Building a member server with Samba 3.x on FreeBSD 6.x
Jan 3, 2010

This procedure creates a "member server" in a Windows Domain. It does NOT create a primary domain controller (PDC). Member servers provide domain users with secure access to network resources, and therefore require authentication, but unlike a PDC, they do not maintain a password database. They hand authentication off to the PDC, and automatically allow authenticated users access. This allows the use of a single password to access network resources on the PDC and on multiple member servers.

If you only have one server, but you'd still like to secure the resources made available by that server, consider using password-protected shares ("user-level" security) instead of domains. Domains are only useful with two or more servers.

The configuration below assumes the PDC is named "emachine", on IP address 192.168.1.201, and is running an NT4-style domain called TESTDOM. It also assumes the member server is named "array" and is on IP address 192.168.1.202, and that the member server is to join the TESTDOM domain.

This procedure does not define home directories, a netlogon directory, user profile directories or a login script - these are all handled by the PDC.

Note: the PDC should be built and online before commencing the process below.

Other pertinent design factors:

See also: troubleshooting Samba

  1. ON THE PDC, create a machine account for the member server in /etc/passwd:
    pw useradd -g machines -n array\$ -s /sbin/nologin -c "machine account"
    

    Note: If the hostname of the member server is array.yourdomain.com then the hostname to use is "array" (without the quotes). Note also that, on FreeBSD, the \ MUST precede the $ sign. The $ denotes a machine account; however, pw does not permit $ signs in account names unless they are escaped with \. The above command also uses the group "machines" which, it is assumed, was created when the PDC was built. Lastly, note that this command uses the FreeBSD-specific pw utility (docs: manpage).

    Repeat, this step must be done on the PDC, not the member server!

  2. ON THE PDC, create a machine account for the member server in Samba:
    smbpasswd -a -m array
    

    Note: do not include the $ sign here, it is automatically added.

    Repeat, this step must be done on the PDC, not the member server!

  3. ON THE PDC, add the member server to the PDC's hosts file:
    echo 192.168.1.202 array >> /etc/hosts
    

    Substitute the IP address and hostname of your member server here. Placing the member server in /etc/hosts may not strictly be necessary, but it's certainly useful for troubleshooting. You could try skipping this step - if you have name resolution issues, you know where to look first.

    Repeat, this step must be done on the PDC, not the member server!

  4. On the member server, install and configure Samba:

    1. cd /usr/ports/net/samba3
    2. make install clean (this requires a live internet connection, and takes a while)
    3. from Samba's install options, select at least: SYSLOG, UTMP, PAM_SMBPASS, POPT, PCH, WINBIND (and CUPS if you want to use the PDC as a printserver)
    4. cd /usr/local/etc
    5. cp smb.conf.default smb.conf
    6. chmod 644 smb.conf
    7. vi /usr/local/etc/smb.conf
    8. delete everything
    9. paste something like the below, altering it to suit your environment:
      # smb.conf - member server
      
      [global]
      workgroup = TESTDOM
      server string = Samba Server [storage]
      security = domain
      password server = emachine
      hosts deny = ALL
      hosts allow = 192.168.1., 127.
      log level = 1
      log file = /var/log/samba/log.%m
      max log size = 300
      domain logons = no
      domain master = no
      preferred master = no
      os level = 20
      wins server = emachine
      dns proxy = no
      name resolve order = lmhosts host wins bcast
      allow trusted domains = no
      winbind enum users = yes
      winbind enum groups = yes
      template shell = /sbin/nologin
      template homedir = /home/%D/%U
      idmap uid = 10000-20000
      idmap gid = 10000-20000
      hide dot files = yes
      logon script = 
      logon path =
      logon home =
      encrypt passwords = yes
      lm announce = no
      lanman auth = no
      min protocol = NT1
      
      [vol1]
      path = /data/smbspace
      read only = no
      valid users = "+TESTDOM\Domain Users" TESTDOM\root
      create mask = 0660
      directory mask = 0771
      
    10. save the changes and exit the editor

  5. On the member server, add the PDC to /etc/hosts (OR, use an IP address in the password server setting in smb.conf):
    echo 192.168.1.201 emachine >> /etc/hosts
    

    Substitute the IP address and hostname of your PDC here. If, when attempting to connect to the member server, the message appears, "there are currently no logon servers available to service the logon request", check that the member server can resolve the hostname used in the "password server" setting.

  6. On the member server, configure NSS to use Winbind:
    vi /etc/nsswitch.conf
    

    Set the group and password lines as follows:

    group: files winbind
    passwd: files winbind
    
  7. On the member server, configure /etc/rc.conf to enable Samba and Winbind on boot:
    echo samba_enable=\"YES\" >> /etc/rc.conf
    echo winbindd_enable=\"YES\" >> /etc/rc.conf
    
  8. On the member server, join the domain (this must be done BEFORE Samba is started):
    rehash
    net rpc join -Uroot
    

    When prompted, enter root's SMB password (that is, the Samba password for the root account on the PDC). The rehash command is used here to add the freshly installed Samba binaries to the path.

  9. On the member server, reboot

    A reboot is recommended here. This will verify that Samba and Winbind start automatically. The server should automatically rejoin the domain on startup. Don't forget to log back in as root before continuing.

  10. On the member server, create the share directory, and set group ownership and permissions:
    mkdir /data
    mkdir /data/smbspace
    chgrp "TESTDOM\Domain Users" /data/smbspace
    chmod 770 /data/smbspace
    

    This must be done AFTER Samba is started (as it uses a domain group).
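
The access-control and authentication settings in step 4's smb.conf can be checked mechanically before the join in step 8. The following is an added example, not part of the original procedure: a POSIX sh audit of the [global] section and the file mode against the values this page sets. The function names and the sample file are constructed for illustration.

```shell
# Added example (not the page's own code): audit [global] of a member-server
# smb.conf against the values this page sets. Function names are hypothetical.
get_global() {   # get_global FILE KEY: value of KEY in [global], last one wins
    awk -v want="$2" '
        /^[ \t]*[#;]/ { next }
        /^[ \t]*\[/   { g = (tolower($0) ~ /^[ \t]*\[global\]/); next }
        g && (p = index($0, "=")) {
            k = tolower(substr($0, 1, p - 1)); v = substr($0, p + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (k == want) found = v
        }
        END { print found }' "$1"
}

expect_global() { # expect_global FILE KEY VALUE: case-insensitive compare
    got=$(get_global "$1" "$2" | tr '[:upper:]' '[:lower:]')
    if [ "$got" = "$3" ]; then echo "ok   $2 = $3"; return 0; fi
    echo "FAIL $2: want '$3', found '${got:-unset}'"
    fails=$((fails + 1))
}

audit_smb_conf() {
    fails=0
    expect_global "$1" "security" "domain"
    expect_global "$1" "encrypt passwords" "yes"
    expect_global "$1" "lanman auth" "no"
    expect_global "$1" "allow trusted domains" "no"
    expect_global "$1" "hosts deny" "all"
    if [ -z "$(get_global "$1" "hosts allow")" ]; then
        echo "FAIL hosts allow: unset while hosts deny = ALL"; fails=$((fails + 1))
    fi
    # The page sets mode 644: only the owner may rewrite smb.conf.
    if [ -n "$(find "$1" -prune \( -perm -020 -o -perm -002 \))" ]; then
        echo "FAIL $1 is group- or world-writable"; fails=$((fails + 1))
    fi
    [ "$fails" -eq 0 ]
}

write_sample() { # constructed sample: security-relevant [global] lines from the page
    printf '%s\n' '[global]' 'security = domain' 'password server = emachine' \
        'hosts deny = ALL' 'hosts allow = 192.168.1., 127.' \
        'allow trusted domains = no' 'encrypt passwords = yes' \
        'lanman auth = no' '[vol1]' 'path = /data/smbspace' > "$1"
}

demo=$(mktemp /tmp/smbconf.XXXXXX)
write_sample "$demo"
audit_smb_conf "$demo"
rm -f "$demo"
```

On the member server, run audit_smb_conf /usr/local/etc/smb.conf; a non-zero exit status means at least one check failed. A setting left unset is reported as a failure, because the page sets each of these values explicitly.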

Notes: