Profiles leave the logon home and logon path options commented.

  4. Uncomment the [homes] share to allow the logon home to be mapped:

       comment = Home Directories
       browseable = no
       read only = no
       create mask = 0700
       directory mask = 0700
       valid users = %S
  5. When configured as a domain controller a [netlogon] share needs to be configured. To enable the share, uncomment:

       comment = Network Logon Service
       path = /srv/samba/netlogon
       guest ok = yes
       read only = yes
       share modes = no

    The original netlogon share path is /home/samba/netlogon, but according to the Filesystem Hierarchy Standard (FHS), /srv is the correct location for site-specific data provided by the system.

  6. Now create the netlogon directory, and an empty (for now) logon.cmd script file:

    sudo mkdir -p /srv/samba/netlogon
    sudo touch /srv/samba/netlogon/logon.cmd

    You can enter any normal Windows logon script commands in logon.cmd to customize the client's environment.

  7. With root being disabled by default, in order to join a workstation to the domain, a system group needs to be mapped to the Windows Domain Admins group. Using the net utility, from a terminal enter:

    sudo net groupmap add ntgroup="Domain Admins" unixgroup=sysadmin rid=512 type=d

    Change sysadmin to whichever group you prefer. Also, the user used to join the domain needs to be a member of the sysadmin group, as well as a member of the system admin group. The admin group allows sudo use.

  8. Finally, restart Samba to enable the new domain controller:

    sudo /etc/init.d/samba restart
  9. You should now be able to join Windows clients to the Domain in the same manner as joining them to an NT4 domain running on a Windows server.

Backup Domain Controller

With a Primary Domain Controller (PDC) on the network it is best to have a Backup Domain Controller (BDC) as well. This will allow clients to authenticate in case the PDC becomes unavailable.

When configuring Samba as a BDC you need a way to sync account information with the PDC. There are multiple ways of accomplishing this scp, rsync, or by using LDAP as the passdb backend.

Using LDAP is the most robust way to sync account information, because both domain controllers can use the same information in real time. However, setting up a LDAP server may be overly complicated for a small number of user and computer accounts. See “Samba and LDAP” for details.

  1. First, install samba and libpam-smbpass. From a terminal enter:

    sudo apt-get install samba libpam-smbpass
  2. Now, edit /etc/samba/smb.conf and uncomment the following in the [global]:

       workgroup = EXEMPLE
       security = user
  3. In the commented Domains uncomment or add:

       domain logons = yes
       domain master = no
  4. Make sure a user has rights to read the files in /var/lib/samba. For example, to allow users in the admin group to scp the files, enter:

    sudo chgrp -R admin /var/lib/samba
  5. Next, sync the user accounts, using scp to copy the /var/lib/samba directory from the PDC:

    sudo scp -r nomusuari@pdc:/var/lib/samba /var/lib

    Replace username with a valid username and pdc with the hostname or IP Address of your actual PDC.

  6. Finally, restart samba:

    sudo /etc/init.d/samba restart

You can test that your Backup Domain controller is working by stopping the Samba daemon on the PDC, then trying to login to a Windows client joined to the domain.

Another thing to keep in mind is if you have configured the logon home option as a directory on the PDC, and the PDC becomes unavailable, access to the user's Home drive will also be unavailable. For this reason it is best to configure the logon home to reside on a separate file server from the PDC and BDC.