Using Samba3.0 to easily handle PDC domain servers

Article Title: Use Samba3.0 to easily handle PDC domain servers. Linux is a technology channel of the IT lab in China. Includes basic categories such as desktop applications, Linux system management, kernel research, embedded systems, and open source.
1. Install samba. If you are a fedora, you can directly install the samba rpm package from the CD.
　　
Rpm-ivh samba-3.0.0-15.i386.rpm
　　
You can also download the latest software package directly to samba's official website (http://www.samba.org ).
　　
Or download the latest tar package, http://us1.samba.org/samba/ftp/samba-3.0.0.tar.gz
　　
Then it is best to compile it according to the following method.
　　
Tar zvxf samba-3.0.0.tar.gz
　　
Cd samba-3.0.0
　　
. /Configure -- prefix =/usr -- bindir =/usr/bin -- sbindir =/usr/sbin -- libexecdir =/usr/libexec -- datadir =/usr/share/samba -- sysconfdir = /etc/samba -- localstatedir =/usr/local/samba/var -- libdir =/usr/lib -- with-lockdir =/var/locks/samba -- with-swatdir =/usr /share/samba/swat -- with-codepagedir =/etc/samba/codepages -- with-configdir =/etc/samba -- with-smbwrapper -- with-automount -- with-smbmount -- -pam -- with-pam_smbpass -- with-winbind
　　
Make
　　
Make intall
　　
OK! After the installation, the following is our focus. Modify/etc/samba/smb. conf. You 'd better modify it based on the original one.
　　
[Global]
　　
Workgroup = bmit
Netbios name = proxy
Server string = Samba PDC running % v
Socket options = TCP_NODELAY IPTOS_LOWDELAY SO_SNDBUF = 8192 SO_RCVBUF = 8192
　　
# Here, workgroup = bmit indicates the bmit domain. Of course, if bmit.com is used, it is more standard, but it is better to directly bmit for the convenience of client input, netbios name = proxy indicates the netbios name of the server, and the socket options Option sets to control the TCP/IP performance. The displayed settings can work well with the Linux-based system.
　　
OS level = 64
Preferred master = yes
Local master = yes
Domain master = yes
　　
# The domain master option is a "Switch", and Samba will become the master domain controller. (Local master browser) is a server that maintains the LAN machine list. It is called the local host browser.
　　
Security = user
Encrypt passwords = yes
Domain logons = yes
Log file =/var/log/samba/log. % m
Log level = 2
Max log size = 50
Hosts allow = 127.0.0.1 192.168.1.0/255.255.255.0
　　
# Here we still use the user authentication method. Do not stick to the so-called domain. As for hosts allow, you can write those network segments as needed to access your server, or simply leave them empty.
　　
Logon home =\\ % L \ % U \. profile
Logon drive = H:
Logon path =\\ % L \ profiles \ % U
Logon script = netlogon. bat
　　
# The above is the roaming settings and logon script. logon path =\\ % L \ profiles \ % U will share the [profiles] to the corresponding link below.
　　
[Homes]
Comment = Home Directories
Browseable = no
Writeable = yes
　　
[Profiles]
Path =/home/samba/profiles
Writeable = yes
Browseable = no
Create mask = 0600
Directory mask = 0700
　　
[Netlogon]
Comment = Network Logon Service
Path =/home/netlogon
Read only = yes
Browseable = no
Write list = root
　　
The above is about the shared wrist, where profile is used to store the setting file of each login user, so that the user can log on later to read the previous desktop settings from the server, netlogon is used to store the login script, therefore, you must restrict the write permission. Assume that only the root user can have the permission.
　　
As for other sharing, you can refer to the "Samba3.0 server practice debugging" (http://www.5ilinux.com/samba.html) This article sharing settings, I will not repeat it
　　
Then, add the user and machine account to the domain controller.
　　
Create the following groups and create two necessary directories, and set the correct ownership.
　　
Groupadd admin
　　
Groupadd machines
　　
Mkdir-m 0775/home/netlogon
　　
Chown root. admins/home/netlogon
　　
Mkdir/home/samba/profiles
　　
Chown 1757/home/samba/profiles.
　　
Setting the correct permissions and ownership for the above directories is a key step to protect the server :)
　　
Manually add a machine account
　　
For example, if the machine name of my client is ibm240, we can do this.
　　
Useradd-g machines-d/dev/null-c "machine id"-s/bin/false ibm240 $
　　
Passwd-l ibm240 $
　　
Enter the password twice;
　　
Do not forget to mark the dollar sign; this is required and it marks this item as a trusted account
　　
After creating a linux Account, we can now add this machine to/etc/samba/smbpasswd
　　
Smbpasswd-a-m ibm240
　　
Of course, you can also ask the system to automatically add a machine account. Use the following method, but you 'd better try to manually add it first, and then test the system to automatically add
　　
Add automatically as long as you add in [global]
　　
Add user script =/usr/sbin/useradd-d/dev/null-g machines-s/bin/false-M % u
　　
Add User Account
　　
First, add the root account to the smb account.
　　
Smbpasswd-c root
　　
This step is very important, because the subsequent access to the domain requires the permission to access the domain with the administrator account. Otherwise, it seems that the access to the domain is not successful for common users.
　　
Then add a common user
　　
Useradd frank
　　
Passwd frank
　　
Smbpasswd-a frank
　　
To facilitate future management, we recommend that you use the same smb User Password as the unix system password, so that we can also use the password synchronization function of samba.
　　
# The option statement below will allow users to change their Samba password from a Windows client, so that their UNIX password will be updated immediately to match the new Samba item. However, if you change the UNIX password, the same technology cannot work in reverse order. You must manually change the Samba password. It is also in [global]. Beginners can not do this job first.
　　
Unix password sync = yes
Passwd program =/usr/bin/passwd % u
Passwd chat = * New * UNIX * password * % n \ n * Retype * new * UNIX * password * % n \ n * Enter * new * UNIX * password * % n \ n * Retype * new * UNIX * password * % n \ n * passwd: * all * authentication * tokens * updated * successfully *
　　
# The only thing worth mentioning in the above statement is the passwd chat option. Whatever it is displayed here, you must enter it as a line. Note that some options use "password", while others use "passwd ".
　　
The configuration of Samba PDC is completed in this way. The only thing to do is to add the client to the domain. Restart the samba service!
　　
Client settings. Due to restrictions, I only tried to add Windows clients to the domain. As for winxp and win98, I joined everyone to perform the test.
　　
(It is recommended that you restart the win200 machine to avoid unnecessary problems.) then go to the control panel> network ID. if the machine is currently configured under the workgroup option, select the single-choice domain button and enter the domain name bmit.
　　
Now, log on to the domain using the username root and the corresponding password. You must initialize the "secret" between the server and the client machine ". From this point on, any authenticated user can log on from this machine.
There should be a message that welcomes you to the XX domain.
　　
Congratulations, you have successfully configured samba to PDC.
　　
It is said that the domain created by xp to be added to samba is a little complicated. I have never tried it. If you are interested, you 'd better go to samba's hometown to check the document. It seems that you want to set security options and modify the registry, it's troublesome. Fortunately, I don't have xp :)