Samba as a Primary Domain Controller Debian/Ubuntu
Samba is a free software re-implementation of the SMB/CIFS networking protocol, and was originally developed by Andrew Tridgell. Samba provides file and print services for various Microsoft Windows clients and can integrate with a Microsoft Windows Server domain, either as a Domain Controller (DC) or as a domain member. As of version 4, it supports Active Directory and Microsoft Windows NT domains.
Samba runs on most Unix, OpenVMS and Unix-like systems, such as Linux, Solaris, AIX and the BSD variants, including Apple's OS X Server, and OS X client (version 10.2 and greater). Samba is standard on nearly all distributions of Linux and is commonly included as a basic system service on other Unix-based operating systems as well. Samba is released under the terms of the GNU General Public License. The name Samba comes from SMB (Server Message Block), the name of the standard protocol used by the Microsoft Windows network file system.
There are four main steps for setting up Samba as a classic (NT4-style) PDC. This configuration provides domain logons, roaming profiles and logon scripts for Windows clients; it is not an Active Directory domain controller.
Linux domain controller
- Install Samba
- Configure /etc/samba/smb.conf
- Add domain users
- Register all Windows computers with Samba PDC.
Run the following commands in a terminal to install Samba:
[root@hackthesec /]# apt-get install samba
[root@hackthesec /]# apt-get install samba-common
[root@hackthesec /]# apt-get install samba-common-bin
The main configuration of the Samba server is found in /etc/samba/smb.conf. For a PDC there are three sections of the file you need to configure: [global], [netlogon] and [homes].
Before you start modifying the configuration file, I suggest you back up the existing Samba configuration file.
[root@hackthesec /]# cp /etc/samba/smb.conf /etc/samba/smb.conf.old
[global]
workgroup = sambadomain
netbios name = sambapdc
server string = Samba PDC
domain master = yes
preferred master = yes
domain logons = yes
logon script = netlogon.bat
add machine script = /usr/sbin/useradd -N -g machines -c Machine -d /var/lib/samba -s /bin/false %u
security = user
encrypt passwords = yes
wins support = yes
name resolve order = wins lmhosts hosts bcast
logon path = \\%N\%U\profile
logon drive = H:
logon home = \\%N\%U
Change workgroup to the name of your domain: this is the domain the Windows clients join, not the name of the PDC itself, which is set by netbios name. logon script names the batch file in the [netlogon] share that clients run at logon; without it, nothing in that share is executed. If there is already a WINS server on your network, remove "wins support = yes", because more than one WINS server on a network causes name-resolution conflicts. "wins support = yes" makes Samba act as the WINS (NetBIOS name) server; in that case the Windows clients should be configured to use the PDC's IP address as their WINS server.
Creating LMHOSTS file
Don't forget to add the domain controller's IP address to the LMHOSTS file, which maps the NetBIOS names of the domain and of the PDC to the controller's IP address. When you add a Windows computer to SAMBADOMAIN, Windows has to find the PDC's IP address; if it cannot, the computer cannot be joined to the domain.
The LMHOSTS file should be created as /etc/samba/lmhosts. Its format is that of /etc/hosts (an IP address followed by a name on each line), except that the names are NetBIOS names rather than host names; NetBIOS names are limited to 15 characters. For example, if your PDC has the IP address 192.168.2.252, with sambadomain as the workgroup name and sambapdc as the NetBIOS name, the content of the lmhosts file should look like the following:
192.168.2.252 sambadomain
192.168.2.252 sambapdc
After creating /etc/samba/lmhosts, restart nmbd so that it reads the file. The following starts nmbd by hand: -H names the lmhosts file and -D runs it as a daemon. If the nmbd started by the Samba init scripts is already running, stop it first, so that two instances do not compete for the NetBIOS ports.
[root@hackthesec /]# nmbd -H /etc/samba/lmhosts -D
Configuring [netlogon] parameters
[netlogon]
path = /var/lib/samba/netlogon
browseable = no
read only = yes
write list = root
create mask = 0644
directory mask = 0755
/var/lib/samba/netlogon is the directory the PDC serves logon scripts from. When a user logs on to the domain, the client fetches the script named by logon script in [global] (netlogon.bat here) from this share and runs it with the user's rights on the workstation. Because every domain user executes what is in this share, it must not be writable by ordinary users: read only = yes with write list = root lets only root change the scripts, and a create mask of 0644 keeps scripts readable by everyone (with 0700, scripts created by root could not be read by the users who need to run them). Do not use valid users = %S here: %S expands to the share name, so it would restrict the share to a user called "netlogon" and nobody else could run the script.
[root@hackthesec /]# mkdir -m 0755 /var/lib/samba/netlogon
For example, to map a network drive from the PDC automatically at logon, create the following netlogon.bat script in /var/lib/samba/netlogon. It is a Windows batch file: comments start with REM, and the file must use CRLF line endings or cmd.exe will not run it correctly. The share named "share" is only an example; define it in smb.conf before using it.
REM Samba Logon Script
net use x: \\sambapdc\share
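The following shell script is an added example, not part of the original article, that creates the [netlogon] directory and writes the logon script with CRLF line endings, owned by root and readable but not writable by anyone else, then checks both properties. The directory, server name and share name are parameters; the values used in the usage line at the bottom are the article's examples.

```shell
#!/bin/sh
# Added example (not from the original article): create the netlogon share
# directory and a CRLF-terminated netlogon.bat that ordinary domain users can
# read but not modify. Directory, PDC NetBIOS name and share name are passed
# in; the defaults at the bottom are the article's example values.
set -eu

# write_logon_script DIR SERVER SHARE
write_logon_script() {
    dir="$1"          # directory exported as [netlogon]
    server="$2"       # NetBIOS name of the PDC
    share="$3"        # share to map to drive X:

    mkdir -p -m 0755 "$dir"
    # printf with explicit \r\n: cmd.exe expects CRLF line endings.
    # Write to a temporary name and rename, so a client logging on while the
    # script is being replaced never sees a half-written file.
    printf 'REM Samba logon script\r\nnet use x: \\\\%s\\%s\r\n' \
        "$server" "$share" > "$dir/netlogon.bat.tmp"
    chmod 0644 "$dir/netlogon.bat.tmp"
    mv "$dir/netlogon.bat.tmp" "$dir/netlogon.bat"
}

# check_logon_script FILE: return 0 if every line ends in CRLF and neither
# group nor others may write the file; return 1 otherwise.
check_logon_script() {
    f="$1"
    [ -f "$f" ] || return 1
    # grep -v selects lines NOT ending in a carriage return; any such line
    # means the file is not CRLF-terminated throughout.
    if grep -q -v "$(printf '\r')\$" "$f"; then
        return 1
    fi
    # Portable permission check on the mode string from ls -l:
    # position 6 is the group write bit, position 9 the other write bit.
    case "$(ls -ld "$f")" in
        ?????w*|????????w*) return 1 ;;
    esac
    return 0
}

# Usage with the article's values (run as root on the PDC):
#   write_logon_script /var/lib/samba/netlogon sambapdc share
#   check_logon_script /var/lib/samba/netlogon/netlogon.bat
```

Run it as root on the PDC; the mkdir matches the 0755 directory the article creates, and check_logon_script is a quick way to confirm that a script edited later (for instance with a Unix editor that silently converts line endings) is still CRLF-terminated and not group- or world-writable.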
Configuring [homes] parameters
This section serves each user's home directory as a share named after the user. It also holds the roaming profile, because logon path in [global] points to \\%N\%U\profile, so the share must be writable by its owner.
[homes]
valid users = %S
browseable = no
read only = no
create mask = 0600
directory mask = 0700
valid users = %S restricts each home share to the user it belongs to. Do not add guest ok = yes here: it would offer unauthenticated access to home directories and profiles, and read only = yes would prevent the profile from being saved at logoff.
Testing the configuration file
After saving all configuration files, test your configuration with the following command:
[root@hackthesec /]# testparm
Sample output:
Load smb config files from /etc/samba/smb.conf
Processing section "[global]"
Global parameter wins support found in service section!
Processing section "[netlogon]"
Global parameter wins support found in service section!
Processing section "[homes]"
Global parameter wins support found in service section!
A warning such as "Global parameter wins support found in service section!" means that a parameter which is only valid in [global] was placed under a share section; move it into [global] and run testparm again until it reports no warnings. testparm also prints the server role it derived from the configuration; with domain logons, domain master and security = user set as above it should report ROLE_DOMAIN_PDC.
Adding Domain Users
Adding admin user and group for the PDC
Samba maps the domain's administrator to the Unix root user. Add root to the Samba password database with the following command (this sets a separate Samba password, not the Unix root password; choose a strong one, because it grants domain administrator rights over SMB):
[root@hackthesec /]# smbpasswd -a root
Create a machines group
The next step is to create a group called "machines", which the machine accounts of joined workstations will belong to:
[root@hackthesec /]# groupadd machines
Samba will automatically add users to this group, as long as you configure "add machine script" correctly in [global] section in /etc/samba/smb.conf.
Create a Linux Account for PDC login
You need a Unix account on the PDC for each domain user, because smbpasswd -a only adds a Samba password for a user that already exists on the system. In this example the account gets no login shell, so every access to the PDC must go through Samba.
For example, creating user "hackthesec":
[root@hackthesec /]# useradd -m -s /bin/false hackthesec
[root@hackthesec /]# smbpasswd -a hackthesec
Enter the same password twice.
Make sure the account is enabled. Accounts created with -a are enabled already; -e re-enables one that was disabled with -d:
[root@hackthesec /]# smbpasswd -e hackthesec
Grant user "hackthesec" the privileges needed to join workstations to the domain and to administer it. Authenticate as the Samba root account with -U root:
[root@hackthesec /]# net rpc rights grant "SAMBADOMAIN\hackthesec" SeMachineAccountPrivilege SePrintOperatorPrivilege SeAddUsersPrivilege SeDiskOperatorPrivilege SeRemoteShutdownPrivilege -U root
Only SeMachineAccountPrivilege is required to join a computer to the domain. The others (adding users, managing shares and printers, remote shutdown) are administrative, so grant this full set only to the account you use for domain administration, not to ordinary users, who need no privileges at all to log on.
Finally, map the Windows "Domain Admins" group (well-known RID 512) to a Unix group, so that members of that group are recognised as domain administrators. Here it is mapped to the root group:
[root@hackthesec /]# net groupmap add ntgroup="Domain Admins" unixgroup=root rid=512 type=d
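The user-creation steps above are interactive. The script below is an added example, not from the original article, that provisions a domain user the same way (Unix account without a login shell, then the Samba password) but reads the password from standard input and passes it to smbpasswd -s, so it never appears on a command line where any local user could read it with ps. The run helper and the DRY_RUN variable are assumptions of this example: with DRY_RUN=1 the privileged commands are printed instead of executed, which also lets the script be exercised on a machine without Samba.

```shell
#!/bin/sh
# Added example (not from the original article): provision a domain user on an
# NT4-style Samba PDC. The Unix account gets no login shell, the Samba
# password is read from stdin and handed to smbpasswd -s (never placed on the
# command line, where it would be visible in `ps`), and the passdb entry is
# listed afterwards with pdbedit. DRY_RUN=1 prints the privileged commands
# instead of running them (an assumption of this example, not a Samba feature).
set -eu

# Run a command, or print it when DRY_RUN=1.
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf 'DRY: %s\n' "$*"
    else
        "$@"
    fi
}

# Accept only names that are safe to hand to useradd and smbpasswd:
# lowercase letters, digits, '_' and '-', no leading '-', at most 20 characters.
valid_username() {
    case "$1" in
        ''|*[!a-z0-9_-]*|-*) return 1 ;;
    esac
    [ "${#1}" -le 20 ]
}

# add_domain_user NAME   (password is read as one line from stdin)
add_domain_user() {
    name="$1"
    valid_username "$name" || { echo "bad user name: $name" >&2; return 1; }
    IFS= read -r password || return 1
    [ -n "$password" ] || { echo "empty password" >&2; return 1; }

    # Unix account: a home directory for the [homes] share and the roaming
    # profile, and /bin/false so the user cannot log in to the PDC itself.
    run useradd -m -s /bin/false -c "Samba domain user" "$name"

    # Samba account: smbpasswd -s reads the password twice from stdin, so the
    # secret travels through a pipe and not through the argument list.
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf 'DRY: smbpasswd -a -s %s (password from stdin)\n' "$name"
    else
        printf '%s\n%s\n' "$password" "$password" | smbpasswd -a -s "$name"
    fi

    # Show the resulting passdb entry for NAME.
    run pdbedit -L -u "$name"
}

# Usage (as root on the PDC), prompting without echo:
#   printf 'Password: '; IFS= read -rs pw; echo; printf '%s\n' "$pw" | add_domain_user hackthesec
```

Because the password is read from a pipe, the same function works from an automated provisioning job that pulls the initial password from a secrets store; the user name check keeps unexpected characters out of the useradd and smbpasswd calls.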