[Samba] Need advice on Linux/Samba as PDC

Buchan Milne bgmilne at cae.co.za
Thu Feb 14 02:04:08 GMT 2002



| Message: 7
| From: "Steve Snyder" <steves at formation.com>
| To: "Samba Mailing List" <samba at lists.samba.org>
| Date: Wed, 13 Feb 2002 10:16:19 -0600
| Subject: [Samba] Need advice on Linux/Samba as PDC
|
| I've just upgraded my Linux (RedHat v7.2 + v2.4.17 kernel) box to Samba
| v2.2.3a.  Now I'm ready to set up winbindd so that this box may act as a
| PDC.

This is incorrect. Winbind is only for use in getting password information to
the linux/unix system FROM A WINDOWS DOMAIN CONTROLLER.

You would use it if you want to join a samba box to a windows domain without
having to create local (or LDAP/NIS) accounts for the samba box.

|
| First, a little background.  I have previously been using Samba 2.2.2 as a
| master workgroup server for Linux and Win98 clients.  Now I want to add
| support for use as a PDC with Win2K clients.
|
| I've set up my /etc/nsswitch.conf per the documentation:
|
| 	passwd:     files winbind nisplus
| 	shadow:     files winbind nisplus
| 	group:      files winbind nisplus
|

Please remove all configuration for winbind from your domain controller ....

| I'm a little confused about which file in /etc/pam.d to modify.  Is it the
| samba file or the system-auth file?  I suspect it is the system-auth, but
| I'm not clear on how to integrate the documented changes into my existing
| RedHat config.  This is what the file looks like now:
|
| # cat /etc/pam.d/system-auth
| #%PAM-1.0
| # This file is auto-generated.
| # User changes will be destroyed the next time authconfig is run.
| auth     required   /lib/security/pam_env.so
| auth     sufficient /lib/security/pam_unix.so likeauth nullok
| auth     required   /lib/security/pam_deny.so
| account  required   /lib/security/pam_unix.so
| password required   /lib/security/pam_cracklib.so retry=3 type=
| password sufficient /lib/security/pam_unix.so nullok use_authtok md5 shadow
| password required   /lib/security/pam_deny.so
| session  required   /lib/security/pam_limits.so
| session  required   /lib/security/pam_unix.so
|

... including this file.

Samba has been able to do limited domain controlling since 2.0.x (we started
ours on 2.0.6), but it has improved in 2.2.x, and will be complete in 3.0.

That said, for a smallish network (where you don't need domain groups on windows
machines), samba rocks as a domain controller.

Please take a look at the following documentation:
- There is a chapter on this in the samba-howto-collection PDF distributed with
samba
- http://mandrakeuser.org/connect/csamba6.html

Basically, you need to:
enable the following entries in smb.conf:
security=user
encrypt passwords = yes
# add user script for joining machines to the domain without having to manually
# make accounts
add user script = /usr/sbin/useradd -d /dev/null -g machines -s /bin/false -M %u
domain admin group = user1 user2 @group1 @group2
domain logons = yes
logon home = <some UNC path>

#optionals
logon path = <some UNC path>
logon script = %U.bat


If you don't have a windows server running wins, you might as well run wins on
the PDC:
wins support = yes

Then you will want to ensure that the profiles and netlogon shares are defined also.

Good luck.

--
|----------------Registered Linux User #182071-----------------|
Buchan Milne                Mechanical Engineer, Network Manager
Cellphone * Work            +27 82 472 2231 * +27 21 8828820x202
Stellenbosch Automotive Engineering         http://www.cae.co.za
GPG Key                       http://ranger.dnsalias.com/gpg.key
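As an added example (not part of the original thread or of Samba itself), a small Python checker that parses an smb.conf and reports which of the PDC settings listed in the reply are missing. The sample configuration is constructed, and the test that the add user script hands machine accounts a non-login shell is an assumption about what counts as safe, based on the /bin/false used above.

```python
import re
# Settings the reply says a PDC needs in [global], and the shares it says must exist.
REQUIRED_GLOBAL = {"security": "user", "encrypt passwords": "yes", "domain logons": "yes"}
REQUIRED_SHARES = ("netlogon", "profiles")
def parse_smb_conf(text):
    """Return {section: {key: value}}; '#' and ';' comment lines are skipped."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        head = re.match(r"\[(.+)\]$", line)
        if head:  # start of a new [section]
            current = head.group(1).strip().lower()
            sections.setdefault(current, {})
        elif current is not None and "=" in line:
            key, _, value = line.partition("=")
            sections[current][key.strip().lower()] = value.strip()
    return sections
def check_pdc_config(text):
    """Return a list of problems; an empty list means every check passed."""
    conf = parse_smb_conf(text)
    glob, problems = conf.get("global", {}), []
    for key, want in REQUIRED_GLOBAL.items():
        if glob.get(key, "").lower() != want:
            problems.append(f"[global] {key} should be '{want}'")
    script = glob.get("add user script")
    if script is None:
        problems.append("[global] add user script missing: machine accounts must be made by hand")
    elif not re.search(r"-s\s+/(bin/false|sbin/nologin)", script):
        problems.append("[global] add user script: machine accounts should get a non-login shell")
    for share in REQUIRED_SHARES:
        if share not in conf:
            problems.append(f"[{share}] share not defined")
    return problems
PDC_CONF = r"""  # constructed sample: the settings from the reply plus the two shares
[global]
   security=user
   encrypt passwords = yes
   add user script = /usr/sbin/useradd -d /dev/null -g machines -s /bin/false -M %u
   domain logons = yes
   logon home = \\PDC\%U
[netlogon]
   path = /var/lib/samba/netlogon
[profiles]
   path = /var/lib/samba/profiles
"""
if __name__ == "__main__":
    print(check_pdc_config(PDC_CONF) or "PDC settings present")
```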