[Samba] Samba PDC (3.0.24)

Richard Wood richard at ukrm.co.uk
Sun Mar 4 18:30:30 GMT 2007

Hi All,

I've been reading *lots* of pages and guides everywhere about setting up 
samba as a PDC, mainly the 8 part guide by John Terpstra.

One common thing I found in all the guides I read was unstated 
dependencies on the Samba version.

Tried it using 3.0.9 and it didn't have any rights (I found something 
somewhere saying this eventually).

Then tried it using Debian's default of 3.0.24, and no default groups, so 
John's guide wasn't 100%.

Also the user/group scripts in smb.conf seem to be distro specific.

This last one caused me hours of headaches, the errors returned gave 
absolutely no indication of what the problem was.

Eventually I decided to have a look at the log files which gave me a 
Eureka moment and I found out that Debian's usermod has different parameters.

(it also doesn't appear to be able to remove a group assignment from a 

Anyway, after umpteen tries I compiled this concise cheat sheet (more 
for me than anyone else), can people have a look at it and point out any 
glaring errors please?

start afresh...:-

stop samba
   /etc/init.d/samba stop
delete all *.tdb files
   rm /var/lib/samba/*.tdb
delete all samba log files
   rm /var/lib/samba/*.tdb
remove windows groups using groupdel
remove PDC machine user using userdel

1. edit /etc/samba/smbusers
1a. add root = Administrator
2. start samba
3. use pdbedit -a to add user 'root' and assign a password to it

from samba 3.0.23 there are NO default Windows Domain Groups, we must 
create them now.

4. Add default Windows Domain Groups as unix groups:-
(group IDs nicked from online examples)

groupadd -g 512 "Domain Admins"
groupadd -g 513 "Domain Users"
groupadd -g 514 "Domain Guests"
groupadd -g 515 "Domain Computers"
groupadd -g 544 "Administrators"
groupadd -g 550 "Print Operators"
groupadd -g 551 "Backup Operators"
groupadd -g 552 "Replicators"

4a. Add groups into Samba mapping them to unix groups

net groupmap add rid=512 unixgroup="Domain Admins"
net groupmap add rid=513 unixgroup="Domain Users"
net groupmap add rid=514 unixgroup="Domain Guests"
net groupmap add rid=515 unixgroup="Domain Computers"

4b. Add local Windows groups (dunno if this is right, they get added as 
domain groups?)

net groupmap add rid=544 unixgroup="Administrators"
net groupmap add rid=550 unixgroup="Print Operators"
net groupmap add rid=551 unixgroup="Backup Operators"
net groupmap add rid=552 unixgroup="Replicators"

5. Add user root to the Domain Admin group

net rpc group addmem "Domain Admins" root

6. Give the "Domain Admins" group suitable administrative rights...

net rpc rights grant "Domain Admins" \
SeMachineAccountPrivilege \
SeTakeOwnershipPrivilege \
SeBackupPrivilege \
SeRestorePrivilege \
SeRemoteShutdownPrivilege \
SePrintOperatorPrivilege \
SeAddUsersPrivilege

(do similar for the other groups)

7. Add an account for the PDC machine

net rpc join

For the initial setup, that's it! The PDC is live and the domain 
administrator user has been created.


Add Users
net rpc user add <username>

Assign a password to a user
net rpc user password <username>

Delete Users
net rpc user del <username>

Assign a user to a group
net rpc group addmem <groupname> <username>

Remove a user from a group
net rpc group delmem <groupname> <username>

(NOTE : doesn't work, the usermod command cannot delete a group from a user)

Assign user rights
(used to override the group rights assigned earlier)
net rpc rights grant <username> <rightname>

Remove user rights
(used to override the group rights assigned earlier)
net rpc rights revoke <username> <rightname>

View rights assigned
net rpc rights list accounts
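
Added example (not part of the original post): a least-privilege check over the output of `net rpc rights list accounts`, reporting every privilege held by an account outside an allow-list. It assumes the listing prints an account name, then one privilege per line (or "No privileges assigned"), with a blank line between accounts; the `EXAMPLE` domain, the `helpdesk` account and the allow-list are constructed for illustration.

```shell
#!/bin/sh
# Audit `net rpc rights list accounts` output against an allow-list.
# Assumed format: account line, then one Se...Privilege per line (or
# "No privileges assigned"), accounts separated by a blank line.

# Accounts permitted to hold privileges, one per line (hypothetical policy).
ALLOWED='EXAMPLE\Domain Admins'

# audit_rights: reads the listing on stdin and prints "account<TAB>privilege"
# for each privilege held by an account that is not in $ALLOWED.
# The list is passed through the environment because awk -v would
# interpret the backslash in DOMAIN\name as an escape sequence.
audit_rights() {
    ALLOWED="$ALLOWED" awk '
        BEGIN {
            n = split(ENVIRON["ALLOWED"], a, "\n")
            for (i = 1; i <= n; i++) ok[a[i]] = 1
        }
        { sub(/\r$/, "") }                  # tolerate CRLF line endings
        /^[ \t]*$/ { acct = ""; next }      # blank line ends an account block
        acct == "" { acct = $0; next }      # first line of a block is the account
        /^Se[A-Za-z]+Privilege$/ { if (!(acct in ok)) print acct "\t" $0 }
    '
}

# Constructed sample listing (not captured from a real server).
sample_listing() {
    cat <<'EOF'
BUILTIN\Administrators
No privileges assigned

EXAMPLE\Domain Admins
SeMachineAccountPrivilege
SeAddUsersPrivilege

EXAMPLE\helpdesk
SeBackupPrivilege
SeRestorePrivilege
EOF
}

# Demo on the sample; on the PDC use instead:
#   net rpc rights list accounts | audit_rights
sample_listing | audit_rights
```

An empty result means only allow-listed accounts hold privileges; any line printed is a grant to review or revoke with `net rpc rights revoke`.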


