[Samba] Running Samba 3 as PDC

Irene Sakellarakis irenes at uiuc.edu
Fri Nov 19 17:57:34 GMT 2004

Thanks Christian, here's the config file.

Printing is not yet enabled, as it's not critical. Can't set it up as 
master browser yet because I can't play with that on the subnet I'm 
currently limited for testing and our security people freak out if a 
random machine starts vying for attention in elections! BTW, I'm rather 
new at this so do forgive any obvious questions. I'm doing my best to 
get through the How To, but there's lots to learn.


# workgroup = NT-Domain-Name or Workgroup-Name
         workgroup = SAMBA

#netbios server name
         netbios name = SAMBASERV

# server string is the equivalent of the NT Description field
         server string = Samba Server

         add machine script = /usr/sbin/useradd -g machines -d /dev/null -s /bin/false -M %u
         add user script = /usr/sbin/useradd -m %u

# this tells Samba to use a separate log file for each machine
# that connects
         log file = /var/log/samba/%m.log

# Put a capping on the size of the log files (in Kb).
         max log size = 50

# Password Level allows matching of _n_ characters of the password for
# all combinations of upper and lower case.
;  password level = 8
# You may wish to use password encryption. Please read
# ENCRYPTION.txt, Win95.txt and WinNT.txt in the Samba documentation.
# Do not enable this option unless you have read those documents
         smb passwd file = /etc/samba/smbpasswd

#investigate this option for authentication backend - Irene
;  passdb backend = tdbsam

# The following are needed to allow password changing from Windows to
# update the Linux system password also.
# NOTE: Use these with 'encrypt passwords' and 'smb passwd file' above.
# NOTE2: You do NOT need these to allow workstations to change only
#        the encrypted SMB passwords. They allow the Unix password
#        to be kept in sync with the SMB password.
;  unix password sync = Yes
;  passwd program = /usr/bin/passwd %u
;  passwd chat = *New*UNIX*password* %n\n *ReType*new*UNIX*password* %n\n *passwd:*all*authentication*tokens*updated*successfully*

# Unix users can map to different SMB User names
;  username map = /etc/samba/smbusers

# Using the following line enables you to customise your configuration
# on a per machine basis. The %m gets replaced with the netbios name
# of the machine that is connecting
;   include = /etc/samba/smb.conf.%m

# Most people will find that this option gives better performance.
# See speed.txt and the manual pages for details
         socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192

# Browser Control Options:
# set local master to no if you don't want Samba to become a master
# browser on your network. Otherwise the normal election rules apply
;   local master = no

# OS Level determines the precedence of this server in master browser
# elections. The default value should be reasonable
;   os level = 33

# Domain Master specifies Samba to be the Domain Master Browser. This
# allows Samba to collate browse lists between subnets. Don't use this
# if you already have a Windows NT domain controller doing this job
;   domain master = yes

# Preferred Master causes Samba to force a local browser election on startup
# and gives it a slightly higher chance of winning the election
;   preferred master = yes

# Enable this if you want Samba to be a domain logon server for
# Windows95 workstations.
         domain logons = yes

# if you enable domain logons then you may want a per-machine or
# per user logon script
# run a specific logon batch file per workstation (machine)
;   logon script = %m.bat
# run a specific logon batch file per username
;   logon script = %U.bat

# All NetBIOS names must be resolved to IP Addresses
# 'Name Resolve Order' allows the named resolution mechanism to be specified
# the default order is "host lmhosts wins bcast". "host" means use the unix
# system gethostbyname() function call that will use either /etc/hosts OR
# DNS or NIS depending on the settings of /etc/host.config, 
# and the /etc/resolv.conf file. "host" therefore is system configuration
# dependent. This parameter is most often of use to prevent DNS lookups
# in order to resolve NetBIOS names to IP Addresses. Use with care!
# The example below excludes use of name resolution for machines that are NOT
# on the local network segment
# - OR - are not deliberately to be known via lmhosts or via WINS.
         name resolve order = wins lmhosts bcast

# WINS Server - Tells the NMBD components of Samba to be a WINS Client
#       Note: Samba can be either a WINS Server, or a WINS Client, but NOT both
         wins server =

# DNS Proxy - tells Samba whether or not to try to resolve NetBIOS names
# via DNS nslookups. The built-in default for versions 1.9.17 is yes,
# this has been changed in version 1.9.18 to no.
         username map = /etc/samba/smbusers
         dns proxy = no

#============================ Share Definitions 
         comment = Home Directories
         browseable = no
         writeable = yes

# Un-comment the following and create the netlogon directory for Domain 
         comment = Network Logon Service
         path = /home/samba/netlogon
         guest ok = yes
         share modes = no

# NOTE: If you have a BSD-style print system there is no need to
# specifically define each individual printer
         comment = All Printers
         path = /var/spool/samba
         browseable = no
# Set public = yes to allow user 'guest account' to print
         printable = yes

Christian Merrill wrote:

> Irene Sakellarakis wrote:
>> I am investigating options for using Samba (Red Hat Fedora 
>> Core 1 basic installation, currently updating via yum) as a primary 
>> and only domain controller. We have a Windows user environment, and 
>> I'm trying to connect the user machines (XP fully patched as of this 
>> writing) to the samba domain but keep getting one of 2 errors: 1) 
>> "authentication failed", when I use the (smb) administrator account 
>> and password; 2) "user not known" when using the root account.
>> I've created the users (both unix and samba), mapped my groups, edited 
>> admin groups with the right entries). Frankly, I'm at a loss as to 
>> whether this is even feasible, realistically.
>> I've searched the various groups online but any reference I find to 
>> this type of setup is with pre-W2k clients and Samba 2.* versions. All 
>> the discussions I've found pertaining to 3.0 and W2k/XP are only 
>> documenting existing problems similar to mine with no responses to 
>> those threads.
>> Is it possible (at this point "advisable" has been thrown out the 
>> window by higher-ups) to get this functioning as a complete 
>> replacement to a Windows200* server environment? The official HowTo 
>> seems to hint at it, but I find little or no actual instruction on the 
>> matter.
>> Thanks much, in advance,
>> Irene
> It is doable -- could you post your /etc/samba/smb.conf?  As to whether 
> or not it is advisable as a replacement for a Win2k environment there 
> are a few things to take into consideration:
> 1. Samba3 cannot act as an Active Directory DC
> 2. If you want any failover you will need to have an LDAP backend
> 3. Fedora Core is not supported -- you might wish to consider moving to 
> a supported OS (RHEL, SusE, Solaris etc.)
> 4. Staff needs to have the appropriate *nix/Samba skills to administer 
> the environment
> Christian
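
Added example, not part of the original post or of Samba: a small check for smb.conf-style text that separates the watched parameters that are in force from those disabled with ';' or '#', and flags lines that are neither a setting nor a comment, such as the second half of a mail-wrapped line. The audit function, the WATCHED selection and the sample text are assumptions made for this illustration.

```python
import re

# Constructed sample in the style of the posted config, including one line
# broken in two by mail wrapping (the add machine script entry).
SAMPLE = """\
[global]
        workgroup = SAMBA
        domain logons = yes
;   domain master = yes
;   os level = 33
;  passdb backend = tdbsam
        add machine script = /usr/sbin/useradd -g machines -d /dev/null
-s /bin/false -M %u
"""

# Parameters that the comments in the posted config tie to logon/browser roles
# or to account handling. The selection is this example's assumption.
WATCHED = {"domain logons", "domain master", "preferred master", "local master",
           "os level", "passdb backend", "add machine script"}


def audit(text):
    """Return (active, commented, stray) for smb.conf-style text.

    active    -- watched parameters that are in force
    commented -- watched parameters disabled with a leading ';' or '#'
    stray     -- (line number, text) of lines that are neither a setting,
                 a comment nor a section header, e.g. wrap debris
    """
    active, commented, stray = {}, {}, []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or re.fullmatch(r"\[.*\]", line):
            continue
        disabled = line[0] in ";#"
        body = line.lstrip(";#").strip()
        if "=" in body:
            name, value = (part.strip() for part in body.split("=", 1))
            name = " ".join(name.lower().split())  # normalise case and spacing
            if name in WATCHED:
                (commented if disabled else active)[name] = value
        elif not disabled:
            stray.append((lineno, line))
    return active, commented, stray


if __name__ == "__main__":
    active, commented, stray = audit(SAMPLE)
    print("active:   ", active)
    print("commented:", commented)
    print("stray:    ", stray)
```

In a copy wrapped like the sample, the value read for add machine script stops at /dev/null and the remaining useradd options show up as a stray line.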
