
20.6.3. Domain Controller

A domain controller in Windows NT is functionally similar to a Network Information Service (NIS) server in a Linux environment. Domain controllers and NIS servers both host user/group information databases as well as related services. Domain controllers are mainly used for security, including the authentication of users accessing domain resources. The service that maintains the user/group database integrity is called the Security Account Manager (SAM). The SAM database is stored differently between Windows and Linux Samba-based systems, therefore SAM replication cannot be achieved and platforms cannot be mixed in a PDC/BDC environment.
In a Samba environment, there can be only one PDC and zero or more BDCs.

Important

Samba cannot exist in a mixed Samba/Windows domain controller environment (Samba cannot be a BDC of a Windows PDC or vice versa). However, Samba PDCs and BDCs can coexist.

20.6.3.1. Primary Domain Controller (PDC) using tdbsam

[global]
workgroup = DOCS
netbios name = DOCS_SRV
passdb backend = tdbsam
security = user
add user script = /usr/sbin/useradd -m %u
delete user script = /usr/sbin/userdel -r %u
add group script = /usr/sbin/groupadd %g
delete group script = /usr/sbin/groupdel %g
add user to group script = /usr/sbin/usermod -G %g %u
add machine script = /usr/sbin/useradd -s /bin/false -d /dev/null -g machines %u
# The following specifies the default logon script.
# Per user logon scripts can be specified in the user
# account using pdbedit.
logon script = logon.bat
# This sets the default profile path.
# Set per user paths with pdbedit.
logon drive = H:
domain logons = Yes
os level = 35
preferred master = Yes
domain master = Yes
[homes]
	comment = Home Directories
	valid users = %S
	read only = No
[netlogon]
	comment = Network Logon Service
	path = /var/lib/samba/netlogon/scripts
	browseable = No
	read only = No
# For profiles to work, create a user directory under the
# path shown, for example (a shell command, not an smb.conf line):
#   mkdir -p /var/lib/samba/profiles/john
[Profiles]
	comment = Roaming Profile Share
	path = /var/lib/samba/profiles
	read only = No
	browseable = No
	guest ok = Yes
	profile acls = Yes
# Other resource shares ... ...

Note

If you need more than one domain controller or have more than 250 users, do not use a tdbsam authentication backend. LDAP is recommended in these cases.
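A small checker for the PDC configuration above, added here as an example and not taken from the Red Hat guide or from Samba itself: it parses an smb.conf into sections, confirms the global settings the PDC role depends on are present, and flags share permissions a reviewer would want to look at (a writable [netlogon] and guest access on the profile share). The sample configuration is constructed from the listing above; the function names are this example's own.

```python
import re

# Constructed sample, trimmed from the PDC configuration shown above.
SAMPLE_SMB_CONF = """\
[global]
workgroup = DOCS
passdb backend = tdbsam
security = user
domain logons = Yes
domain master = Yes
[netlogon]
\tpath = /var/lib/samba/netlogon/scripts
\tread only = No
[Profiles]
\tpath = /var/lib/samba/profiles
\tguest ok = Yes
"""

def parse_smb_conf(text):
    """Return {section: {param: value}} with names lower-cased and whitespace
    collapsed, as smbd treats them. Hand-rolled because configparser would read
    the tab-indented share lines as continuations of the previous value."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            current = " ".join(m.group(1).lower().split())
            sections.setdefault(current, {})
        elif "=" in line and current is not None:
            key, val = line.split("=", 1)
            sections[current][" ".join(key.lower().split())] = val.strip()
    return sections

def audit_pdc(sections):
    """Findings for a PDC: role settings that are missing or wrong, and shares
    whose permissions are wider than the role needs."""
    g = sections.get("global", {})
    findings = []
    for param, want in (("domain logons", "yes"), ("domain master", "yes"),
                        ("security", "user")):
        if g.get(param, "").lower() != want:
            findings.append(f"global: '{param}' should be {want}")
    if not g.get("passdb backend"):
        findings.append("global: no 'passdb backend' set")
    # Logon scripts in [netlogon] run on every client at logon, so ordinary
    # users should not be able to write there (use a write list for admins).
    if sections.get("netlogon", {}).get("read only", "yes").lower() == "no":
        findings.append("netlogon: writable by all valid users; set read only = Yes")
    # Roaming profiles hold per-user data; guest ok admits unauthenticated clients.
    if sections.get("profiles", {}).get("guest ok", "no").lower() == "yes":
        findings.append("Profiles: review guest ok = Yes on a roaming profile share")
    return findings
```

Running `audit_pdc(parse_smb_conf(open("/etc/samba/smb.conf").read()))` on a real server gives the same findings list for the live file; `testparm` remains the authoritative syntax check.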