[Samba] Samba PDC
Mark Warner
hammerhed at rapidreporting.com
Fri Jul 18 17:43:28 GMT 2003
Greetings,
This is my first post to this mailing list. I was recently put in charge
of replacing the unstable, failing Windows 2000 Domain Controller on my
company's network, since I'm the only "certified" (laugh here) one here. So,
dreading the prospect of configuring a new Windows 2000 Active Directory
server, I began to look at alternatives. Naturally, Samba was presented to me
as a viable alternative. Our company being run almost entirely on Open
Source software, I thought this would likely work out quite nicely.
Our network had 2 Windows 2000 Domain Controllers. One of them was
almost exclusively a Domain Controller (read: no other function), so I
thought that this would be the most ideal candidate for testing. That, and
the fact that it was failing to the point of needing a reboot about every 3
hours. The other DC also functioned as a MS SQL 7 server for our only
non-open source application, GoldMine, a sales and marketing application. So
I demoted the ailing DC, removed it from the Directory, and powered it off.
I let it sit for a few days, watching the load on the 2nd DC, making sure it
could handle the added load while I was scrubbing the other server. Turns
out that the "added load" of being the only DC consumed about 2% more
resources. So I was good to go.
After installing and configuring a basic Debian Woody system, I set out
to learn just how Samba worked as a PDC. I found tons of documentation,
which helped, but I never found a single sample config script that even
began to work for me. I spent at least 2 weeks researching the project. The
result was that I was successful in producing a stable, functional domain
controller. That project ended on June 4th, and I migrated the rest of the
network over the following evening. We have a mix of Windows 98 SE, Windows
2000, and Windows XP computers, most of which went smoothly. The Windows XP
machines had to have some registry modifications made, which I will make a
note of below.
About 2 weeks after the project was completed, our Linux administrator
advised me that I should post our config file onto this mailing list, in
case anyone else was in need of a known working smb.conf for a domain
controller. So, without further ado, here it is:
[global]
workgroup = DOMAIN
netbios name = SERVER_NAME
security = user
encrypt passwords = Yes
password server = PASSWORD_SERVER
add user script = /usr/sbin/useradd -d /dev/null -g 100 -s /bin/false -M %u
logon script = login.bat
logon home = \\SERVER_NAME\%U
logon drive = U:
lm announce = yes
lm interval = 120
remote announce = 192.168.0.0/24
domain logons = Yes
os level = 99
domain master = yes
enhanced browsing = true
local master = yes
preferred master = true
wins support = yes
name resolve order = wins lmhosts hosts bcast
log file = /var/log/samba/log.%m
domain admin group = root administrator
invalid users = root
[homes]
comment = Home Directories
browseable = yes
read only = no
create mask = 0755
[netlogon]
comment = Network Logon Service
path = /usr/local/samba/netlogon
guest ok = yes
writable = no
share modes = no
That's it. Short and sweet.
Here are the aforementioned Windows XP registry modifications:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters\requiresignorseal = 0
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters\signsecurechannel = 0
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters\sealsecurechannel = 0
That's all of 'em.
Thanks for your time, and good luck to those who actually needed this info.
-Mark Warner
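
An added example, not part of the original post: the three Netlogon values listed above control whether the XP client requires or negotiates signing and sealing of its secure channel to the domain controller, so it is worth tracking which machines still carry them at 0. The Python sketch below checks the text of a regedit export for those values; the function names, the sample export and its ConstructedSubkey entry are constructed for illustration.

```python
import re

# Key and value names as given in the post; registry names are case-insensitive.
NETLOGON_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters"
CHANNEL_VALUES = ("requiresignorseal", "signsecurechannel", "sealsecurechannel")
SECTION_RE = re.compile(r"^\[(.+)\]$")
DWORD_RE = re.compile(r'^"([^"]+)"=dword:([0-9a-fA-F]{1,8})$')


def read_netlogon_values(reg_text):
    """Return {lowercased name: int} for DWORD values directly under NETLOGON_KEY."""
    found, in_key = {}, False
    for raw in reg_text.splitlines():
        line = raw.strip()
        section = SECTION_RE.match(line)
        if section:  # a new [key] header: only the exact Parameters key counts
            in_key = section.group(1).lower() == NETLOGON_KEY.lower()
        elif in_key:
            value = DWORD_RE.match(line)
            if value:
                found[value.group(1).lower()] = int(value.group(2), 16)
    return found


def audit_secure_channel(reg_text):
    """Map each of the three settings to 'disabled' (0), 'enabled' or 'not set'."""
    values = read_netlogon_values(reg_text)
    return {
        name: "not set" if name not in values
        else ("enabled" if values[name] else "disabled")
        for name in CHANNEL_VALUES
    }


# Constructed sample in regedit export format (real exports are UTF-16 text).
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters]
"RequireSignOrSeal"=dword:00000000
"SignSecureChannel"=dword:00000000
"SealSecureChannel"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters\ConstructedSubkey]
"requiresignorseal"=dword:00000001
"""

if __name__ == "__main__":
    for name, state in audit_secure_channel(SAMPLE_EXPORT).items():
        print(f"{name}: {state}")
```

When reading an export from disk, open it with encoding="utf-16" before passing the text to audit_secure_channel.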