Domains are primarily useful for providing users with a "single sign on" - the ability to securely use multiple servers, while only entering one password. If your network only has a single server, you won't need to use domains. However, if you have more than a single server, domains can be useful, to avoid having to authenticate separately against each server, and to simplify account management.
If you only have one server, but you'd still like to secure the resources made available by that server, consider using password-protected shares ("user-level" security) instead of domains. Domains are only useful with two or more servers. Note that this article creates a PDC, not a member server. See building a member server to do that. Note also that Samba cannot be a Win2k-style AD controller, it can only be an NT4-style PDC. If all that's needed is something to authenticate against, an NT4-style PDC is fine.
Samba can obtain authentication information (e.g. user passwords) from a number of different locations, including LDAP, tdbsam, and smbpasswd. smbpasswd is Samba's original authentication mechanism, but it is now supported only for legacy reasons. LDAP is suited to large networks with existing directory services. There are pros and cons for each; see the docs. This article assumes use of tdbsam.
The configuration below creates a shared volume on the PDC, and a home directory for each user, which only they can access. You may wish to disable one or both of these (it's possible to run Samba purely as an authentication server if desired). A logon script is also defined - again, disable if not required.
Other pertinent design factors:
See also: troubleshooting Samba
# smb.conf - PDC
[global]
workgroup = TESTDOM
server string = Samba Server [PDC]
security = user
passdb backend = tdbsam
hosts deny = ALL
hosts allow = 192.168.1., 127.
log level = 1
log file = /var/log/samba/log.%m
max log size = 300
domain logons = Yes
domain master = Yes
### preferred master should be set to NO if there is another preferred master on the same subnet
preferred master = Yes
os level = 255
### WINS should be set to NO if a WINS server is already on the network
wins support = yes
dns proxy = no
name resolve order = lmhosts host wins bcast
hide dot files = yes
logon script = logon.bat
logon path =
logon home =
encrypt passwords = yes
lm announce = no
lanman auth = no
min protocol = NT1

[netlogon]
comment = Network Logon Service
path = /usr/local/lib/samba/netlogon
locking = No

[homes]
comment = Home Directory
read only = No
browseable = No
valid users = %S

[x-drive]
comment = Test Share
path = /data/smbspace
valid users = root @staff
read only = No
create mask = 0660
directory mask = 0771
pw groupadd staff
Note: this uses the FreeBSD-specific pw command (docs: manpage)
mkdir /usr/local/lib/samba/netlogon
chgrp staff /usr/local/lib/samba/netlogon
chmod 750 /usr/local/lib/samba/netlogon

mkdir /data
mkdir /data/smbspace
chgrp staff /data/smbspace
chmod 770 /data/smbspace
echo samba_enable=\"YES\" >> /etc/rc.conf
A reboot is recommended here. This will put the Samba binaries into the path, and verify that Samba starts automatically. Don't forget to log back in as root before continuing.
smbpasswd -a root
pw groupadd machines
pw useradd -g machines -n MACHINENAME\$ -s /sbin/nologin -c "machine account"
Note: on FreeBSD, the \ MUST precede the $ sign. The $ denotes a machine account, but pw does not permit $ signs in account names unless they are escaped with \.
smbpasswd -a -m MACHINENAME
Note: do not include the $ sign here, it is automatically added.
pw useradd -n USERNAME -s /sbin/nologin -c "User Name" -g staff -m
Unless otherwise desired, the unix user account should be set to "nologin". This does not prevent users from accessing the share, but it does stop them logging in with telnet, etc. Note that -c is the comment field; XP displays it at the top of the Start menu, e.g. "Test User". Also note that no password is defined for the unix user account; that's OK, as the account is set to "nologin". Lastly, note that -m tells pw to create the user's home directory; if you're not creating home directories, remove it.
smbpasswd -a testuser
The users must exist on the system already (eg. a unix user account must exist for each Samba user). The SMB password can be different to the unix user account password (if defined).
net groupmap add ntgroup="Domain Admins" unixgroup=wheel rid=512 type=domain
net groupmap add ntgroup="Domain Users" unixgroup=staff rid=513 type=domain
net groupmap add ntgroup="Domain Guests" unixgroup=nobody rid=514 type=domain

mv /data/smbspace/logon.bat /usr/local/lib/samba/netlogon
chgrp staff /usr/local/lib/samba/netlogon/logon.bat
chmod 640 /usr/local/lib/samba/netlogon/logon.bat
The logon script must be group-owned by the Samba users' group (staff here) so that the [netlogon] share can read it. Docs: manpage
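As an added check (example code, not from this article), a small Python parser for the smb.conf format used above, with an audit of the PDC-relevant settings the article sets; the embedded config is a constructed, trimmed copy of the article's, beside a deliberately weakened variant.

```python
import re
# Constructed sample (not from the article): its PDC settings, trimmed to those audited below.
PDC_CONF = """\
[global]
security = user
hosts allow = 192.168.1., 127.
domain logons = Yes
### preferred master should be set to NO if there is another preferred master on the same subnet
preferred master = Yes
logon script = logon.bat
logon path =
lanman auth = no
[netlogon]
path = /usr/local/lib/samba/netlogon
"""
# The same config with LM authentication enabled and the address filter dropped.
WEAK_CONF = PDC_CONF.replace("lanman auth = no", "lanman auth = yes") \
                    .replace("hosts allow = 192.168.1., 127.", "hosts allow = ALL")

def parse_smb_conf(text):
    """Parse smb.conf text into {section: {key: value}}; keys lowercased, comments skipped."""
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":        # blank lines and # / ; / ### comments
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            conf.setdefault(section, {})
        elif section is not None and "=" in line:
            key, _, value = line.partition("=")
            conf[section][key.strip().lower()] = value.strip()   # "logon path =" -> ""
    return conf

def is_yes(value):
    return value.strip().lower() in ("yes", "true", "1")
def audit_pdc(conf):
    """Return findings for settings an NT4-style PDC should have; [] means it passes."""
    g, findings = conf.get("global", {}), []
    if not is_yes(g.get("domain logons", "no")):
        findings.append("domain logons must be yes on a PDC")
    if g.get("security", "").lower() != "user":
        findings.append("security should be user")
    if is_yes(g.get("lanman auth", "no")):
        findings.append("lanman auth enabled: weak LM hashes accepted")
    hosts = re.split(r"[\s,]+", g.get("hosts allow", "").strip().lower())
    if hosts == [""] or "all" in hosts:
        findings.append("hosts allow missing or permits ALL")
    if g.get("logon script") and "netlogon" not in conf:
        findings.append("logon script set but no [netlogon] share")
    return findings
```

Run `audit_pdc(parse_smb_conf(open("/usr/local/etc/smb.conf").read()))` against a real file; `testparm` remains the authoritative syntax check.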