0

Samba as a Primary Domain Controller on Centos/RHEL

I wanted to setup a PDC via samba for my home network since I am wanting a common login onto all of the machines at home and also since I already share files via samba why not just add this. This is a very novice basic setup of PDC.

Several items are needed espcially host entries/dns records to make this work.

lets assume several items

Domain : testdomain.local
PDC Hostname : pdc
PDC IP : 192.168.1.1
User : thisisyou
Client Hostname : testdesktop

1. Install Samba.

yum groupinstall "CIFS file server" or yum install samba

2. Network testing

from your windows machine make sure that you are able to ping and resolve testdomain.local and pdc and pdc.testdomain.local

if it does not ping please edit your DNS or hosts file to make the proper entries

from the PDC server ping and dns lookup your PDC Hostname and make sure you are getting good results back first

3. Samba Configuration

usually located in /etc/samba/smb.conf

[global]
domain logons = yes
domain master = Yes
netbios name = PDC
workgroup = testdomain.local
os level = 255
preferred master = yes
security = user
wins support = yes

[homes]
valid users = %S
read only = no
browseable = no
create mode = 0600
directory mode = 0700

The above is the bare minimal that you will need to have this working. There are much more options to add if you want to get fancier

starting service

chkconfig smb on
chkconfig nmb on
service smb start
service nmb start

Now lets create groups and users

groupadd smbuser
groupadd workstation
useradd -d /home/thisisyou -g smbuser -s /bin/false -m thisisyou
useradd -d /dev/null -g workstation -s /bin/false testdesktop$

Now we need to add the users to the samba database


smbpasswd -a thisisyou
smbpasswd -a root
smbpasswd -a -m testdesktop$

it is very important to add the client desktop to the users and samba database or else it will not join the domain. The “$” is required at the end of the machine name. PLEASE DO NOT FORGET.

you can check the database by issuing pdbedit -Lv

you can also look up various info such as

pdbedit -v thisisyou
pdbedit -r -f "This is You" thisisyou

The basic setup is complete however we will need to add the domain user to the Administrator group if needed

Samba no longer allows you to change the Primary Group SID directly, it is now set dynamically from group mappings. By default all users receive an RID of the Domain Users Group which is 513, for the Domain Admins Group the RID needs to be 512. This is the final three digits in the Primary Group SID as in:
Primary Group SID: S-#-#-##-#########-#########-##########-513

Lets create a new group called smbadmin and add any users in that group to be administrators


groupadd smbadmin
usermod -g smbadmin jlim
groups jlim
net groupmap add rid=512 ntgroup="Domain Admins" unixgroup=smbadmin
pdbedit -v jlim

look for the line Primary Group SID: S-#-#-##-#########-#########-##########-512

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.