Setup Samba As Primary Domain Controller


When configuring Samba to act as an NT Primary Domain Controller (PDC), we need to make extensive edits to the smb.conf file. To start, open /etc/samba/smb.conf in your favorite text editor and begin at the top of the file. The following is a sample configuration file for Samba acting as a PDC.

    [root@LinuxServer tmp]# cat /etc/samba/smb.conf
    [global]
    workgroup = ROBOTICS
    server string = Samba/NT PDC
    netbios name = LinuxServer
    security = user
    encrypt passwords = yes
    smb passwd file = /etc/samba/smbpasswd
    unix password sync = yes
    passwd program = /usr/bin/passwd %u
    passwd chat = *New*UNIX*password* %n\n *Retype*new*UNIX*password* %n\n *passwd:*all*authentication*tokens*updated*successfully*
    preferred master = yes
    domain master = yes
    local master = yes
    os level = 64
    domain logons = yes
    add user script = /usr/bin/useradd -d /dev/null -g 100 -s /bin/false -M %u

    ; the [homes] and [netlogon] share headers below are assumed; the original listing omitted them
    [homes]
    comment = Home Directories of users
    invalid users = root,sys,uucp
    writable = yes
    browseable = no

    [netlogon]
    path = /etc/samba/netlogon
    guest ok = yes
    browseable = no
    share modes = no
    write list = administrator
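A quick way to catch the mistakes that silently break this setup (wrong security mode, an os level that loses browser elections, a passwd chat whose %n lost its \n so passwd never receives the new password, a missing [netlogon] share) is to lint the file before starting smb. The checker below is an added example, not code from the page or from the Samba project; SAMPLE_CONF is a constructed copy of the [global] block above trimmed to the keys it checks.

```python
# Added example (not from the page): check an smb.conf for the PDC settings the listing above relies on.
import re

# Constructed sample that mirrors the page's [global] block, trimmed to the checked keys.
SAMPLE_CONF = r"""[global]
security = user
encrypt passwords = yes
unix password sync = yes
passwd program = /usr/bin/passwd %u
passwd chat = *New*UNIX*password* %n\n *Retype*new*UNIX*password* %n\n *passwd:*all*authentication*tokens*updated*successfully*
preferred master = yes
domain master = yes
local master = yes
os level = 64
domain logons = yes
[netlogon]
path = /etc/samba/netlogon
"""

REQUIRED_GLOBALS = {"security": "user", "encrypt passwords": "yes", "domain logons": "yes",
                    "domain master": "yes", "preferred master": "yes", "local master": "yes"}

def parse_smb_conf(text):
    # Minimal reader: [section] headers, 'key = value' lines, '#' or ';' comments.
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            conf.setdefault(section, {})
        elif "=" in line and section is not None:
            key, _, val = line.partition("=")
            conf[section][key.strip().lower()] = val.strip()
    return conf

def check_pdc_conf(text):
    # Returns a list of findings; an empty list means the PDC-related settings look right.
    conf = parse_smb_conf(text)
    g = conf.get("global", {})
    findings = [f"[global] {k} should be {v}" for k, v in REQUIRED_GLOBALS.items()
                if g.get(k, "").lower() != v]
    if not g.get("os level", "").isdigit() or int(g["os level"]) <= 32:
        findings.append("[global] os level must exceed 32 (an NT server) to win browser elections")
    # A lost '\n' after %n (as in a sloppy copy-paste) means passwd never receives the new password.
    if g.get("unix password sync", "").lower() == "yes" and re.search(r"%n(?!\\n)", g.get("passwd chat", "")):
        findings.append("[global] passwd chat: every %n must be followed by \\n")
    if "path" not in conf.get("netlogon", {}):
        findings.append("[netlogon] share with a path is required when domain logons = yes")
    return findings
```

Run it as `check_pdc_conf(open("/etc/samba/smb.conf").read())` on the real file; an empty list is the pass condition.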

  • Creating machine trust accounts on your PDC

On a Microsoft Windows NT PDC, machine trust accounts are user accounts owned by a single computer. The machine trust account password is a shared secret that allows for secure communication with the domain controller. Under Microsoft Windows NT, these trusted account passwords are stored in the registry. On a Samba PDC under Linux, these passwords are stored in the same location as your smbpasswd file.

You can create trusted machine accounts on your Samba PDC in two ways.

The first method is to manually create the account with a known password (such as the lower-case NetBIOS name of the machine) before you join the machine to the domain. For example, let's say we're adding the machine "robopc1" manually to our domain. Using a text editor as root, open the /etc/passwd file and create an entry that looks like this:

The "$" appended to the user "robopc1" in the /etc/passwd entry marks it as a machine account. The rest of the settings establish the account without a home directory and with no shell access. Once you've created this entry, add the user to your /etc/samba/smbpasswd file with the following command, run as the superuser root:

    [root@LinuxServer tmp]# smbpasswd -a -s -m robopc1
    New Unix Password : ******
    Retype New Unix Password : ******
    passwd: all authentication tokens updated successfully

The other method creates the trusted machine account when the administrator joins the machine to the domain. This second method uses the session key of the administrative account as an encryption key for setting the password to a random value. In the [global] section of the /etc/samba/smb.conf file, add the setting:

add user script = /usr/sbin/useradd -d /dev/null -g 100 -s /bin/false -M %u


You should then immediately join the machine to the domain with your NT Admin applet.


  • Start the smb service.

[root@LinuxServer tmp]# /etc/init.d/smb start
Starting SMB services: [OK]
Starting NMB services: [OK]
