[Samba] Need advice on Linux/Samba as PDC
bgmilne at cae.co.za
Thu Feb 14 02:04:08 GMT 2002
-----BEGIN PGP SIGNED MESSAGE-----
| Message: 7
| From: "Steve Snyder" <steves at formation.com>
| To: "Samba Mailing List" <samba at lists.samba.org>
| Date: Wed, 13 Feb 2002 10:16:19 -0600
| Subject: [Samba] Need advice on Linux/Samba as PDC
| I've just upgraded my Linux (RedHat v7.2 + v2.4.17 kernel) box to Samba
| v2.2.3a. Now I'm ready to set up winbindd so that this box may act as a
This is incorrect. Winbind is only for use in getting password information to
the linux/unix system FROM A WINDOWS DOMAIN CONTROLLER.
You would use it if you want to join a samba box to a windows domain without
having to create local (or LDAP/NIS) accounts for the samba box.
| First, a little background. I have previously been using Samba 2.2.2 as a
| master workgroup server for Linux and Win98 clients. Now I want to add
| support for use as a PDC with Win2K clients.
| I've set up my /etc/nsswitch.conf per the documentation:
| passwd: files winbind nisplus
| shadow: files winbind nisplus
| group: files winbind nisplus
Please remove all configuration for winbind from your domain controller ....
| I'm a little confused about which file in /etc/pam.d to modify. Is it the
| samba file or the system-auth file? I suspect it is the system-auth, but
| I'm not clear on how to integrate the documented changes into my existing
| RedHat config. This is what the file looks like now:
| # cat /etc/pam.d/system-auth
| # This file is auto-generated.
| # User changes will be destroyed the next time authconfig is run.
| auth required /lib/security/pam_env.so
| auth sufficient /lib/security/pam_unix.so likeauth nullok
| auth required /lib/security/pam_deny.so
| account required /lib/security/pam_unix.so
| password required /lib/security/pam_cracklib.so retry=3 type=
| password sufficient /lib/security/pam_unix.so nullok use_authtok md5 shadow
| password required /lib/security/pam_deny.so
| session required /lib/security/pam_limits.so
| session required /lib/security/pam_unix.so
~ ... including this file.
Samba has been able to do limited domain controlling since 2.0.x (we started
ours on 2.0.6), but it has improved in 2.2.x, and will be complete in 3.0.
That said, for a smallish network (where you don't need domain groups on windows
machines), samba rocks as a domain controller.
Please take a look at the following documentation:
- There is a chapter on this in the samba-howto-collection PDF distributed with
Basically, you need to:
enable the following entries in smb.conf:
encrypt passwords = yes
# add user script for joining machines to the domain without having to manually
add user script = /usr/sbin/useradd -d /dev/null -g machines -s /bin/false -M %u
domain admin group = user1 user2 @group1 @group2
domain logons = yes
logon home = <some UNC path>
logon path = <some UNC path>
logon script = %U.bat
If you don't have a windows server running wins, you might as well run wins on
wins support = yes
Then you will want to ensure that the profiles and netlogon shares are defined also.
|----------------Registered Linux User #182071-----------------|
Buchan Milne Mechanical Engineer, Network Manager
Cellphone * Work +27 82 472 2231 * +27 21 8828820x202
Stellenbosch Automotive Engineering http://www.cae.co.za
GPG Key http://ranger.dnsalias.com/gpg.key
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org
-----END PGP SIGNATURE-----
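
The following is an added example, not part of the original message and not Samba's own code: a small Python check that applies the reply's advice to a host meant to be a Samba PDC, flagging missing domain-controller settings in smb.conf and any winbind entries left in nsswitch.conf. It assumes the shares are named netlogon and profiles, treats an unset boolean as "no", and does not follow include lines or backslash line continuations; the sample input is constructed.

```python
TRUE = {"yes", "true", "1"}

def parse_smb_conf(text):
    """{section: {param: value}}; names compared without case or spaces, as Samba does."""
    sections, current = {}, None
    for line in map(str.strip, text.splitlines()):
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1].strip().lower(), {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            current["".join(key.split()).lower()] = value.strip()
    return sections

def winbind_databases(nsswitch_text):
    """nsswitch.conf databases that list winbind as a source."""
    hits = []
    for line in nsswitch_text.splitlines():
        db, sep, sources = line.split("#", 1)[0].partition(":")
        if sep and "winbind" in sources.split():
            hits.append(db.strip())
    return hits

def check_pdc(smb_text, nsswitch_text):
    """Findings for a host that should be a Samba PDC, per the reply above."""
    conf = parse_smb_conf(smb_text)
    glob = conf.get("global", {})
    findings = []
    for name in ("domain logons", "encrypt passwords"):
        # Assumption: a parameter that is not set counts as "no".
        if glob.get(name.replace(" ", ""), "no").lower() not in TRUE:
            findings.append(f"{name} is not enabled")
    findings += [f"[{s}] share is not defined" for s in ("netlogon", "profiles") if s not in conf]
    findings += [f"nsswitch.conf {db}: winbind listed on a domain controller"
                 for db in winbind_databases(nsswitch_text)]
    return findings

# Constructed sample: nsswitch.conf lines as quoted above, smb.conf lacking [profiles].
SAMPLE_NSSWITCH = "passwd: files winbind nisplus\nshadow: files winbind nisplus\ngroup: files winbind nisplus\nhosts: files dns\n"
SAMPLE_SMB = """[global]
   Encrypt Passwords = Yes
   domain logons = yes
[netlogon]
   path = /home/netlogon
"""

if __name__ == "__main__":
    for finding in check_pdc(SAMPLE_SMB, SAMPLE_NSSWITCH):
        print("WARN:", finding)
```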