Saturday, February 28, 2009

Samba 3 as PDC

  1. Set up the Samba 3 server to authenticate against OpenLDAP as shown in a previous post
  2. Set the following in smb.conf (roaming profile disabled)
    domain logons = yes
    domain master = yes
    logon home =
    logon path =
  3. Create the following well-known groups under Ou=Group. This can be done in phpLDAPadmin by creating a child entry using the template Samba3 Group Mapping. It may also be done with the command net groupmap add. Their values for the attributes cn, displayName and sambaSID are shown below (the first three are the essential domain groups):
    admin,Domain Admins, (sambaSID of sambaDomainName)-512
    guest,Domain Users, (sambaSID of sambaDomainName)-513
    host,Domain Guests, (sambaSID of sambaDomainName)-514
    user,Domain Computers, (sambaSID of sambaDomainName)-515
    The result can be checked with net groupmap list
  4. Add at least one user from Ou=people to the memberUid attribute of the group cn=admin,ou=Group. Its credentials will be needed later when joining workstations to the domain.
  5. Create machine trust accounts under Ou=Hosts for the workstations before joining them to the domain. This can be done in phpLDAPadmin by creating a child entry using the template Samba 3 machine. Its Machine Name attribute must be in the format machine_name$, and I chose to set its gid attribute to that of the host group. The attribute sambaNTPassword will automatically show up once the workstation has successfully joined the domain.
  6. When prompted for username and password to join the domain, enter the uid and sambaNTPassword of the user who is a member of Domain Admins.
  7. Add the group Domain Users to the local Administrators group on a domain workstation (XP Pro) to enable remote desktop access on it for the domain users. The group Domain Admins (RID 512) is already added when the workstation joins the domain.
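As an added example (not part of the original post, and not a Samba project script), the following POSIX shell snippet covers steps 3 and the "net groupmap list" check: it derives the four well-known group SIDs from the domain SID, prints the net groupmap add commands using the unix group names from the list above, and checks a net groupmap list listing for the four RIDs. The domain SID value is a constructed placeholder; on a real PDC take it from net getlocalsid. The listing it checks is constructed sample text, not output captured from a server.

```shell
#!/bin/sh
# Added example for the Samba 3 PDC post: build the well-known group
# mappings from the domain SID and verify them against `net groupmap list`.

# Constructed placeholder; on the real PDC use the value shown by
# `net getlocalsid` (the sambaSID of the sambaDomainName entry).
DOMAIN_SID="${DOMAIN_SID:-S-1-5-21-1111111111-2222222222-3333333333}"

# well_known_sid RID -> prints "<domain SID>-<RID>"
well_known_sid() {
    printf '%s-%s\n' "$DOMAIN_SID" "$1"
}

# groupmap_commands: prints one `net groupmap add` line per well-known
# group, using the unixgroup/ntgroup/RID pairing from the post.
groupmap_commands() {
    for entry in "admin:Domain Admins:512" \
                 "guest:Domain Users:513" \
                 "host:Domain Guests:514" \
                 "user:Domain Computers:515"; do
        unixgroup=${entry%%:*}
        rest=${entry#*:}
        ntgroup=${rest%%:*}
        rid=${rest#*:}
        printf 'net groupmap add ntgroup="%s" unixgroup=%s sid=%s type=domain\n' \
            "$ntgroup" "$unixgroup" "$(well_known_sid "$rid")"
    done
}

# verify_groupmap: read `net groupmap list` output on stdin and return 0
# only when RIDs 512-515 are all mapped; prints each missing RID.
# `net groupmap list` prints lines of the form: NTGROUP (SID) -> unixgroup
verify_groupmap() {
    listing=$(cat)
    missing=0
    for rid in 512 513 514 515; do
        sid=$(well_known_sid "$rid")
        case "$listing" in
            *"($sid) ->"*) ;;
            *) echo "missing mapping for RID $rid"; missing=1 ;;
        esac
    done
    return $missing
}

# Constructed sample listing in the `net groupmap list` format (not real output)
SAMPLE_LISTING="Domain Admins (${DOMAIN_SID}-512) -> admin
Domain Users (${DOMAIN_SID}-513) -> guest
Domain Guests (${DOMAIN_SID}-514) -> host
Domain Computers (${DOMAIN_SID}-515) -> user"

# Usage: print the commands to run on the PDC, then check the sample listing
groupmap_commands
printf '%s\n' "$SAMPLE_LISTING" | verify_groupmap && echo "all four well-known groups are mapped"
```

On the PDC, pipe the real listing into the check with net groupmap list | sh -c '. ./groupmap.sh; verify_groupmap' after exporting DOMAIN_SID, or simply compare the printed SIDs by eye; a missing RID 512 or 513 mapping is the usual cause of domain joins failing or domain users not being recognised on workstations.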

Great Ref: The Official Samba 3.2.x HOWTO and Reference Guide
1. Chapter 27. Desktop Profile Management: contains instructions on how to
  • Disable roaming profiles
  • Convert Local Profile to Domain Profile
2. Chapter 12. Group Mapping: MS Windows and UNIX: contains important information about essential domain groups and their default RID.
