For the remainder of this chapter the focus is on the configuration of domain control. The examples that follow are for two implementation strategies. Remember, our objective is to create a simple but working solution. The remainder of this book should help to highlight opportunity for greater functionality and the complexity that goes with it.
A domain controller configuration can be achieved with a simple configuration using the new tdbsam password backend. This type of configuration is good for small offices, but has limited scalability (cannot be replicated), and performance can be expected to fall as the size and complexity of the domain increases.
The use of tdbsam is best limited to sites that do not need more than a Primary Domain Controller (PDC). As the size of a domain grows the need for additional domain controllers becomes apparent. Do not attempt to under-resource a Microsoft Windows network environment; domain controllers provide essential authentication services. The following are symptoms of an under-resourced domain control environment:
Domain logons intermittently fail.
File access on a domain member server intermittently fails, giving a permission denied error message.
A more scalable domain control authentication backend option might use Microsoft Active Directory or an LDAP-based backend. Samba-3 provides for both options as a domain member server. As a PDC, Samba-3 is not able to provide an exact alternative to the functionality that is available with Active Directory. Samba-3 can provide a scalable LDAP-based PDC/BDC solution.
The tdbsam authentication backend provides no facility to replicate the contents of the database, except by external means (i.e., there is no self-contained protocol in Samba-3 for Security Account Manager database [SAM] replication).
If you need more than one domain controller, do not use a tdbsam authentication backend.
The engineering office network server we present here is designed to demonstrate use of the new tdbsam password backend. The tdbsam facility is new to Samba-3. It is designed to provide many user and machine account controls that are possible with Microsoft Windows NT4. It is safe to use this in smaller networks.
Example 2.7. Engineering Office smb.conf (globals)
Example 2.8. Engineering Office smb.conf (shares and services)
Create UNIX group accounts as needed using a suitable operating system tool:
Create user accounts on the system using the appropriate tool provided with the operating system. Make sure all user home directories are created also. Add users to groups as required for access control on files, directories, printers, and as required for use in the Samba environment.
#### Keep this as a shell script for future re-use
# First assign well known groups
net groupmap add ntgroup="Domain Admins" unixgroup=ntadmins rid=512 type=d
net groupmap add ntgroup="Domain Users" unixgroup=users rid=513 type=
net groupmap add ntgroup="Domain Guests" unixgroup=nobody rid=514 type=d
# Now for our added Domain Groups
net groupmap add ntgroup="Designers" unixgroup=designers type=d
net groupmap add ntgroup="Engineers" unixgroup=engineers type=d
net groupmap add ntgroup="QA Team" unixgroup=qateam type=d
scriptsdirectory for use in the
mkdir -p /var/lib/samba/netlogon/scripts
Place the logon scripts that will be used (batch or cmd scripts) in this directory.
The above configuration provides a functional PDC system to which must be added file shares and printers as required.