SAMBA 3 Helper

This web page is primarily for setting up Samba 3 on a BSD or Linux computer as a 'Classic' primary domain controller (and as such, may be a bit out of date). If you simply want to share files and printers with windows machines on your network, using Samba 3 or Samba 4, most of the things on this page will still be relevant to you. However, you will need to make changes to a few of the 'smb.conf' entries, such as security, local master, domain master, preferred master, domain logons, wins support, dns proxy, msdfs root, and host msdfs. These entries would typically be removed from smb.conf so that the default values will apply.

Setting up SAMBA 3 for a Domain Controller is a bit more difficult than setting up DHCP or DNS, or CUPS (for printing). But in order to get it 'up and running' as quickly as possible, you can follow the general instructions on this web page, which are intended as a quick 'how to' guide for Samba 3 as a Domain Controller. All of the necessary files for setting up a Samba-based domain controller for FreeBSD are included 'in line' and may be 'clipped out' and used as you see fit. For other operating systems, such as Linux, you may need to edit them slightly to get them to work. In particular, the shell scripts make use of the 'pw' application to add and modify users and groups, which is specific to FreeBSD.
Additional information can be found in the Samba documentation, which is installed in the local documentation tree on your computer, specifically the file 'samba/howto/FastStart.html' under the heading of 'Domain Controller'.

Additional on-line documentation may also be found HERE.

The following is a 'short list' of the things that need to be accomplished using the sample files, plus some additional information. The first step, of course, is to install the latest version of Samba 3 on your computer. Following that, you should do each of these steps in the order specified.

1. modify and add the contents of the sample 'group' file to the /etc/group file on your system. You will need to check for 'overlap' to make sure that no duplicate groups (or duplicate group ID's) already exist in the file.
   
2. Add the user 'administrator' using the appropriate utility (such as 'adduser'), and using the 'samba' group as the primary group. Then, add it to the wheel group.
3. Copy the 'smb-' scripts into the /usr/local/sbin/ directory, and mark them 'executable'. This can be done using 'chmod 555' on each of them.
4. Copy the 'samba_dns_update' script to /usr/local/sbin/, and mark it 'executable'.
5. modify 'smb.conf', specifically those entries that contain the following:
   
   1. the IP address '192.168.1.1'
   2. The domain name 'WORKGROUP.local'
   3. The machine name 'FreeBSDServer'
   Then, copy the 'smb.conf' file into the appropriate location. On FreeBSD, this would be /usr/local/etc/smb.conf .
6. Create a directory /usr/local/lib/samba/profiles/, make it world-writable
7. Create a directory /usr/local/lib/samba/drivers/, make it world-readable
8. Create a directory /usr/local/lib/samba/netlogon/, make it world-writable
9. Start Samba (or re-start the system). Once Samba is up and running, perform the following:
   
   1. Run the script 'mapgroup.sh'.
   2. smbpasswd -a root (and enter root password)
   3. smbpasswd -a administrator (and enter administrator password)
10. If necessary, perform the following manually
    1. add a machine to the domain by first creating a user 'machinename$' (where 'machinename' is the NETBIOS name of the machine) as a member of the group 'machines'. The 'smb-add-machine' script should perform this action.
    2. use smbpasswd -m machinename$ to make it 'official'.

At this point, so long as DHCP, DNS, and CUPS are correctly configured, your Samba installation should allow your UNIX® or Linux server to operate as a Primary Domain Controller (PDC) and DHCP server for your network.

The Files

The contents of the various files are shown here. You can 'clip' the text out of the html text and paste it into the appropriately named file, modifying the text as needed for your operating system, machine name, domain name, and network settings.

smb.conf

#======================= Global Settings =====================================
[global]
# modify these for your domain name   
   workgroup = WORKGROUP.local
   realm = WORKGROUP.local
# modify these for your server name   
   netbios name = FreeBSDServer
   server string = FreeBSDServer Domain Controller for WORKGROUP.local

# modify these next entries for your IP address and netmask.  The settings
# below reflects 192.168.1/24 and 127/8, with IP addres 192.168.1.1 and 127.0.0.1
   hosts allow = 192.168.1. 127.
   socket address = 192.168.1.1 127.0.0.1

# setting up as a domain controller.  'man smb.conf' for explanation
   security = user
   local master = yes
   domain master = yes 
   preferred master = yes
   domain logons = yes
   wins support = yes
   dns proxy = yes 
   os level = 33
   msdfs root = yes
   host msdfs = yes
   obey pam restrictions = yes
   time server = yes
   # force LM announcements every 2 minutes
   lm announce = yes
   lm interval = 120

   # global file masks
   directory mask = 0777
   force directory mode = 0555
   create mask = 0666
   force create mode = 0444

   # name resolution
   name resolve order = wins bcast


# printers - configured to use CUPS and automatically load them

   load printers = yes
   printcap name = cups
   printing = cups


# Backend to store user information in. New installations should 
# use either tdbsam or ldapsam. smbpasswd is available for backwards 
# compatibility. tdbsam requires no further configuration.
# if you want to have a backup domain controller, or participate
# as part of a larger domain, you will need to use 'ldapsam' and
# do some additional configuration.
;   passdb backend = ldapsam
    passdb backend = tdbsam

# Uncomment this if you want a guest account, you must add this to /etc/passwd
# otherwise the user "nobody" is used
;   guest account = pcguest

# Using the following line enables you to customise your configuration
# on a per machine basis. The %m gets replaced with the netbios name
# of the machine that is connecting.
# Note: Consider carefully the location in the configuration file of
#       this line.  The included file is read at that point.
;   include = /usr/local/etc/smb.conf.%m


# scripts invoked by Samba

# These scripts are used on a domain controller or stand-alone 
# machine to add or delete corresponding unix accounts;
# NOTE:  the original entries are commented out.  They may be valid on
#        some operating systems.  The ones not commented out invoke the
#        script files that are copied to '/usr/local/sbin'.  You should
#        update this section based upon the requirements of your OS.
#
;   add user script = /usr/sbin/useradd %u
;   add group script = /usr/sbin/groupadd %g
;   add machine script = /usr/sbin/adduser -n -g machines -c Machine -d /dev/null -s /bin/false %u
;   delete user script = /usr/sbin/userdel %u
;   delete user from group script = /usr/sbin/deluser %u %g
;   delete group script = /usr/sbin/groupdel %g
    add user script = /usr/local/sbin/smb-add-user %u
    add group script = /usr/local/sbin/smb-add-group %g
    add machine script = /usr/local/sbin/smb-add-machine %u
    add user to group script = /usr/local/sbin/smb-add-user-group %u %g
    delete user script = /usr/local/sbin/smb-rm-user %u
    delete user from group script = /usr/local/sbin/smb-rm-user-group %u %g
    delete group script = /usr/local/sbin/smb-rm-group %g

# 'wins hook' script - call to 'nsupdate' to update DNS automatically
    wins hook = /usr/local/sbin/samba_dns_update


# log files

# this tells Samba to use a separate log file for each machine
# that connects
    log file = /var/log/samba/log.%m

# Put a capping on the size of the log files (in Kb).
    max log size = 50


# login scripts

# if you enable domain logons then you may want a per-machine or
# per user logon script
# run a specific logon batch file per workstation (machine)
;   logon script = %m.bat
# run a specific logon batch file per username
;   logon script = %U.bat


# user profiles (default is sufficient, see 'profiles' share)

# Where to store roving profiles (only for Win95 and WinNT)
#        %L substitutes for this servers netbios name, %U is username
#        You must uncomment the [Profiles] share below
    logon path = \\%L\Profiles\%U


# socket options
   
# Most people will find that this option gives better performance.
# See the chapter 'Samba performance issues' in the Samba HOWTO Collection
# and the manual pages for details.
# You may want to add the following on a Linux system:
#         SO_RCVBUF=8192 SO_SNDBUF=8192
    socket options = TCP_NODELAY



#============================ Share Definitions ==============================

# netlogon directory, necessary for Domain Logons
[netlogon]
   comment = Network Logon Service
   path = /usr/local/lib/samba/netlogon
   guest ok = yes
   writable = no
   share modes = no

# 'Roving Profile' share (in lieu of the user's home directory)
[Profiles]
    path = /usr/local/lib/samba/profiles
    browseable = no
    guest ok = yes
    writable = yes

# 'printers' share (no need to individually declare them if the printers
# are being automatically loaded and CUPS is properly configured)
[printers]
   comment = All Printers
   path = /var/spool/samba
   browseable = no
# Set public = yes to allow user 'guest account' to print
   guest ok = yes
   writable = no
   printable = yes
   printer admin = @wheel

# path to printer drivers (see CUPS documentation)
[print$]
   comment = Printer Drivers
   path = /usr/local/lib/samba/drivers
   browseable = yes
   guest ok = yes
   writable = no
   printable = no

group

You will need to add the following text to the end of the '/etc/group' file. Make sure that there are no overlaps with names or ID's for any existing groups. You can edit the group ID's as needed.
(You should also change 'WORKGROUP' to the name of your domain, or else remove it if you do not want a group that represents the domain)

# these group entries need to be added to the '/etc/group' file
#
# samba requires a 'machines' group equal to 100
machines:*:100:
# locally defined groups.  the first is the domain group 'WORKGROUP'
# you should change this depending upon the domain
WORKGROUP:*:1001:
# group added for 'dhcpd'
dhcpd:*:1002:
# group added for 'samba' (default for all new Samba users)
samba:*:1003:administrator,root
# additional 'operator' groups for Samba - print, account, backup
print:*:1004:
account:*:1005:
backup:*:1006:

mapgroup.sh

The following script will associate the various 'Samba' groups (compatible with Windows) with UNIX groups defind in the '/etc/group' file. Some of the examples were left 'as-is' and commented out, using examples obtained from the Samba documentation. Additional information as comments has been placed at the end of the script in order to document the correct 'RID' values, should you need to re-create the groups yourself.
(You should make sure that each of the groups referenced in the script actually exist, and add them to the '/etc/group' file if they do not).

#!/bin/sh
#### Keep this as a shell script for future re-use
			
# assign well known groups for the domain
# net groupmap add ntgroup="Domain Admins" unixgroup=wheel  type=d rid=512
# net groupmap add ntgroup="Domain Users"  unixgroup=samba  type=d rid=513
# net groupmap add ntgroup="Domain Guests" unixgroup=nobody type=d rid=514

net groupmap modify ntgroup="Domain Admins" unixgroup=wheel
net groupmap modify ntgroup="Domain Users"  unixgroup=samba
net groupmap modify ntgroup="Domain Guests" unixgroup=nobody

# now, do the local groups.  Change 'WORKGROUP' to the group that is
# associated with the domain name.
net groupmap modify ntgroup="Administrators"    unixgroup=wheel
net groupmap modify ntgroup="Users"             unixgroup=samba
net groupmap modify ntgroup="Guests"            unixgroup=guest
net groupmap modify ntgroup="Power Users"       unixgroup=WORKGROUP
net groupmap modify ntgroup="Account Operators" unixgroup=account
net groupmap modify ntgroup="System Operators"  unixgroup=operator
net groupmap modify ntgroup="Print Operators"   unixgroup=print
net groupmap modify ntgroup="Backup Operators"  unixgroup=backup
net groupmap modify ntgroup="Replicators"       unixgroup=staff

# list of domain groups and RID's
# Domain Admins      200H
# Domain Users       201H
# Domain Guests      202H

# list of local groups
# Administrators      26
# Users               27
# Guests              28
# Power Users         29
# Account Operators   30
# System Operators    31
# Print Operators     32
# Backup Operators    33
# Replicators         34

samba_dns_update

This script is called by Samba to automatically update DNS. You should modify it as necessary for your system, and change the 'WORKGROUP.local' and IP address information accordingly.

#!/bin/sh
#
# Example script for "wins hook".  This attempts to update the DNS with
# new A records for the NETBIOS name that Samba passes us. We do this
# the simple way, by deleting all DNS records for the name and then
# readding all the expected 'A' records.
#
# Written by Stephen Rothwell 
#

#
# Configurable things
#
# The domain in which to create names
#   YOU MUST CHANGE THIS
# N.B. include the trailing dot
#
# It is a good idea to use a subdomain of your primary domain to ensure
# that rogue machines can't take over (or delete) important names on
# your network.
DOMAIN=WORKGROUP.local.

#
# The DNS TTL to give the records (in seconds)
#
TTL=3600
#
# NETBIOS name types that we want to create DNS records for:
#	20 is server
#	00 is workstation
#	03 is user
#
USEFUL_TYPES="20 00 03"
#
# The name of a cache file to use to avoid continual updates
# of the same name and IP addresses.  If you comment this out
# then the cache is not kept at all.
#
#CACHE_FILE=/usr/local/samba/var/wins_update.cache

if [ $# -lt 4 ]; then
	echo "Usage: $0 op name type ttl [ip_addr ...]" 1>&2
	echo "       op is one of add, refresh, delete" 1>&2
	echo "       name is the NETBIOS name" 1>&2
	echo "       type is the NETBIOS name type" 1>&2
	echo "       ttl is the NETBIOS time to live" 1>&2
	echo "       ip_addr's are the remaining IP addresses for this name" 1>&2
	exit 1
fi

NSUPDATE=`which nsupdate`
[ -x "$NSUPDATE" ] || NSUPDATE=/usr/bin/nsupdate
[ -x "$NSUPDATE" ] || NSUPDATE=/sbin/nsupdate
[ -x "$NSUPDATE" ] || NSUPDATE=/usr/sbin/nsupdate
[ -x "$NSUPDATE" ] || {
	echo "Cannot find nsupdate." 1>&2
	exit 1
}

OP=$1
NAME=$2
TYPE=$3
WINS_TTL=$4
shift 4
IP_ADDRS="$@"

do_update=0
for i in $USEFUL_TYPES
do
	[ "$TYPE" = "$i" ] && do_update=1
done
[ $do_update = 1 ] || exit 0

if [ -n "$CACHE_FILE" ]; then
	if [ -r "$CACHE_FILE" ]; then
		fgrep -q -x -i "$NAME $IP_ADDRS" "$CACHE_FILE" &&
			exit 0
		grep -v -i "^$NAME " "$CACHE_FILE" >"$CACHE_FILE".$$
	fi
	echo "$NAME $IP_ADDRS" >>"$CACHE_FILE".$$
	mv "$CACHE_FILE" "$CACHE_FILE".old 2>/dev/null
	mv "$CACHE_FILE".$$ "$CACHE_FILE"
fi

{
	echo update delete $NAME.$DOMAIN
	for i in $IP_ADDRS
	do
		echo update add $NAME.$DOMAIN $TTL A $i
	done
	echo
} 2>/dev/null | $NSUPDATE >/dev/null 2>&1 &

exit 0

smb-add-group

Script called by Samba to add a group. Modify this for your system, as needed.

#!/bin/sh
# called by samba to add a group

echo `date` "/bin/sh" $- $0 "$@" >>/var/log/smb.user.group.log

x=`pw groupnext`
if $( test ! -n "$x" )
then
  echo "unable to get next group ID";
else 
  if $( test -n "$1" )
  then
    pw groupadd -n $1 -g $x ;
  fi
fi

smb-add-machine

Script called by Samba to add a machine, by adding a user to the 'machines' group. Modify this for your system, as needed. If this script does not function correctly, you will not be able to join a domain without manually adding the machine as a user, both to the UNIX password database and the Samba password database.

#!/bin/sh
# called by samba to add a machine as a special user

echo `date` "/bin/sh" $- $0 "$@" >>/var/log/smb.user.group.log

x=`pw usernext`
if $( test ! -n "$x" )
then
  echo "unable to get next user ID";
else 
  if $( test -n "$1" )
  then
    pw useradd -q -n $1 -u $x -d /dev/null -s /sbin/nologin -g machines ;
  fi
fi

smb-add-user

Script called by Samba to add a user. Modify this for your system, as needed.

#!/bin/sh
# called by samba to add a user

echo `date` "/bin/sh" $- $0 "$@" >>/var/log/smb.user.group.log

x=`pw usernext`
if $( test ! -n "$x" )
then
  echo "unable to get next user ID";
else 
  if $( test -n "$1" )
  then
    pw useradd -q -n $1 -u $x -d /dev/null -s /sbin/nologin -g samba ;
  fi
fi

smb-add-user-group

Script called by Samba to add a user to a group. Modify this for your system, as needed.

#!/bin/sh -f
# the '-f' parameter prevents file name expansion

echo `date` "/bin/sh" $- $0 "$@" >>/var/log/smb.user.group.log

if ( test -n "$1" )
then
  if ( test -z "$2" )
  then
    echo "missing group name";  
  else
    x=`pw groupshow -n $2 | sed s/:/,/g ` ;
    y=1
    u="$1"
    g="$2"
    m=
    IFS=,
    c=""

    for i in $x ; do
      if ( test $y -gt 3 ) 
      then
        if ( test "$u" = "$i" )
        then
          exit 1;
        fi
      fi
      y=$(expr $y + 1)
    done

    unset IFS

    pw groupmod -n $g -m $u ;

  fi
fi

smb-rm-group

Script called by Samba to remove a group. Modify this for your system, as needed.

#!/bin/sh
# called by samba to delete a user

echo `date` "/bin/sh" $- $0 "$@" >>/var/log/smb.user.group.log

if $( test -n "$1" )
then
  pw groupdel -n $1;
fi

smb-rm-user

Script called by Samba to remove a user. Modify this for your system, as needed.

#!/bin/sh
# called by samba to delete a user

echo `date` "/bin/sh" $- $0 "$@" >>/var/log/smb.user.group.log

if $( test -n "$1" )
then
  pw userdel -n $1;
fi

smb-rm-user-group

Script called by Samba to remove a user from a group. Modify this for your system, as needed.
(I am rather proud of this script, actually, being one of the more creative things I've done recently)

#!/bin/sh -f
# the '-f' parameter prevents file name expansion

echo `date` "/bin/sh" $- $0 "$@" >>/var/log/smb.user.group.log

if ( test -n "$1" )
then
  if ( test -z "$2" )
  then
    echo "missing group name";  
  else
    x=`pw groupshow -n $2 | sed s/:/,/g ` ;
    y=1
    u="$1"
    g="$2"
    m=""
    IFS=,
    c=""

    for i in $x ; do
      if ( test $y -gt 3 ) 
      then
        if ( test "$u" = "$i" )
        then
          c="pw groupmod -n $g -M";
        elif ( test -z "$m")
        then
          m="$i";
        else
          m="$m,$i";
        fi
      fi
      y=$(expr $y + 1)
    done

    unset IFS
    if ( test -n "$c" )
    then
      eval $c $m ;
    fi
  fi
fi

Additional Configuration

Of course, you will need to add shares to your 'smb.conf' file, but this should be relatively straightforward. For more information you can use 'man smb.conf' or look at the sample 'smb.conf' file that was installed when you installed Samba. The shares that were put into the 'smb.conf' sample, above, are the minimum required to get the system running properly. Still, they can serve as examples for setting up your own shares. A few were commented out that demonstrate typical read/write shares. If you want to set up access lists, make the shares unlistable or read-only, you should check the documentation on Samba and smb.conf for information on how to do that. The point of the files here is to "get you started" and not be a general guide for administering your system.

Backing Up your Configuration

It is VERY VERY IMPORTANT that you back up your system configuration as often as you can. Samba, like any software, is not perfect, and files can occasionally become corrupted for a number of reasons, including power outages. Because this is a domain controller, you should back your initial configuration at the very least, and each time you add a workstation or a user to the system. This way, if the database becomes corrupt or loses data, you can restore everything without having to 'rejoin the domain' on every workstation. The configuration nightmare of THAT scenario is not something I'd wish upon anyone. And this goes double if you are using the 'TDB' system rather than LDAP (or if you are using LDAP without a backup domain controller to restore from).

If you are using the TDB method (the default) to store the configuration data, you should make sure you shut down 'smbd' and 'nmbd' before you back up the data. To do this, you can use the following commands:
    smbcontrol nmbd shutdown
    smbcontrol smbd shutdown
This will shut down all running instances of nmbd and smbd. Next, you need to know where all of the files are stored. If you enter 'man tdbbackup' you will get a hint of where they MIGHT be, but this is sometimes less than helpful. However, on a FreeBSD system, the files you are interested in are located in the following directories:
    /var/db/samba
    /usr/local/private
Again, on your system it may differ slightly (see 'man tdbbackup'). Once you have located the files, backing them up is as changing to the appropriate directory, and entering the following command:
    tdbbackup *.tdb
This will generate a group of files with '.bak' extensions that are backups of the TDB files in the directory. Using the same application you can also verify AND automatically restore any backed up tdb files.

Since the password information is stored in the 'private' directory ('/usr/local/private' on a FreeBSD system), it is extremely important that you back THIS up. Not making a backup of the password information for a domain controller might mean a weekend or all-night stay at 'the office' re-configuring everybody's workstation for the 'new' domain because when you re-initialize a domain controller, all of the security ID's change, and windows machines will recognize that as a DIFFERENT domain, and all of the user settings for the OLD logon will be lost, and though you can recover them with a little creativity, it's not the easiest process in the world, and requires knowledge of the registry, re-assignment of security settings. and some creativity in 'hacking' certain registry entries. But someday I might write an application to do just this. It IS something that can be rather painful to deal with if your domain controller ever goes down, and you have to create a new one. And I've seen this happen before.
NOTE:  The procedure to recover user settings after a domain crash on a Windows 2000 or XP workstation can be found HERE.

Additional SAMBA-related Links