[Samba] Samba NT Domain User/Group Confusion

Robert Steinmetz rob at steinmetznet.com
Sun Mar 25 21:29:15 GMT 2007

I'm confused about how this works in Samba. It's been a while since I set
up a server and I've gotten myself confused.

The new servers are Ubuntu AMD64 Linux with Samba 3.0.22. One of these is
the PDC. The legacy servers are Solaris 8 running Samba 3.0.24. We are
using winbindd and local tdb files on the PDC for authentication. We
plan to migrate to LDAP later. I have used SWAT to configure each server.

On the PDC I set up Linux logins for each user, I added them to Samba 
via smbpasswd. I created a Samba Admin Group "domain". In Linux this all 
looks right to me.

All users can log into the domain and access all of the shares on the 

None of the users have the ability to change anything via usrmgr.exe or 

Usrmgr.exe reports "Could not find Domain controller for this Domain". 
The "Select Domain" popup lists two domains PDC and DOMAIN.

Srvmgr.exe reports "Could not find Primary DC for PDC you may administer 
this domain but certain domain-wide operation will be disabled."

All users show their profile directory as "Read Only" in the Windows  
and it can't be changed.

       workgroup = DOMAIN
       server string = %h server (Samba, Ubuntu)
       obey pam restrictions = Yes
       passdb backend = tdbsam
       passwd program = /usr/bin/passwd %u
       passwd chat = *Enter\snew\sUNIX\spassword:* %n\n *Retype\snew\sUNIX\spassword:* %n\n *password\supdated\ssuccessfully* .
       syslog = 0
       log file = /var/log/samba/log.%m
       max log size = 1000
       time server = Yes
       hostname lookups = Yes
       logon path = \\PDC\%U\profile
       logon drive = U:
       logon home = \\PDC\%U
       domain logons = Yes
       os level = 33
       domain master = Yes
       wins proxy = Yes
       wins support = Yes
       ldap ssl = no
       panic action = /usr/share/samba/panic-action %d
       idmap uid = 10000-20000
       idmap gid = 10000-20000
       winbind nested groups = Yes
       admin users = root, administrator
       hosts allow =
       profile acls = Yes

       comment = All Printers
       path = /tmp
       create mask = 0700
       printable = Yes
       browseable = No

       comment = Printer Drivers
       path = /var/lib/samba/printers

       comment = Network Logon Service
       path = /var/lib/samba/netlogon
       guest ok = Yes
       browseable = No

       comment = Windows Roaming Profiles
       path = /home/%U/profile
       read only = No
       create mask = 0664
       force create mode = 0775
       directory mask = 0775
       force directory mode = 0775
       store dos attributes = Yes

*Robert Steinmetz, AIA*
*Steinmetz & Associates*
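
An added example, not part of the original post: a short Python check over three settings from the posted smb.conf (`admin users`, the empty `hosts allow`, and the profile share's mode masks), using Samba's documented rule that the force bits are ORed in after the mask is applied. The `[global]` and `[profiles]` section names and the 0600/0700 requested modes are assumptions, since the section headers did not survive in the post.

```python
# Added example. Section names and requested modes below are assumptions.
SAMPLE = """\
[global]
       admin users = root, administrator
       hosts allow =
[profiles]
       create mask = 0664
       force create mode = 0775
       directory mask = 0775
       force directory mode = 0775
"""

def parse_smb_conf(text):
    """Return {section: {parameter: value}} with names lower-cased."""
    conf, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = conf.setdefault(line[1:-1].lower(), {})
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            current[" ".join(key.lower().split())] = value.strip()
    return conf

def effective_mode(share, mask_key, force_key, requested, default_mask):
    """Mode Samba applies: (requested AND mask) OR force bits."""
    mask = int(share.get(mask_key, default_mask), 8)
    force = int(share.get(force_key, "0"), 8)
    return (requested & mask) | force

def audit(text):
    """Return (section, parameter, note) findings for the three checks."""
    conf, found = parse_smb_conf(text), []
    glob = conf.get("global", {})
    if glob.get("admin users"):
        found.append(("global", "admin users", "file operations run as root"))
    if glob.get("hosts allow") == "":
        found.append(("global", "hosts allow", "empty: all hosts permitted"))
    for name, share in conf.items():
        if name == "global":
            continue
        fmode = effective_mode(share, "create mask", "force create mode", 0o600, "0744")
        dmode = effective_mode(share, "directory mask", "force directory mode", 0o700, "0755")
        if (fmode | dmode) & 0o007:  # any permission bit granted to "other"
            found.append((name, "mode masks", f"files {fmode:04o}, dirs {dmode:04o}"))
    return found

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(*finding, sep=": ")
```

With the posted values, an owner-only request still lands at 0775, because `force create mode` re-adds the bits that `create mask = 0664` would have cleared.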
