Samba PDC
-=-=-=-=-

For a flat-file Samba PDC (accounts kept in the smbpasswd file), use the
following smb.conf extract:

    [global]
    encrypt passwords = yes
    local master = yes
    os level = 64
    domain master = yes
    preferred master = yes
    domain logons = yes
    logon path = \\%N\profiles\%u
    logon drive = H:
    logon home = \\morris\%u
    logon script = logon.cmd
    add user script = /usr/sbin/useradd -d /dev/null -g 100 -s /bin/false -M %u
    domain admin group = root @sysadmin

    [netlogon]
    comment = Network Logon Service
    path = /home/samba/netlogon
    guest ok = yes
    writable = no
    share modes = no

    ; share for storing user profiles
    [profiles]
    path = /home/samba/profiles
    read only = no
    create mask = 0600
    directory mask = 0700

The profiles share must be writable by users. The netlogon share must not be:
logon.cmd in the netlogon share is a DOS batch file that every workstation
runs at logon, so anyone who can write to that share can run commands on every
domain member. The 0600/0700 masks on the profiles share stop one user from
reading another user's profile.

The accounts named in "domain admin group" (here root and the members of the
Unix group sysadmin) are the ones allowed to join workstations to the domain;
they need a Samba password like everyone else. This parameter is a Samba 2.2
setting and was dropped in Samba 3.0 in favour of group mapping.

Create the smbpasswd file from /etc/passwd with:

    # cat /etc/passwd | /usr/sbin/mksmbpasswd > /etc/samba/smbpasswd

The generated entries carry placeholder hashes, so no one can log on until
each user has been given a password with "smbpasswd username". The file holds
LM and NT hashes, which are password equivalents on SMB: keep it owned by root
with mode 0600.

LDAP Extensions
-=-=-=-=-=-=-=-

See http://samba.idealx.org/samba-ldap-howto.pdf for more details.

Compile samba with the --with-ldapsam config option.
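Before the smb.conf is put into service it is worth checking the handful of settings above that matter for a PDC: the netlogon share really is read-only, the profiles share is writable but masked, and the domain-logon switches are on. The following checker is an added example and not part of the original notes or of Samba; it parses the INI-style smb.conf syntax itself (it does not call testparm) and also flags "ldap ssl = no" when the ldap server is not on the loopback interface, which matters for the LDAP additions that follow. GOOD_CONF is the flat-file extract from the notes trimmed to the lines the checker reads; WEAK_CONF is constructed for the example (ldap.example.com is a made-up host) and breaks several checks.

```python
"""Lint an smb.conf for the settings a Samba PDC needs (added example)."""
import re

_WRITABLE_KEYS = ("writable", "writeable", "write ok")  # Samba synonyms
_TRUE = {"yes", "true", "1"}
_FALSE = {"no", "false", "0"}


def parse_smbconf(text):
    """Return {section: {key: value}}; section and key names are lower-cased."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue
        m = re.match(r"^\[(.+)\]$", line)
        if m:
            current = m.group(1).strip().lower()
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue  # stray text outside a section, or not key = value
        key, value = line.split("=", 1)
        sections[current][" ".join(key.lower().split())] = value.strip()
    return sections


def as_bool(value):
    v = value.strip().lower()
    if v in _TRUE:
        return True
    if v in _FALSE:
        return False
    raise ValueError("not a Samba boolean: %r" % value)


def share_is_writable(share):
    """'read only' and the writable synonyms are one switch; default is read only."""
    for key in _WRITABLE_KEYS:
        if key in share:
            return as_bool(share[key])
    if "read only" in share:
        return not as_bool(share["read only"])
    return False


def lint_pdc(text):
    """Return a list of findings; an empty list means the config passes."""
    conf = parse_smbconf(text)
    g = conf.get("global", {})
    findings = []
    for key in ("encrypt passwords", "domain logons", "domain master", "local master"):
        if key not in g or not as_bool(g[key]):
            findings.append("global: %s should be yes" % key)
    if g.get("security", "user").lower() == "share":
        findings.append("global: security = share cannot serve domain logons")
    # The admin dn binds with a clear-text password: plain LDAP is loopback-only.
    server = g.get("ldap server", "127.0.0.1").lower()
    if server not in ("127.0.0.1", "localhost") and g.get("ldap ssl", "no").lower() in ("no", "off"):
        findings.append("global: ldap ssl = no with ldap server %s sends the admin dn password in clear" % server)
    netlogon = conf.get("netlogon")
    if netlogon is None:
        findings.append("missing [netlogon] share: logon scripts are served from it")
    elif share_is_writable(netlogon):
        findings.append("netlogon: writable, so any user can edit the logon script every client runs")
    profiles = conf.get("profiles")
    if profiles is None:
        findings.append("missing [profiles] share: logon path points at it")
    else:
        if not share_is_writable(profiles):
            findings.append("profiles: must be writable so roaming profiles can be saved")
        # Defaults are Samba's own: create mask 0744, directory mask 0755.
        for key, default, allowed in (("create mask", "0744", 0o600), ("directory mask", "0755", 0o700)):
            mask = int(profiles.get(key, default), 8)
            if mask & ~allowed:
                findings.append("profiles: %s %04o exposes one user's profile to others" % (key, mask))
    return findings


# Extract from the notes, trimmed to the lines the checker reads.
GOOD_CONF = r"""
[global]
encrypt passwords = yes
local master = yes
domain master = yes
domain logons = yes
logon path = \\%N\profiles\%u
logon script = logon.cmd

[netlogon]
path = /home/samba/netlogon
guest ok = yes
writable = no

; share for storing user profiles
[profiles]
path = /home/samba/profiles
read only = no
create mask = 0600
directory mask = 0700
"""

# Constructed for the example: domain logons missing, plain LDAP to a remote
# (made-up) host, writable netlogon, profile files and directories group-readable.
WEAK_CONF = r"""
[global]
encrypt passwords = yes
local master = yes
domain master = yes
ldap server = ldap.example.com
ldap ssl = no

[netlogon]
path = /home/samba/netlogon
writable = yes

[profiles]
path = /home/samba/profiles
read only = no
create mask = 0644
"""
```

Run it against a real smb.conf with `lint_pdc(open("/etc/samba/smb.conf").read())`; the mask check deliberately treats a missing "directory mask" as Samba's 0755 default, which is a finding on a profiles share even though nothing in the file looks wrong.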
smb.conf additions (to the above):

    domain admin group = root administrator @"Domain Admins"
    ldap suffix = dc=pisoftware,dc=com
    ldap admin dn = cn=Manager,dc=pisoftware,dc=com
    ldap port = 389
    ldap server = 127.0.0.1
    ldap ssl = no
    add user script = /usr/local/sbin/smbldap-useradd.pl -w %u

"ldap ssl = no" is only acceptable because the directory is on the loopback
interface: Samba binds as the ldap admin dn with a clear-text password, and
that DN is the directory's rootdn. If the LDAP server lives on another host,
use "ldap ssl = start_tls" (or "on" for ldaps) so the bind and the password
hashes it fetches do not cross the network in the clear. The "-w" in the add
user script makes smbldap-useradd.pl create a machine (trust) account, so
workstations can be joined without creating their accounts by hand.

Copy the samba schema file (included with the samba distribution) into your
schema directory and ensure you have something like the following lines in
your slapd.conf:

    include /etc/ldap/schema/core.schema
    include /etc/ldap/schema/cosine.schema
    include /etc/ldap/schema/nis.schema
    include /etc/ldap/schema/inetorgperson.schema
    include /etc/ldap/schema/samba.schema

Define your backend database something like (ldbm is the backend of the
OpenLDAP release these notes were written for; current releases use bdb/hdb
or mdb with the same suffix/directory/index/rootdn lines):

    database ldbm
    suffix "dc=pisoftware,dc=com"
    directory "/var/lib/ldap"
    # Indexing options
    index objectClass eq
    # Indices to maintain for samba
    ## support pdb_getsampwnam()
    index uid pres,eq
    ## support pdb_getsampwrid()
    index rid eq
    ## uncomment these if you are storing posixAccount and
    ## posixGroup entries in the directory as well
    index uidNumber eq
    index gidNumber eq
    index memberUid eq
    index cn,mail,surname,givenname eq,subinitial
    # Save the time that the entry gets modified
    lastmod on
    rootdn cn=Manager,dc=pisoftware,dc=com
    rootpw <password>

Generate the rootpw value with slappasswd rather than writing the password in
clear, keep slapd.conf readable only by the user slapd runs as, and add an
"access to attrs=lmPassword,ntPassword" directive that grants the admin dn
write and everyone else none: those attributes are the same password
equivalents as the smbpasswd file, and without an ACL any bind that can
search the tree can read them.

Include the following ldif in your OpenLDAP server. Entries are added in file
order, so each ou must come before the entries beneath it, and the value of
each RDN must also appear as an attribute of the entry (slapd rejects the
root entry otherwise, which is why it carries "dc: pisoftware"):

    --- begin ldif ---
    dn: dc=pisoftware,dc=com
    objectClass: domain
    dc: pisoftware
    o: Plugged In Software

    dn: ou=Groups,dc=pisoftware,dc=com
    objectClass: top
    objectClass: organizationalUnit
    ou: Groups
    description: System Groups

    dn: ou=Users,dc=pisoftware,dc=com
    objectClass: top
    objectClass: organizationalUnit
    ou: Users
    description: Users of the Organization

    dn: ou=Computers,dc=pisoftware,dc=com
    objectClass: top
    objectClass: organizationalUnit
    ou: Computers
    description: Windows Domain Computers

    dn: cn=Domain Admins,ou=Groups,dc=pisoftware,dc=com
    objectClass: posixGroup
    gidNumber: 200
    cn: Domain Admins
    memberUid: administrator
    description: Windows Domain Administrators

    dn: cn=Domain Users,ou=Groups,dc=pisoftware,dc=com
    objectClass: posixGroup
    gidNumber: 201
    cn: Domain Users
    description: Windows Domain Users

    dn: cn=Domain Guests,ou=Groups,dc=pisoftware,dc=com
    objectClass: posixGroup
    gidNumber: 202
    cn: Domain Guests
    description: Windows Domain Guests Users

    dn: cn=Administrators,ou=Groups,dc=pisoftware,dc=com
    objectClass: posixGroup
    gidNumber: 220
    cn: Administrators
    description: Members can fully administer the computer/domain
    description: Windows Domain Members can fully administer the computer/domain

    dn: cn=Users,ou=Groups,dc=pisoftware,dc=com
    objectClass: posixGroup
    gidNumber: 221
    cn: Users
    description: Ordinary users
    description: Windows Domain Ordinary users

    dn: cn=Guests,ou=Groups,dc=pisoftware,dc=com
    objectClass: posixGroup
    gidNumber: 222
    cn: Guests
    memberUid: nobody
    description: Users granted guest access to the computer/domain
    description: Windows Domain Users granted guest access to the computer/domain

    dn: cn=Power Users,ou=Groups,dc=pisoftware,dc=com
    objectClass: posixGroup
    gidNumber: 223
    cn: Power Users
    description: Members can share directories and printers
    description: Windows Domain Members can share directories and printers

    dn: cn=Account Operators,ou=Groups,dc=pisoftware,dc=com
    objectClass: posixGroup
    gidNumber: 224
    cn: Account Operators
    description: Windows Domain Users to manipulate users accounts

    dn: cn=Server Operators,ou=Groups,dc=pisoftware,dc=com
    objectClass: posixGroup
    gidNumber: 225
    cn: Server Operators
    description: Windows Domain Server Operators

    dn: cn=Print Operators,ou=Groups,dc=pisoftware,dc=com
    objectClass: posixGroup
    gidNumber: 226
    cn: Print Operators
    description: Windows Domain Print Operators

    dn: cn=Backup Operators,ou=Groups,dc=pisoftware,dc=com
    objectClass: posixGroup
    gidNumber: 227
    cn: Backup Operators
    description: Windows Domain Members can bypass file security to back up files

    dn: cn=Replicator,ou=Groups,dc=pisoftware,dc=com
    objectClass: posixGroup
    gidNumber: 228
    cn: Replicator
    description: Supports file replication in a domain
    description: Windows Domain Supports file replication in a domain
    --- end ldif ---

Run:

    # smbpasswd -w <password>

where <password> is the password of the ldap admin dn given above (the
directory's rootdn). smbpasswd stores it in secrets.tdb so smbd can bind to
the directory; that file must stay readable by root only.

Download and install the smbldap tools from
http://samba.idealx.org/index.en.html

Create a user by the following ("-a" adds the Samba account attributes as well
as the POSIX ones; smbldap-passwd.pl then sets both the Unix and the Samba
passwords):

    $ sudo smbldap-useradd.pl -a username
    $ sudo smbldap-passwd.pl username

Joining Samba PDC
=================

Win95
-=-=-

Go to Control Panel | Network | Configuration.
Click on Client for Microsoft Networks | Properties.
In the General tab, tick the Logon Validation box "Log on to Windows NT
Domain" and put the domain in the Windows NT Domain text box.
Go to Control Panel | Passwords | User Profiles.
Select the setting that says users can customize their own profiles.
Reboot.

WinNT
-=-=-

Go to Control Panel | Network | Identification.
Click on Change, then choose Member of Domain, and enter the domain.
Tick Create a Computer Account in the Domain, then enter a domain admin
username and password (an account listed in "domain admin group").
Reboot.

Win2k
-=-=-

Right click on My Computer | Properties.
Go to Network Identification | Properties.
Click on Member of Domain, and input the domain you want to join.
Enter a username / password combination for a domain administrator.
Reboot.

Win2003
-=-=-=-

Same as Win2k. Needs the following registry patch before joining:

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters]
    "requiresignorseal"=dword:00000000
    "signsecurechannel"=dword:00000000

These two values turn off signing and sealing of the NetLogon secure channel
between the workstation and the PDC. Windows 2003 requires it by default and
Samba 2.2 does not implement it, so without the patch the join fails. The
cost is that the machine-account channel can be tampered with on the network,
so apply this only where the PDC cannot do schannel: Samba 3 supports it
("server schannel = yes"), and with a Samba 3 PDC the patch should be left
out.

To log in as someone in the domain, choose the required domain in the
pulldown. To log in as the local Administrator, choose the local machine's
hostname as the domain.
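The ldif in the LDAP Extensions section is loaded in one pass, and the two mistakes that most often stop it are an RDN whose value is not present in the entry (the root entry with a dc that does not match "dc=pisoftware") and a child entry placed before its parent ou. The following checker is an added example, not part of the original notes, of the smbldap tools or of OpenLDAP: a minimal LDIF parser plus checks for those two faults and for duplicate gidNumbers among posixGroup entries. SAMPLE_LDIF is constructed for the example and deliberately contains all three problems; the suffix "dc=pisoftware,dc=com" is the one from the notes.

```python
"""Sanity-check LDIF before loading it into the Samba/OpenLDAP directory (added example)."""
import base64
import re

_ATTR_LINE = re.compile(r"^([A-Za-z][\w.;-]*)(::?) ?(.*)$")


def parse_ldif(text):
    """Return [(dn, {attr_lower: [values]})] in file order.

    Handles '#' comment lines, folded continuation lines (leading space) and
    base64 values ('attr:: ...'); change records are not needed for this tree.
    """
    unfolded = []
    for raw in text.splitlines():
        if raw.startswith(" ") and unfolded:
            unfolded[-1] += raw[1:]  # continuation of the previous line
        else:
            unfolded.append(raw)
    entries, current = [], None
    for line in unfolded + [""]:  # the trailing "" flushes the last entry
        if line.startswith("#"):
            continue
        if not line.strip():
            if current is not None:
                entries.append(current)
                current = None
            continue
        m = _ATTR_LINE.match(line)
        if not m:
            raise ValueError("malformed LDIF line: %r" % line)
        attr, sep, value = m.group(1).lower(), m.group(2), m.group(3)
        if sep == "::":
            value = base64.b64decode(value).decode("utf-8")
        if attr == "dn":
            current = (value, {})
        elif current is None:
            raise ValueError("attribute outside an entry: %r" % line)
        else:
            current[1].setdefault(attr, []).append(value)
    return entries


def _norm(dn):
    """Normalise a DN for comparison: no whitespace around commas, lower-case."""
    return ",".join(p.strip() for p in dn.split(",")).lower()


def check_ldif(text, suffix):
    """Return findings for entries slapd would reject or that cause trouble later."""
    findings, seen, gids = [], set(), {}
    for dn, attrs in parse_ldif(text):
        rdn, _, parent = _norm(dn).partition(",")
        attr, _, value = rdn.partition("=")
        # slapd refuses an entry whose naming attribute value is not in the entry.
        if value not in [v.lower() for v in attrs.get(attr, [])]:
            findings.append("%s: RDN value %r missing from attribute %s" % (dn, value, attr))
        # ldapadd processes the file in order, so the parent must come first.
        if _norm(dn) != _norm(suffix) and parent not in seen:
            findings.append("%s: parent %s not defined earlier in the file" % (dn, parent))
        seen.add(_norm(dn))
        if "posixgroup" in [c.lower() for c in attrs.get("objectclass", [])]:
            for required in ("cn", "gidnumber"):
                if required not in attrs:
                    findings.append("%s: posixGroup without %s" % (dn, required))
            for gid in attrs.get("gidnumber", []):
                if gid in gids:
                    findings.append("%s: gidNumber %s already used by %s" % (dn, gid, gids[gid]))
                gids.setdefault(gid, dn)
    return findings


# Constructed sample: root dc does not match the RDN, Domain Users reuses
# gidNumber 200, and the user entry precedes its ou=Users parent.
SAMPLE_LDIF = """\
dn: dc=pisoftware,dc=com
objectClass: domain
dc: Plugged In Software

dn: ou=Groups,dc=pisoftware,dc=com
objectClass: top
objectClass: organizationalUnit
ou: Groups

dn: cn=Domain Admins,ou=Groups,dc=pisoftware,dc=com
objectClass: posixGroup
gidNumber: 200
cn: Domain Admins
memberUid: administrator

dn: cn=Domain Users,ou=Groups,dc=pisoftware,dc=com
objectClass: posixGroup
gidNumber: 200
cn: Domain Users

dn: uid=administrator,ou=Users,dc=pisoftware,dc=com
objectClass: posixAccount
uid: administrator
cn: Administrator
uidNumber: 1000
gidNumber: 200
homeDirectory: /home/administrator
"""
```

Run `check_ldif(open("pisoftware.ldif").read(), "dc=pisoftware,dc=com")` on the real file before ldapadd; the parent check assumes a single ordered file, so if you load the ou entries from a separate file first, pass them in the same string ahead of the groups.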