Domain Controller

For the remainder of this chapter the focus is on the configuration of domain control. The examples that follow are for two implementation strategies. Remember, our objective is to create a simple but working solution. The remainder of this book should help to highlight opportunity for greater functionality and the complexity that goes with it.

A domain controller configuration can be achieved with a simple configuration using the new tdbsam password backend. This type of configuration is good for small offices, but has limited scalability (cannot be replicated), and performance can be expected to fall as the size and complexity of the domain increases.

The use of tdbsam is best limited to sites that do not need more than a Primary Domain Controller (PDC). As the size of a domain grows the need for additional domain controllers becomes apparent. Do not attempt to under-resource a Microsoft Windows network environment; domain controllers provide essential authentication services. The following are symptoms of an under-resourced domain control environment:

  • Domain logons intermittently fail.

  • File access on a domain member server intermittently fails, giving a permission denied error message.

A more scalable domain control authentication backend option might use Microsoft Active Directory or an LDAP-based backend. Samba-3 provides for both options as a domain member server. As a PDC, Samba-3 is not able to provide an exact alternative to the functionality that is available with Active Directory. Samba-3 can provide a scalable LDAP-based PDC/BDC solution.

The tdbsam authentication backend provides no facility to replicate the contents of the database, except by external means (i.e., there is no self-contained protocol in Samba-3 for Security Account Manager database [SAM] replication).


If you need more than one domain controller, do not use a tdbsam authentication backend.

Example: Engineering Office

The engineering office network server we present here is designed to demonstrate use of the new tdbsam password backend. The tdbsam facility is new to Samba-3. It is designed to provide many user and machine account controls that are possible with Microsoft Windows NT4. It is safe to use this in smaller networks.

Example 2.7. Engineering Office smb.conf (globals)

workgroup = MIDEARTH
netbios name = FRODO
passdb backend = tdbsam
printcap name = cups
add user script = /usr/sbin/useradd -m %u
delete user script = /usr/sbin/userdel -r %u
add group script = /usr/sbin/groupadd %g
delete group script = /usr/sbin/groupdel %g
add user to group script = /usr/sbin/groupmod -A %u %g
delete user from group script = /usr/sbin/groupmod -R %u %g
add machine script = /usr/sbin/useradd -s /bin/false -d /var/lib/nobody %u
# Note: The following specifies the default logon script.
# Per user logon scripts can be specified in the user account using pdbedit
logon script = scripts\logon.bat
# This sets the default profile path. Set per user paths with pdbedit
logon path = \\%L\Profiles\%U
logon drive = H:
logon home = \\%L\%U
domain logons = Yes
os level = 35
preferred master = Yes
domain master = Yes
idmap uid = 15000-20000
idmap gid = 15000-20000
printing = cups

Example 2.8. Engineering Office smb.conf (shares and services)

comment = Home Directories
valid users = %S
read only = No
browseable = No
# Printing auto-share (makes printers available thru CUPS)

comment = All Printers
path = /var/spool/samba
printer admin = root, maryo
create mask = 0600
guest ok = Yes
printable = Yes
browseable = No

comment = Printer Drivers Share
path = /var/lib/samba/drivers
write list = maryo, root
printer admin = maryo, root
# Needed to support domain logons

comment = Network Logon Service
path = /var/lib/samba/netlogon
admin users = root, maryo
guest ok = Yes
browseable = No
# For profiles to work, create a user directory under the path
# shown. i.e., mkdir -p /var/lib/samba/profiles/maryo

comment = Roaming Profile Share
path = /var/lib/samba/profiles
read only = No
profile acls = Yes
# Other resource (share/printer) definitions would follow below.

  1. A working PDC configuration using the tdbsam password backend can be found in Engineering Office smb.conf (globals) together with Engineering Office smb.conf (shares and services):

  2. Create UNIX group accounts as needed using a suitable operating system tool:

    root# groupadd ntadmins
    root# groupadd designers
    root# groupadd engineers
    root# groupadd qateam
  3. Create user accounts on the system using the appropriate tool provided with the operating system. Make sure all user home directories are created also. Add users to groups as required for access control on files, directories, printers, and as required for use in the Samba environment.

  4. Assign each of the UNIX groups to NT groups by executing this shell script (You could name the script

    #### Keep this as a shell script for future re-use

    # First assign well known groups
    net groupmap add ntgroup="Domain Admins" unixgroup=ntadmins rid=512 type=d
    net groupmap add ntgroup="Domain Users" unixgroup=users rid=513 type=
    net groupmap add ntgroup="Domain Guests" unixgroup=nobody rid=514 type=d

    # Now for our added Domain Groups
    net groupmap add ntgroup="Designers" unixgroup=designers type=d
    net groupmap add ntgroup="Engineers" unixgroup=engineers type=d
    net groupmap add ntgroup="QA Team" unixgroup=qateam type=d
  5. Create the scripts directory for use in the [NETLOGON] share:

    root# mkdir -p /var/lib/samba/netlogon/scripts

    Place the logon scripts that will be used (batch or cmd scripts) in this directory.

The above configuration provides a functional PDC system to which must be added file shares and printers as required.

'리눅스 서버에 대해서 > 리눅스 팁들' 카테고리의 다른 글

쉘 프로그래밍 강좌  (0) 2013.01.10
GNU Make 강좌  (0) 2013.01.07
이클립스에서 C++ 환경 만들기  (0) 2012.12.10
Samba Domain Setting  (0) 2010.08.29
make 강좌  (0) 2010.07.04
vi(Visual) Editor 사용법  (0) 2008.06.15

+ Recent posts