Gentoo Wiki


This article covers adding a Gentoo system to a Windows NT-style domain as a member server. After following it you should be able to browse shares and set domain user privileges on them as if the Gentoo system were a Windows machine. Thanks for looking; I hope it helps someone.

Installing Components

Here's what you'll need first: kernel support for ACLs on the file systems you are going to share.

You're going to need to enable two USE flags for this to work. First we'll ask emerge what it would build as things stand. In a terminal type:

Code: Flipping the Switches
root # emerge -pv samba

These are the packages that I would merge, in order:

Calculating dependencies ...done!
[ebuild  N    ] net-fs/samba-3.0.10  -acl +cups -debug -doc -kerberos -ldap -libclamav -mysql -oav +pam -postgres +python -quotas +readline (-selinux) -winbind -xml +xml2 14,821 kB

Total size of downloads: 14,821 kB

We are mostly concerned with -acl and -winbind. ACL support lets Samba map Windows permissions onto the user and group permissions of the shared file system, while winbind lets Samba ask your Samba or NT PDC which users and groups exist in the domain.

Note: The kerberos USE flag may be required to join a Windows Server 2003 domain. If you do not enable it, you may get errors containing "NT_STATUS_INVALID_COMPUTER_NAME" or errors about Kerberos or signing.

So let's enable them by adding the flags to /etc/portage/package.use and checking emerge again:

Code: Enable acl's and winbind
root # echo "net-fs/samba acl winbind" >> /etc/portage/package.use
root # emerge -pv samba

These are the packages that I would merge, in order:

Calculating dependencies ...done!
[ebuild  N    ] sys-apps/attr-2.4.19  -debug +nls 101 kB
[ebuild  N    ] sys-apps/acl-2.2.27  -debug +nls 141 kB
[ebuild  N    ] net-fs/samba-3.0.10  +acl +cups -debug -doc -kerberos -ldap -libclamav -mysql -oav +pam -postgres +python -quotas +readline (-selinux) +winbind -xml +xml2 14,821 kB

Total size of downloads: 15,063 kB

Code: Building the beast!!
root # emerge samba

This will take a while depending on your internet connection and bogomips. :)

Configure the server

While the server is building, take a look at this smb.conf. This is the template I use on most of the servers I configure. The options are a little different from those of a Samba PDC, but that's another story.

File: smb.conf
[global]
#-------[ Net Hood Settings ]
        workgroup = WORKGROUP or DOMAIN
        netbios name = SERVER_NAME
        server string = SERVER_COMMENT
        socket options = TCP_NODELAY SO_SNDBUF=8192 SO_RCVBUF=8192 IPTOS_LOWDELAY

#-------[ Log Level ]
        log level = 2

#-------[ Server Role Settings ]
        security = DOMAIN
        password server = YOUR PDC
        encrypt passwords = true

#-------[ NT ACL Compatibility ]
        nt acl support = true
        create mode = 0644
        directory mode = 0755

#-------[ Winbind communication ]
        idmap uid = 15000-20000
        idmap gid = 15000-20000
        winbind use default domain = Yes
        winbind enum users = Yes
        winbind enum groups = Yes

#-------[ Printserver information ]
        printcap name = cups
        disable spoolss = yes
        show add printer wizard = no
        printing = cups
# security mask: which permission bits a client may change from the Windows Security tab; 0777 allows all of them
        security mask = 0777

#-------[ Shares ]
# One block like this per share; the name in brackets is what clients see
[SHARE_NAME]
        path = /PATH/TO/SHARE
        comment = COMMENT ABOUT SHARE
        browseable = yes
        writeable = yes
        inherit permissions = Yes
        inherit acls = yes
        create mask = 0644
        guest ok = no
        security mask = 0777

Now that you have smb.conf tweaked and the server compiled, you need to edit /etc/fstab so that the file system is mounted with ACL support. This can mess up your system, so I don't recommend enabling ACLs on / or other system partitions. On my servers I used a completely separate disk.

File: /etc/fstab
# /etc/fstab: static file system information.
# <file system> <mount point>   <type>  <options>       <dump>  <pass>
proc            /proc           proc    defaults        0       0
/dev/hda1       /               ext3    defaults,errors=remount-ro 0       1
/dev/hda5       none            swap    sw              0       0
/dev/hdc        /mnt/cdrom0   iso9660 ro,user,noauto    0       0
/dev/fd0        /mnt/floppy0  auto    rw,user,noauto    0       0

/dev/hde        /mnt/warehouse  ext3  defaults,acl    0       0
/dev/hdf        /mnt/library    ext2  defaults,acl    0       0
/dev/hdh        /mnt/webserver  ext3  defaults,acl    0       0
/dev/hdg        /mnt/warehouse2 ext3  defaults,acl    0       0

Just add acl to the <options> field of each partition you want to share, then remount it: umount /mnt/partition followed by mount /mnt/partition.

Name Resolution

A cool way to get name resolution without running DNS or editing /etc/hosts every 15 minutes is to tweak /etc/nsswitch.conf. Add winbind after compat on the passwd and group lines, and for NetBIOS name resolution add wins after files on the hosts line.

File: /etc/nsswitch.conf
# /etc/nsswitch.conf
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.

passwd:         compat winbind
group:          compat winbind
shadow:         compat

hosts:          files wins dns
networks:       files

protocols:      db files
services:       db files
ethers:         db files
rpc:            db files

netgroup:       nis

You should now be able to ping hosts by NetBIOS name!

You can add Samba to the default run-level so that it starts on boot: rc-update add samba default

Then join the domain: net rpc join -Uroot%'passwd' (if you leave off the %'passwd' part, net prompts for the password instead, which keeps it out of your shell history and process list)

Start winbind: winbindd -B

To start winbind automatically, add winbind to the "daemon_list" in /etc/conf.d/samba.

Restart Samba: /etc/init.d/samba restart

Code: Grab users from the PDC
wbinfo -u
wbinfo -g
getent passwd
getent group

You should see some users that don't exist in your /etc/passwd. If wbinfo -u shows the domain users you're expecting but getent passwd doesn't, check that winbind enumeration is enabled in your /etc/samba/smb.conf, as it's disabled by default in recent Samba versions:

File: smb.conf
        winbind enum users = Yes
        winbind enum groups = Yes
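As an added example (not from the original wiki), the script below checks the three files this page edits before you restart Samba: the acl option in fstab, the winbind and wins sources in nsswitch.conf, and the winbind enum setting in smb.conf. It is POSIX shell plus awk; the /mnt/warehouse mount point, the file layout under a directory, and the sample file contents are constructed assumptions, not taken from a real server.

```shell
#!/bin/sh
# Added example, not from the original wiki. Pre-flight checks for the three files
# this page edits; each check returns 0 when the setting is present and 1 otherwise.
# Does the uncommented fstab entry for mount point $2 in file $1 carry "acl"?
fstab_has_acl() {
    awk -v mp="$2" '$1 !~ /^#/ && $2 == mp {
            n = split($4, o, ",")
            for (i = 1; i <= n; i++) if (o[i] == "acl") ok = 1
        }
        END { exit ok ? 0 : 1 }' "$1"
}
# Does database $2 (passwd, group, hosts, ...) in nsswitch.conf $1 list source $3?
nss_has_source() {
    awk -v db="$2" -v src="$3" '$1 !~ /^#/ && $1 == (db ":") {
            for (i = 2; i <= NF; i++) if ($i == src) ok = 1
        }
        END { exit ok ? 0 : 1 }' "$1"
}
# Is parameter $2 set to yes/true/1 in section $3 (default global) of smb.conf $1?
# Names are case-insensitive; lines before any [section] header belong to [global].
smb_param_is_yes() {
    awk -v key="$2" -v want="${3:-global}" '
        BEGIN { sec = "global"; key = tolower(key); want = tolower(want) }
        /^[ \t]*[;#]/ { next }
        /^[ \t]*\[/   { sec = tolower($0); sub(/^[ \t]*\[/, "", sec); sub(/].*/, "", sec); next }
        sec == want && index($0, "=") {
            k = $0; sub(/=.*/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", k)
            v = $0; sub(/^[^=]*=/, "", v); gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (tolower(k) == key && tolower(v) ~ /^(yes|true|1)$/) ok = 1
        }
        END { exit ok ? 0 : 1 }' "$1"
}
# Runs the checks this page depends on against the files under directory $1 and
# returns the number of failures (0 means it is safe to restart Samba).
check_member_server() {
    fails=0
    fstab_has_acl "$1/fstab" /mnt/warehouse             || { echo "fstab: /mnt/warehouse lacks acl"; fails=$((fails+1)); }
    nss_has_source "$1/nsswitch.conf" passwd winbind    || { echo "nsswitch: passwd lacks winbind"; fails=$((fails+1)); }
    nss_has_source "$1/nsswitch.conf" hosts wins        || { echo "nsswitch: hosts lacks wins"; fails=$((fails+1)); }
    smb_param_is_yes "$1/smb.conf" "winbind enum users" || { echo "smb.conf: winbind enum users is not yes"; fails=$((fails+1)); }
    return $fails
}
# Constructed sample files (trimmed versions of the ones shown on this page).
SAMPLE_DIR=$(mktemp -d)
printf '%s\n' '/dev/hda1 / ext3 defaults,errors=remount-ro 0 1' \
    '/dev/hde /mnt/warehouse ext3 defaults,acl 0 0' > "$SAMPLE_DIR/fstab"
printf '%s\n' 'passwd: compat winbind' 'group: compat winbind' 'shadow: compat' \
    'hosts: files wins dns' > "$SAMPLE_DIR/nsswitch.conf"
printf '%s\n' '[global]' '  security = DOMAIN' '  winbind enum users = Yes' \
    '[warehouse]' '  path = /mnt/warehouse' '  guest ok = no' > "$SAMPLE_DIR/smb.conf"
check_member_server "$SAMPLE_DIR" && echo "all checks passed"
```

Point the functions at /etc/fstab, /etc/nsswitch.conf and /etc/samba/smb.conf to check a real server; a non-zero return from check_member_server names the setting that is still missing.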

Code: Set the baseline permissions.
chmod -R 770 /mnt/partition
# Then I like to chown -R <adminish user>:<nt group> /mnt/dir
groups DOMAIN\\Domain_Account
# If this returns a group with a space, such as Domain Users, surround it with quotes.
chown -R DOMAIN\\Domain_Account:"Domain Users" /mnt/partition

getfacl gets the file access control list of a file or directory:

Code: Using ACL's
kevlar store # getfacl ../store
# file: ../store
# owner: root
# group: lanusers

To modify the permissions of this directory you can use the Windows Security tab or setfacl. Say I want to give the user emily rwx access to the folder: setfacl -R -m u:emily:rwx /mnt/dir

Code: See the results
kevlar mnt # getfacl store
# file: store
# owner: root
# group: lanusers

You can add groups too: just change u:<name> to g:<group>.


Last modified: Mon, 04 Aug 2008 09:52:00 +0000