Debian: Samba PDC Server

From ReceptiveIT
Jump to: navigation, search

This howto is currently a work-in-progress. Watch for VERY sharp edges.


When people talk about a Primary Domain Controller, or PDC, they are really talking about a number of different protocols working together to allow Windows network clients to access authentication information, file shares and network printers. Network protocols required to perform the role of PDC are

  • DHCP
  • DNS
  • LDAP



The Dynamic Host Configuration Protocol (DHCP) is a protocol that automates the assignment of IP addresses, subnet masks, default routers, and other IP parameters. The assignment usually occurs when the DHCP configured machine boots up, or regains connectivity to the network. The DHCP client sends out a query requesting a response from a DHCP server on the locally attached network. The DHCP server then replies to the client PC with its assigned IP address, subnet mask, DNS server and default gateway information. The assignment of the IP address usually expires after a predetermined period of time, at which point the DHCP client and server renegotiate a new IP address from the server's predefined pool of addresses. DHCP is a broadcast-based protocol. As with other types of broadcast traffic, it won't cross a router unless specifically configured to do so. If you need such capability, you must configure your routers to pass DHCP traffic that occurs across UDP ports 67 and 68. DHCP operations fall into four basic phases. These phases are IP lease request, IP lease offer, IP lease selection, and IP lease acknowledgement.

Install DHCP Server

To install a DHCP server in Debian is simple, using the trusty apt-get utility.

apollo:~# apt-get install dhcp3-server

Configure DHCP Server

Configuring the newly installed DHCP server, like most things in Debian, is done by editing the appropriate configuration file, which is done using your favourite text editor. I will be using vi, but feel free to use pico, nano, or any other editor you choose.

apollo:~# pico /etc/dhcp3/dhcpd.conf

Sample dhcpd.conf

# dhcpd.conf
# DHCP Server for our organisation

# Will this DHCP server attempt to update DNS when a lease is confirmed?
ddns-update-style none;

# option definitions common to all supported networks...
option domain-name "domain.local";
option domain-name-servers;
option routers;
option netbios-name-servers;
option netbios-dd-server;
option netbios-node-type 8;
option broadcast-address;
option subnet-mask;

default-lease-time 600;
max-lease-time 7200;

# If this DHCP server is the official DHCP server for the local
# network, the authoritative directive should be uncommented.

# Use this to send dhcp log messages to a different log file (you also
# have to hack syslog.conf to complete the redirection).
log-facility local7;

subnet netmask {
 option subnet-mask;

# Dynamically Assigned Static Addresses

host reception {
 hardware ethernet 00:0b:6a:0f:33:97;

Start DHCP Server

Starting a Daemon (or service for you Windows loving hippies), is done by invoking a script, which lives under /etc/init.d, with the start keyword.

apollo:~# /etc/init.d/dhcp3-server start
Starting DHCP server: dhcpd3.

If you don't see any error messages, it looks like your DHCP server is running, we can check this by checking if the DHCP process is running. If the dhcp process is listed, the service is running!

apollo:~# ps auxww | grep dhcp
root      4412  0.0  0.1   2752   856 ?        Ss   16:41   0:00 /usr/sbin/dhcpd3 -q

The next step is for another PC to request an IP address from your new DHCP server. If you find that your PC is not getting the correct settings from your DHCP server, you should check your dhcpd.conf file for errors.



Install DNS Server

We need to call upon apt-get once again to install our DNS server.

apollo:~# apt-get install bind9 bind9-doc dnsutils

Configure DNS Server

Once installed, it will start automatically without configuration, although we need to set up a DNS zone so our network clients can resolve our Samba PDC hostname to an IP address, at the very least. BIND has a split configuration file, so we need to modify more than one.

If your ISP has provided you with some DNS servers, you should consider including them as forwarders in your named.conf.options. This will decrease the load on your DNS server, as it will not need to fully recursively search for all name resolution requests itself, it can simply send and external requests to your forwarders. /etc/bind/named.conf.options

forwarders {;


zone "domain.local" {
       type master;
       file "/var/cache/bind/db.domain.local";


; db.domain.local
$TTL    604800
@       IN      SOA     domain.local. root.domain.local. (
                    2006110701         ; Serial
                        604800         ; Refresh
                         86400         ; Retry
                       2419200         ; Expire
                        604800 )       ; Negative Cache TTL
; NS Records
@       IN      NS      brutus.domain.local.

; A Records
@               IN      A
fw              IN      A
brutus          IN      A

Start DNS Server

Since the DNS daemon is already running, we have to restart it. This is done by invoking a script, which lives under /etc/init.d, with the restart keyword.

apollo:~# /etc/init.d/bind9 restart
Stopping domain name service...: bind.
Starting domain name service...: bind.

If you don't see any error messages, it looks like your DNS server is running. The easiest way to find out if our DNS server is working, is to try and resolve a hostname to and IP address for the zone file we just created.

apollo:~# dig brutus.domain.local @

; <<>> DiG 9.3.2-P1 <<>> brutus.domain.local @
; (1 server found)
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 353
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 0

;brutus.domain.local.       IN      A

brutus.domain.local. 604800 IN      A

domain.local.       604800  IN      NS      brutus.domain.local.

;; Query time: 1 msec
;; WHEN: Tue Nov  7 17:15:59 2006
;; MSG SIZE  rcvd: 71

Congratulations, you now have a working DNS server for your domain.local domain. You can add more static hosts by simply adding more A Records and restarting BIND.



Install LDAP

apollo:~# apt-get install slapd db4.6-util



Install Samba

apollo:~# apt-get install samba samba-doc smbldap-tools

Configure Samba


Edit /etc/samba/smb.conf

# Global parameters
workgroup = BIGDOMAIN
server string = Samba file and print server

# Domain Master
os level = 65
domain logons = yes
preferred master = yes
local master = yes
domain master = yes

# Security
security = user
nt acl support = yes
encrypt passwords = yes
obey pam restrictions = no
enable privileges = yes
passdb backend = ldapsam:ldap://
ldap admin dn = cn=admin,dc=bigdomain,dc=local
ldap suffix = dc=bigdomain,dc=local
ldap group suffix = ou=Groups
ldap user suffix = ou=Users
ldap machine suffix = ou=Computers
ldap idmap suffix = ou=IdMap
ldap ssl = no
ldap delete dn = yes

# Account Management
ldap passwd sync = yes
passwd chat = *New*password* %n\n *Retype*new*password* %n\n *all*authentication*tokens*updated*
passwd chat debug = Yes
passwd program = /usr/sbin/smbldap-passwd %u
add user script = /usr/sbin/smbldap-useradd -a -m "%u"
delete user script = /usr/sbin/smbldap-userdel "%u"
rename user script = /usr/sbin/smbldap-usermod -r "%unew" "%uold"
add machine script = /usr/sbin/smbldap-useradd -w "%u"
add group script = /usr/sbin/smbldap-groupadd -p "%g"
delete group script = /usr/sbin/smbldap-groupdel "%g"
add user to group script = /usr/sbin/smbldap-groupmod -m "%u" "%g"
delete user from group script = /usr/sbin/smbldap-groupmod -x "%u" "%g"
set primary group script = /usr/sbin/smbldap-usermod -g "%g" "%u"

# Account Defaults
#logon script = login.bat
#logon path = \\\profiles\%u # The IP of the server
#logon drive = H:
#logon home = \\\%u # The IP of the server
logon path = 
logon home = 

# Name Resolution
wins support = yes
dns proxy = no
name resolve order = wins lmhosts bcast
socket options = TCP_NODELAY SO_SNDBUF=8192 SO_RCVBUF=8192

# Logging
log level = 0
log file = /var/log/samba/%m
max log size = 1000

# Printing
printcap name = cups
printing = cups

comment = Home Directories
valid users = %S
read only = No
create mask = 0644
directory mask = 0775
browseable = No

comment = Network Logon Service
path = /home/samba/netlogon
guest ok = yes
read only = yes
write list = @"Domain Admins"
share modes = no

path = /home/samba/profiles
read only = no
create mask = 0600
directory mask = 0700
browseable = No
guest ok = Yes
profile acls = yes
csc policy = disable
force user = %U
valid users = %U "Domain Admins"

comment = All Printers
browseable = no
path = /var/spool/samba
printable = yes
guest ok = no
read only = yes
create mask = 0700

comment = Printer Drivers
path = /home/samba/printers
browseable = yes
read only = yes
guest ok = no
# Uncomment to allow remote administration of Windows print drivers.
# Replace 'ntadmin' with the name of the group your admin users are
# members of.
;   write list = root, @ntadmin

comment = Company
path = /data/company
browseable = yes
valid users = @"Domain Users",@"Domain Admins"
writeable = yes
directory mode = 775
create mode = 664 

Delegate Responsibility

For a user or group to join a computer to the domain, it must have certain privileges. enable privileges = yes is a good start, so you don't have to be root to perform this task. Next you must grant the "add machine" privilege.

root#  net -S server -U domadmin rpc rights grant 'DOMAIN\Domain Admins' SeMachineAccountPrivilege

LDAP Authentication

We need to add the Samba schema to the OpenLDAP schema

apollo:~# zcat /usr/share/doc/samba-doc/examples/LDAP/samba.schema.gz > /etc/ldap/schema/samba.schema

Edit /etc/ldap/slapd.conf and add the following to the Schema section.

include         /etc/ldap/schema/samba.schema

Restart OpenLDAP

apollo:~# /etc/init.d/slapd restart

We need to tell Samba what the LDAP Admin password is.

apollo:~# smbpasswd -W
Setting stored password for "cn=admin,dc=bigdomain,dc=local" in secrets.tdb
New SMB password: secret password
Retype new SMB password: secret password

To check if it is all working, lets ask Samba to give us the local SID (Security Identifier) for our machine. If it succeeds, that means that Samba can talk to the LDAP server. We will need the SID for the next step.

apollo:~# net getlocalsid
SID for domain APOLLO is: S-1-5-21-2354762441-7657691332-485660043


We need to get a base copy of the configuration files into the config directory.

apollo:~# cd /etc/smbldap-tools
apollo:/etc/smbldap-tools# cp /usr/share/doc/smbldap-tools/examples/smbldap_bind.conf .
apollo:/etc/smbldap-tools# zcat /usr/share/doc/smbldap-tools/examples/smbldap.conf.gz > smbldap.conf

Edit smbldap_bind.conf to include the following.


We also need to protect that file, since it has the password for the LDAP admin user.

apollo:/etc/smbldap-tools# chmod 600 smbldap_bind.conf

Edit smbldap.conf to include the following.


Now we need to populate the LDAP directory with the base Samba details.

apollo:/etc/smbldap-tools# smbldap-populate
Populating LDAP directory for domain MATRIX (S-1-5-21-2354762441-7657691332-485660043)
(using builtin directory structure)

entry dc=bigdomain,dc=local already exist.
adding new entry: ou=Users,dc=bigdomain,dc=local
adding new entry: ou=Groups,dc=bigdomain,dc=local
adding new entry: ou=Computers,dc=bigdomain,dc=local
adding new entry: ou=Idmap,dc=bigdomain,dc=local
adding new entry: uid=root,ou=Users,dc=bigdomain,dc=local
adding new entry: uid=nobody,ou=Users,dc=bigdomain,dc=local
adding new entry: cn=Domain Admins,ou=Groups,dc=bigdomain,dc=local
adding new entry: cn=Domain Users,ou=Groups,dc=bigdomain,dc=local
adding new entry: cn=Domain Guests,ou=Groups,dc=bigdomain,dc=local
adding new entry: cn=Domain Computers,ou=Groups,dc=bigdomain,dc=local
adding new entry: cn=Administrators,ou=Groups,dc=bigdomain,dc=local
adding new entry: cn=Account Operators,ou=Groups,dc=bigdomain,dc=local
adding new entry: cn=Print Operators,ou=Groups,dc=bigdomain,dc=local
adding new entry: cn=Backup Operators,ou=Groups,dc=bigdomain,dc=local
adding new entry: cn=Replicators,ou=Groups,dc=bigdomain,dc=local
entry sambaDomainName=BIGDOMAIN,dc=bigdomain,dc=local already exist. Updating it...

Please provide a password for the domain root:
Changing UNIX and samba passwords for root
New password: secret password
Retype new password: secret password

Mental note: The smbldap-tools package in the Ubuntu repository is completely broken with the current version of Samba. Download the current ones from

Logon Script

Sample logon.bat

Folder Redirection

Sample folderRedirection.vbs

Disable Roaming Profiles

Roaming profiles get activated by a couple of settings in the configuration file. These settings can also get overrided by the same options set in LDAP. Edit your smb.conf file with the following options set

logon path =
logon home =