[Samba] Samba PDC (3.0.24)
Richard Wood
richard at ukrm.co.uk
Sun Mar 4 18:30:30 GMT 2007
Hi All,
I've been reading *lots* of pages and guides everywhere about setting up
samba as a PDC, mainly the 8 part guide by John Terpstra.
One common thing I found in all the guides I read was unstated
dependencies on the Samba version.
Tried it using 3.0.9 and it didn't have any rights (I found something
somewhere saying this eventually).
Then tried it using Debian's default of 3.0.24, and no default groups, so
John's guide wasn't 100%.
Also the user/group scripts in smb.conf seem to be distro specific.
This last one caused me hours of headaches, the errors returned gave
absolutely no indication of what the problem was.
Eventually I decided to have a look at the log files which gave me a
Eureka moment and I found out that Debian's usermod has different parameters.
(it also doesn't appear to be able to remove a group assignment from a
user?)
Anyway, after umpteen tries I compiled this concise cheat sheet (more
for me than anyone else), can people have a look at it and point out any
glaring errors please?
start afresh...:-
---------------
cleanup
-------
stop samba
/etc/init.d/samba stop
delete all *.tdb files
rm /var/lib/samba/*.tdb
delete all samba log files
rm /var/log/samba/log.*
remove windows groups using groupdel
remove PDC machine user using userdel
1. edit /etc/samba/smbusers
1a. add root = Administrator
2. start samba
3. use pdbedit -a to add user 'root' and assign a password to it
from samba 3.0.23 there are NO default Windows Domain Groups, we must
create them now.
4. Add default Windows Domain Groups as unix groups:-
(group IDs nicked from online examples)
groupadd -g 512 "Domain Admins"
groupadd -g 513 "Domain Users"
groupadd -g 514 "Domain Guests"
groupadd -g 515 "Domain Computers"
groupadd -g 544 "Administrators"
groupadd -g 550 "Print Operators"
groupadd -g 551 "Backup Operators"
groupadd -g 552 "Replicators"
4a. Add groups into Samba mapping them to unix groups
net groupmap add rid=512 unixgroup="Domain Admins"
net groupmap add rid=513 unixgroup="Domain Users"
net groupmap add rid=514 unixgroup="Domain Guests"
net groupmap add rid=515 unixgroup="Domain Computers"
4b. Add local Windows groups (dunno if this is right, they get added as
domain groups?)
net groupmap add rid=544 unixgroup="Administrators"
net groupmap add rid=550 unixgroup="Print Operators"
net groupmap add rid=551 unixgroup="Backup Operators"
net groupmap add rid=552 unixgroup="Replicators"
5. Add user root to the Domain Admin group
net rpc group addmem "Domain Admins" root
6. Give the "Domain Admins" group suitable administrative rights...
net rpc rights grant "Domain Admins" \
SeMachineAccountPrivilege \
SeTakeOwnershipPrivilege \
SeBackupPrivilege \
SeRestorePrivilege \
SeRemoteShutdownPrivilege \
SePrintOperatorPrivilege \
SeAddUsersPrivilege \
SeDiskOperatorPrivilege
(do similar for the other groups)
7. Add an account for the PDC machine
net rpc join
For the initial setup, that's it! The PDC is live and the domain
administrator user has been created.
To:-
Add Users
---------
net rpc user add <username>
Assign a password to a user
---------------------------
net rpc user password <username>
Delete Users
------------
net rpc user del <username>
Assign a user to a group
------------------------
net rpc group addmem <groupname> <username>
Remove a user from a group
--------------------------
net rpc group delmem <groupname> <username>
(NOTE : doesn't work, the usermod command cannot delete a group from a user)
Assign user rights
------------------
(used to override the group rights assigned earlier)
net rpc rights grant <username> <rightname>
Remove user rights
------------------
(used to override the group rights assigned earlier)
net rpc rights revoke <username> <rightname>
View rights assigned
--------------------
net rpc rights list accounts
Cheers,
Richard
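
Added example, not part of the original post: a way to check the result of step 6 and the per-user grants by auditing the listing that "net rpc rights list accounts" prints. The allowlist, the EXAMPLE domain name, the account jdoe and the sample listing are constructed, and the listing layout (account line, one right per line, blank line) is an assumption about that command's output.

```shell
#!/bin/sh
# Added example (not from the post): flag accounts outside an allowlist that
# hold sensitive rights. Assumed input layout: an account line, then one right
# per line (or "No privileges assigned"), then a blank line.

# Hypothetical policy: comma-separated accounts allowed to hold these rights.
ALLOWED='Domain Admins,Administrators'

# Rights from step 6 that add accounts, manage shares or bypass file ACLs.
SENSITIVE='SeMachineAccountPrivilege SeAddUsersPrivilege SeDiskOperatorPrivilege'
SENSITIVE="$SENSITIVE SeTakeOwnershipPrivilege SeBackupPrivilege SeRestorePrivilege"

# audit_rights: reads the listing on stdin and prints "account<TAB>right" for
# every sensitive right held by an account that is not in ALLOWED.
audit_rights() {
    awk -v allowed="$ALLOWED" -v sensitive="$SENSITIVE" '
        BEGIN {
            n = split(allowed, a, ",");   for (i = 1; i <= n; i++) ok[a[i]] = 1
            n = split(sensitive, s, " "); for (i = 1; i <= n; i++) hot[s[i]] = 1
        }
        /^[ \t]*$/ { account = ""; next }          # blank line ends a record
        account == "" {                            # first line of a record
            account = short = $0
            while ((p = index(short, "\\")) > 0)   # strip the DOMAIN\ prefix
                short = substr(short, p + 1)
            next
        }
        ($1 in hot) && !(short in ok) { printf "%s\t%s\n", account, $1 }
    '
}

# Constructed sample listing for offline testing (not real output).
sample_listing() {
    cat <<'EOF'
EXAMPLE\Domain Admins
SeMachineAccountPrivilege
SeAddUsersPrivilege

EXAMPLE\Domain Users
SeAddUsersPrivilege

EXAMPLE\jdoe
SeBackupPrivilege
SePrintOperatorPrivilege

Everyone
No privileges assigned
EOF
}
```

On a live PDC, pipe the output of "net rpc rights list accounts" into audit_rights; any line it prints is a grant to review against the groups set up in steps 4 to 6.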