building a Primary Domain Controller (PDC) with Samba 3.x on FreeBSD 6.x
Jan 3, 2010

Domains are primarily useful for providing users with a "single sign on" - the ability to securely use multiple servers, while only entering one password. If your network only has a single server, you won't need to use domains. However, if you have more than a single server, domains can be useful, to avoid having to authenticate separately against each server, and to simplify account management.

If you only have one server, but you'd still like to secure the resources made available by that server, consider using password-protected shares ("user-level" security) instead of domains. Domains are only useful with two or more servers. Note that this article creates a PDC, not a member server. See building a member server to do that. Note also that Samba 3.x cannot be a Win2k-style AD controller; it can only be an NT4-style PDC. If all that's needed is something to authenticate against, an NT4-style PDC is fine.

Samba can obtain authentication information (e.g. user passwords) from a number of different locations, including LDAP, tdbsam, and smbpasswd. smbpasswd is Samba's original authentication backend; it is now supported only for legacy reasons. LDAP is suited to large networks with existing directory services. There are pros and cons for each; see the docs. This article assumes use of tdbsam.

The configuration below creates a shared volume on the PDC, and a home directory for each user, which only they can access. You may wish to disable one or both of these (it's possible to run Samba purely as an authentication server if desired). A logon script is also defined - again, disable if not required.

Other pertinent design factors:

See also: troubleshooting Samba

  1. Install and configure Samba:

    1. cd /usr/ports/net/samba3
    2. make install clean (this requires a live internet connection, and takes a while)
    3. from Samba's install options, select at least: SYSLOG, UTMP, PAM_SMBPASS, POPT, PCH (and CUPS if you want to use the PDC as a printserver)
    4. cd /usr/local/etc
    5. cp smb.conf.default smb.conf
    6. chmod 644 smb.conf
    7. vi /usr/local/etc/smb.conf
    8. delete everything
    9. paste something like the below, altering it to suit your environment:
      # smb.conf - PDC
      
      [global]
      workgroup = TESTDOM
      server string = Samba Server [PDC]
      security = user
      passdb backend = tdbsam
      hosts deny = ALL
      hosts allow = 192.168.1., 127.
      log level = 1
      log file = /var/log/samba/log.%m
      max log size = 300
      domain logons = Yes
      domain master = Yes
      ### preferred master should be set to NO if there is another preferred master on the same subnet
      preferred master = Yes
      os level = 255
      ### WINS should be set to NO if a WINS server is already on the network
      wins support = yes
      dns proxy = no
      name resolve order = lmhosts host wins bcast
      hide dot files = yes
      logon script = logon.bat
      logon path =
      logon home =
      encrypt passwords = yes
      lm announce = no
      lanman auth = no
      min protocol = NT1
      
      [netlogon]
      comment = Network Logon Service
      path = /usr/local/lib/samba/netlogon
      locking = No
      
      [homes]
      comment = Home Directory
      read only = No
      browseable = No
      valid users = %S
      
      [x-drive]
      comment = Test Share
      path = /data/smbspace
      valid users = root @staff
      read only = No
      create mask = 0660
      directory mask = 0771
      
    10. save the changes and exit the editor

  2. Create a unix group to contain your Samba users, if needed:
    pw groupadd staff
    

    Note: this uses the FreeBSD-specific pw command (docs: manpage)

  3. Create the netlogon directory, and allocate permissions to it:
    mkdir /usr/local/lib/samba/netlogon
    chgrp staff /usr/local/lib/samba/netlogon
    chmod 750 /usr/local/lib/samba/netlogon
    
  4. Create the share directory, and set group ownership and permissions (if needed):
    mkdir /data
    mkdir /data/smbspace
    chgrp staff /data/smbspace
    chmod 770 /data/smbspace
    
  5. Configure /etc/rc.conf to enable Samba on boot:
    echo samba_enable=\"YES\" >> /etc/rc.conf
    
  6. Reboot

    A reboot is recommended here. This will put the Samba binaries into the path, and verify that Samba starts automatically. Don't forget to log back in as root before continuing.

  7. Create root user in Samba:
    smbpasswd -a root
    
  8. Create a unix group to contain the machine accounts:
    pw groupadd machines
    
  9. For each workstation, create a machine account in /etc/passwd:
    pw useradd -g machines -n MACHINENAME\$ -s /sbin/nologin -c "machine account"
    

    Note: on FreeBSD, the \ MUST precede the $ sign. The $ denotes a machine account; however, pw does not permit $ signs in account names unless they are escaped with \.

  10. For each workstation, create a machine account in Samba:
    smbpasswd -a -m MACHINENAME
    

    Note: do not include the $ sign here, it is automatically added.

  11. For each user, create a user account in /etc/passwd:
    pw useradd -n USERNAME -s /sbin/nologin -c "User Name" -g staff -m
    

    Unless otherwise desired, the unix user account should be set to "nologin". This does not prevent users from accessing the share, but it does stop them logging in with telnet, etc. Note that -c is the comment field; XP displays it at the top of the Start menu, e.g. "Test User". Also note that no password is defined for the unix user account; that's OK as the account is set to "nologin". Lastly, note that -m tells pw to create the user's home directory; if you're not creating home directories, remove it.

  12. For each user, create a user account in Samba:
    smbpasswd -a testuser
    

    The users must exist on the system already (i.e. a unix user account must exist for each Samba user). The SMB password can be different from the unix account password (if one is defined).

  13. Map Windows groups to unix groups:
    net groupmap add ntgroup="Domain Admins" unixgroup=wheel rid=512 type=domain
    net groupmap add ntgroup="Domain Users" unixgroup=staff rid=513 type=domain
    net groupmap add ntgroup="Domain Guests" unixgroup=nobody rid=514 type=domain
    
  14. Configure each workstation:

  15. To install a login script, make it on a Windows machine (the file must be CR/LF terminated), copy it to the server, then (assuming it ended up in /data/smbspace):
    mv /data/smbspace/logon.bat /usr/local/lib/samba/netlogon
    chgrp staff /usr/local/lib/samba/netlogon/logon.bat
    chmod 640 /usr/local/lib/samba/netlogon/logon.bat
    

    The login script must be group-owned by the samba user group. Docs: manpage
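    As an added check that is not part of the original article, the script below audits an smb.conf for the PDC settings step 1 depends on (user security with the tdbsam backend, encrypted passwords, LANMAN authentication disabled, a hosts allow list to go with hosts deny = ALL, and a non-browseable [homes] share restricted to its owner). The config it parses is a constructed sample with one setting deliberately weakened; point smb_audit at /usr/local/etc/smb.conf to check a real file.

```shell
# Audit an smb.conf for the PDC settings this article relies on. Added example
# (not code from the article or from Samba); it only reads a config file.
# Constructed sample (not the full smb.conf); "lanman auth" is left at yes on purpose.
SAMPLE_CONF='[global]
security = user
passdb backend = tdbsam
hosts deny = ALL
hosts allow = 192.168.1., 127.
encrypt passwords = yes
lanman auth = yes

[homes]
browseable = No
valid users = %S'

# smb_get FILE SECTION KEY: print the trimmed value, or nothing if unset.
# Section and parameter names match case-insensitively, as in Samba.
smb_get() {
    awk -v want="$2" -v key="$3" '
        /^[ \t]*[#;]/ { next }
        /^[ \t]*\[/ { s = $0; sub(/^[ \t]*\[/, "", s); sub(/].*$/, "", s); next }
        tolower(s) == tolower(want) && index($0, "=") {
            k = substr($0, 1, index($0, "=") - 1); v = substr($0, index($0, "=") + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (tolower(k) == tolower(key)) { print v; exit }
        }' "$1"
}

# smb_match WANT GOT: empty WANT means "must be set"; booleans and ALL compare
# case-insensitively; the %S macro must match exactly (%s is a different macro).
smb_match() {
    case $1 in
        '') [ -n "$2" ] ;;
        %*) [ "$1" = "$2" ] ;;
        *)  [ "$(printf %s "$1" | tr A-Z a-z)" = "$(printf %s "$2" | tr A-Z a-z)" ] ;;
    esac
}

# smb_audit FILE: one line per check; exit status = number of failed checks.
# "hosts allow" must be set whenever hosts deny = ALL, or no client can connect.
smb_audit() {
    fails=0
    for spec in 'global|security|user' 'global|passdb backend|tdbsam' \
        'global|encrypt passwords|yes' 'global|lanman auth|no' 'global|hosts deny|ALL' \
        'global|hosts allow|' 'homes|browseable|no' 'homes|valid users|%S'; do
        sect=${spec%%|*}; rest=${spec#*|}; key=${rest%%|*}; want=${rest#*|}
        got=$(smb_get "$1" "$sect" "$key")
        if smb_match "$want" "$got"; then echo "OK   [$sect] $key = $got"
        else echo "FAIL [$sect] $key = '${got:-(unset)}' (expected '${want:-set}')"; fails=$((fails + 1))
        fi
    done
    return $fails
}
```

    Running `printf '%s\n' "$SAMPLE_CONF" > /tmp/smb.conf; smb_audit /tmp/smb.conf` reports one FAIL line, for lanman auth, and exits with status 1.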

Notes: