Gentoo Wiki





A Primary Domain Controller, or PDC, allows:

  1. users on a domain to authenticate against a central controller
  2. users to have roaming profiles
  3. commands to run at login, driven by login scripts that reside on the PDC.

This HOWTO focuses on how to implement Samba as the PDC for your domain. It was written with a Windows 2000/XP network in mind, but should work with any client version of Windows, though some extra client side settings may need to be configured.


What this HOWTO will do

  1. Allow Microsoft Windows (2000 and XP) clients to authenticate via your Samba server
  2. Provide mapped drives (based on logon scripts)
  3. Execute a logon script
  4. Enable use of roaming profiles

Roaming profiles defined

Microsoft Windows supports roaming user profiles, which allow certificates to follow users no matter which computer they use to log on. When roaming profiles are enabled, user profiles, including issued certificates and private keys, are stored on the domain controller. The roaming profile is downloaded to the computer during the logon process for the user.

What this HOWTO will not do

  1. Configure your Samba server for print sharing (See Printing HOWTOs)
  2. Configure your Samba server for virus scanning (See HOWTO SAMBA-LDAP Domain Controller (with Real Time antivirus))
  3. Configure your Samba server for LDAP authentication

Step by Step

  1. Install Samba
  2. Configure Samba
  3. Configure your workstations
    1. Configure Windows 2000 workstations
    2. Configure Windows XP workstations
  4. More Samba configuration
  5. Final steps

Gentoo environment

System environment

This Samba PDC was compiled and configured on a stable x86 platform using kernel 2.6.10. CFLAGS and CHOST used are as follows:

CFLAGS="-O2 -mcpu=i686 -pipe"

It is assumed, if you wish to implement this HOWTO, that you have a fully functioning Gentoo Linux system and some basic knowledge of domain controllers.

The Linux Kernel

No special configuration is needed for the kernel.

Note: Make sure POSIX Access Control Lists are supported by the kernel on the relevant file system.

USE flags

There are a few choices that can be implemented for Samba authentication: kerberos, ldap and pam. Make sure you enable the correct flag; in this example, I use pam. I also enable the winbind flag to make use of winbind.

Other than enabling an authentication flag, all other flags are optional. I suggest learning more about each flag to better fit your needs. For printing and virus scanning, enable cups and oav respectively. In the file below, add the following variables to USE="":

File: /etc/make.conf
acl -cups -doc -kerberos -ldap -oav pam -python -quotas readline -selinux winbind

Alternatively, the best USE flag customisation can be done by editing /etc/portage/package.use. This is my method. My USE variable in /etc/make.conf is unset.

File: /etc/portage/package.use
net-fs/samba acl -cups -doc -kerberos -ldap -oav pam -python -quotas readline -selinux winbind

Optionally, if you have gentoolkit installed, you can enable/disable the above flags using the command euse. For more information on euse, see Euse.

Install Samba

This is probably the easiest step. It is good practice to always do a pretend/verbose before installing any package. This way you know what is going to be installed (focusing on dependencies, if any). Kick back for a while as it takes about 15-30 minutes to install Samba, depending on hardware/optimizations. It'll take longer if any dependencies need to be installed.

Code: Install Samba
# su
# emerge --sync
# emerge samba -av

Configure Samba

The first section we will configure is the [global] services section, followed by [netlogon], [profiles], [homes] and other services sections. You'll need to change some values to meet your criteria.

The [global] service section

netbios name sets the NetBIOS name by which a Samba server is known. This is what you'll see in network neighborhood. workgroup controls what workgroup your server will appear to be in when queried by clients. This is also the DOMAIN you will work from if you are using one. server string controls what string will show up in the printer comment box in print manager and next to the IPC connection in net view.

Note: DOMAIN in this context refers to a NetBIOS domain (workgroup), it's flat, non-hierarchical and shouldn't be confused with an Internet domain.

File: /etc/samba/smb.conf
netbios name = COMPUTER_NAME
workgroup = YOUR_DOMAIN
server string = PDC [on Gentoo :: Samba server %v]

hosts allow is a comma, space, or tab delimited set of hosts which are permitted to access a service. Left empty, as in the example below, it places no restriction on which hosts may connect, so consider limiting it to the addresses of your LAN. security affects how clients respond to Samba and is one of the most important settings in the smb.conf file. encrypt passwords controls whether encrypted passwords will be negotiated with the client. socket options allows you to set socket options to be used when talking with the client. It is for performance fine tuning. If you find more/better options, I'd love to know of them. interfaces allows you to override the default network interfaces list that Samba will use for browsing, name registration and other NBT traffic. bind interfaces only limits Samba to serving SMB requests on the interfaces listed in interfaces.

File: /etc/samba/smb.conf
hosts allow =
security = user
encrypt passwords = yes
interfaces = lo eth0
bind interfaces only = yes

To make your Samba server the PDC, the following 4 parameters are required. Setting your os level to 65 ensures your server will be the PDC in a network where there are other DCs. local master allows nmbd to try and become a local master browser on a subnet. os level controls what level Samba advertises itself as for browse elections. domain master enables WAN-wide browse list collation. Setting this option causes nmbd to claim a special domain specific NetBIOS name that identifies it as a domain master browser for its given workgroup. preferred master controls if nmbd is a preferred master browser for its workgroup.

File: /etc/samba/smb.conf
local master = yes
os level = 65
domain master = yes
preferred master = yes

null passwords allows or disallows client access to accounts that have null passwords. hide unreadable prevents clients from seeing the existence of files that cannot be read. hide dot files controls whether files starting with a dot appear as hidden files.

File: /etc/samba/smb.conf
null passwords = no
hide unreadable = yes
hide dot files = yes

domain logons dictates whether the Samba server will serve Windows Domain logons for the workgroup it is in. logon script specifies the batch file (.bat) or NT command file (.cmd) to be downloaded and run on a machine when a user successfully logs in. logon path specifies the home directory where roaming profiles (NTuser.dat etc. files for Windows NT) are stored. logon drive specifies the local path to which the home directory will be connected and is only used by NT Workstations. logon home specifies the home directory location when a Win95/98 or NT Workstation logs into a Samba PDC. Note that the variables %L and %U must be used; they expand to the server name and username respectively. You may specify any drive letter as long as it does not conflict with other drives on your Win2k client.

For logon script, I personally use a static file name. Using %U will require a batch file for each user as %U == the username establishing the connection.

File: /etc/samba/smb.conf
domain logons = yes
logon script = login.bat
# or one script per user: logon script = %U.bat
logon path = \\%L\profiles\%U
logon drive = H:
logon home = \\%L\%U\.9xprofile

wins support controls if the nmbd process in Samba will act as a WINS server. name resolve order is used by the programs in the Samba suite to determine what naming services to use and in what order to resolve host names to IP addresses. dns proxy specifies that nmbd when acting as a WINS server and finding that a NetBIOS name has not been registered, should treat the NetBIOS name word-for-word as a DNS name and do a lookup with the DNS server for that name on behalf of the name-querying client.

File: /etc/samba/smb.conf
wins support = yes
name resolve order = wins lmhosts host bcast
dns proxy = no

time server determines if nmbd advertises itself as a time server to Windows clients. log file allows you to override the name of the Samba log file (also known as the debug file). max log size specifies the maximum size the log file may grow to. smb passwd file sets the path to the encrypted smbpasswd file; by default, the path to the smbpasswd file is compiled into Samba. The configuration below instead selects the tdbsam backend with passdb backend, which keeps accounts in a TDB database, so smb passwd file is not set.

File: /etc/samba/smb.conf
time server = yes
log file = /var/log/samba/log.%m
max log size = 50
passdb backend = tdbsam

The following are parameters to assist you in adding/deleting users/machines from a client. Please refer to the O'Reilly book listed in the Resources section.

File: /etc/samba/smb.conf
add user script = /usr/sbin/useradd -m %u
delete user script = /usr/sbin/userdel -r %u
add group script = /usr/sbin/groupadd %g
delete group script = /usr/sbin/groupdel %g
add user to group script = /usr/sbin/usermod -G %g %u
add machine script = /usr/sbin/useradd -s /bin/false -d /dev/null %u
#a nice replacement for above line:
#add machine script = /usr/sbin/useradd -d /dev/null -g 'machines' -c 'Machine Account' -s /bin/false '%u'
#you need to add a "machines" group to use it
passwd program = /usr/bin/passwd %u
passwd chat = "*New password:*" %n\r "*New password (again):*" %n\r "*Password changed*"

unix charset specifies the charset the unix machine Samba runs on uses. Samba needs to know this in order to be able to convert text to the charsets other SMB clients use.

File: /etc/samba/smb.conf
unix charset = ISO8859-1
#the default for this is UTF-8, best to leave it undefined unless your system is not UTF-8 enabled

The [SHARE_NAME] services section

This section defines your shares. If you include a parameter within any one of these sections that is also defined in the global section, it overrides the global value. I'm not going to get into detail about each and every parameter here. The Samba documentation listed under Suggested Readings is a great resource for defining parameters. Use it!

netlogon is the service section where your Default Profile (for new users) and your login script reside. Make sure the directory is owned and group owned by root and its permissions are 755 (chmod -R 0755).

File: /etc/samba/smb.conf
[netlogon]
 path = /var/lib/samba/netlogon
 guest ok = no
 read only = yes
 browseable = no

profiles is the service section for user roaming profiles. Make sure the directory itself is owned and group owned by root, with permissions 755 (chmod -R 0755). Your users' profile directories live inside it; make sure each of them is owned by the user and group owned by users, with permissions 770 (chmod -R 0770).

File: /etc/samba/smb.conf
[profiles]
 path = /var/lib/samba/profiles
 browseable = no
 writeable = yes
 default case = lower
 preserve case = no
 short preserve case = no
 case sensitive = no
 hide files = /desktop.ini/ntuser.ini/NTUSER.*/
 write list = @smbusers @root
 create mask = 0600
 directory mask = 0700
 csc policy = disable
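Getting the ownership and modes of the netlogon and profiles trees wrong is a common cause of failed roaming-profile logons, and a too-loose mode lets one user read or alter another's profile. The following Python script is an added example written for this page, not code from the original HOWTO or from Samba. It creates the layout described above under a base directory (the HOWTO's /var/lib/samba, or a scratch directory for a dry run), applies root:root 0755 to netlogon and profiles and user:users 0770 to each profile directory, and audits the result; the chown steps run only when executed as root and the named account exists, and the group name users is assumed as in the text.

```python
import grp
import os
import pwd
import stat
import tempfile


def _chown_if_root(path, user, group):
    """chown needs root; skip it (and report False) when unprivileged or
    when the account does not exist, so a dry run in a scratch dir works."""
    if os.geteuid() != 0:
        return False
    try:
        uid = pwd.getpwnam(user).pw_uid
        gid = grp.getgrnam(group).gr_gid
    except KeyError:
        return False
    os.chown(path, uid, gid)
    return True


def create_pdc_dirs(base, users):
    """Build netlogon/ and profiles/<user>/ under `base` with the modes the
    HOWTO prescribes: 0755 root-owned shares, 0770 user-owned profile dirs.
    Returns the paths of the two share directories."""
    netlogon = os.path.join(base, "netlogon")
    profiles = os.path.join(base, "profiles")
    for d in (netlogon, profiles):
        os.makedirs(d, exist_ok=True)
        os.chmod(d, 0o755)          # chmod is explicit so umask cannot interfere
        _chown_if_root(d, "root", "root")
    for user in users:
        p = os.path.join(profiles, user)
        os.makedirs(p, exist_ok=True)
        os.chmod(p, 0o770)
        _chown_if_root(p, user, "users")   # group "users" as in the HOWTO
    return {"netlogon": netlogon, "profiles": profiles}


def mode_of(path):
    """Permission bits of `path` as an int (e.g. 0o755)."""
    return stat.S_IMODE(os.stat(path).st_mode)


def check_pdc_dirs(base, users):
    """Audit: return the directories whose mode deviates from the prescribed
    one (ownership is not checked here, since it cannot be set unprivileged)."""
    bad = []
    for name in ("netlogon", "profiles"):
        d = os.path.join(base, name)
        if not os.path.isdir(d) or mode_of(d) != 0o755:
            bad.append(d)
    for user in users:
        p = os.path.join(base, "profiles", user)
        if not os.path.isdir(p) or mode_of(p) != 0o770:
            bad.append(p)
    return bad


def demo_in_tempdir():
    """Dry run in a scratch directory; returns the (empty) list of findings."""
    base = tempfile.mkdtemp(prefix="pdc-demo-")
    create_pdc_dirs(base, ["alice", "bob"])
    return check_pdc_dirs(base, ["alice", "bob"])


def demo_detects_drift():
    """Loosen one profile directory and show the audit catches exactly it."""
    base = tempfile.mkdtemp(prefix="pdc-demo-")
    paths = create_pdc_dirs(base, ["alice", "bob"])
    os.chmod(os.path.join(paths["profiles"], "alice"), 0o777)
    return check_pdc_dirs(base, ["alice", "bob"])


if __name__ == "__main__":
    print("clean layout findings:", demo_in_tempdir())
    print("drifted layout findings:", demo_detects_drift())
```

Run it as root with base set to /var/lib/samba to apply the real ownership; run it unprivileged to rehearse the layout and to re-check modes later, for instance from cron, since a profile directory that has drifted to a wider mode is exactly what `check_pdc_dirs()` reports.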

homes defines the users' home directories. Nothing special needs to be done to this directive or directory.

File: /etc/samba/smb.conf
[homes]
 path = /home/%U
 browseable = no
 valid users = %S
 read only = no
 guest ok = no
 inherit permissions = yes

public is only an example of one of my shares. You can define as many as you want. You can name them whatever you want. It does not have to be named [public].

File: /etc/samba/smb.conf
[public]
 comment = Public Stuff
 path = /public
 public = yes
 read only = yes
 browseable = yes
 write list = @users
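A single mistyped value in [global] or in the profiles share (encrypt passwords left off, an empty hosts allow, a permissive create mask) is what usually turns a PDC into an open share, and smb.conf gives no warning. The following Python script is an added example written for this page, not part of the original HOWTO and not Samba's own tooling. It parses a constructed smb.conf fragment (embedded inline, with encrypt passwords and hosts allow deliberately weak so there is something to report) and lists the settings that deviate from what this HOWTO prescribes. The defaults it assumes for absent parameters are Samba's documented defaults; the sample values are made up.

```python
import re

# Constructed sample smb.conf fragment (not taken from any real server).
# It mirrors the parameters this HOWTO sets, with two weak values left in.
SAMPLE_SMB_CONF = """
[global]
   netbios name = COMPUTER_NAME
   workgroup = YOUR_DOMAIN
   hosts allow =
   security = user
   encrypt passwords = no
   null passwords = no
   hide unreadable = yes
   domain logons = yes
   passdb backend = tdbsam

[netlogon]
   path = /var/lib/samba/netlogon
   guest ok = no
   read only = yes
   browseable = no

[profiles]
   path = /var/lib/samba/profiles
   browseable = no
   writeable = yes
   create mask = 0600
   directory mask = 0700
"""


def parse_smb_conf(text):
    """Parse smb.conf text into {section: {parameter: value}}.
    Parameter names are lower-cased and whitespace-normalised, as Samba
    treats them; lines starting with '#' or ';' are comments."""
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = re.match(r"^\[(.+)\]$", line)
        if m:
            current = m.group(1).strip().lower()
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        key, _, value = line.partition("=")
        sections[current][" ".join(key.split()).lower()] = value.strip()
    return sections


def truthy(value):
    """Samba boolean: yes/true/1 are true, anything else false."""
    return value.strip().lower() in ("yes", "true", "1")


def audit_pdc(sections):
    """Return findings for the settings this HOWTO relies on. The fallback
    values passed to .get() are Samba's defaults for an absent parameter."""
    findings = []
    g = sections.get("global", {})
    if g.get("security", "").lower() != "user":
        findings.append("global: security should be 'user' for a PDC")
    if not truthy(g.get("encrypt passwords", "yes")):
        findings.append("global: encrypt passwords should be yes")
    if truthy(g.get("null passwords", "no")):
        findings.append("global: null passwords should be no")
    if not g.get("hosts allow", ""):
        findings.append("global: hosts allow is empty, so every host may connect")
    if not truthy(g.get("hide unreadable", "no")):
        findings.append("global: hide unreadable should be yes")
    if not truthy(g.get("domain logons", "no")):
        findings.append("global: domain logons must be yes for a PDC")
    nl = sections.get("netlogon")
    if nl is None:
        findings.append("netlogon: share missing")
    else:
        if truthy(nl.get("guest ok", "no")):
            findings.append("netlogon: guest ok should be no")
        if not truthy(nl.get("read only", "yes")) or truthy(nl.get("writeable", "no")):
            findings.append("netlogon: logon scripts must not be writable by clients")
    pr = sections.get("profiles")
    if pr is None:
        findings.append("profiles: share missing")
    else:
        if pr.get("create mask", "0744") != "0600":
            findings.append("profiles: create mask should be 0600")
        if pr.get("directory mask", "0755") != "0700":
            findings.append("profiles: directory mask should be 0700")
    return findings


if __name__ == "__main__":
    for finding in audit_pdc(parse_smb_conf(SAMPLE_SMB_CONF)):
        print(finding)
```

Point it at your real file with `audit_pdc(parse_smb_conf(open("/etc/samba/smb.conf").read()))`; it is deliberately strict about the netlogon share, since a client that can write there can change the logon script every domain user runs.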

Adding users to Samba

The drawback to using Samba is that users have to be added twice. Once to your /etc/passwd and once to /var/lib/samba/private/smbpasswd or in /etc/samba/private/smbpasswd. I'm going to assume you already have a regular daily user so I'm going to skip the adduser Unix command. Obviously, and hopefully, root exists on your system.

Both of the following commands will prompt you for a password. My suggestion is to keep your Samba root password the same as your Unix system root password, and apply the same to your user password. Keep things simple.

# smbpasswd -a your_user
# smbpasswd -a root

Configure Clients

Configure Windows 2000 clients

This is another simple step. Log into your Windows 2000 client locally as Administrator and add your client machine to your domain. This is achieved by right clicking My Computer => Properties => Network Identification => Properties button. You will be prompted for a username/password of an authorised domain user. You'll need to use your root account (the reason root was added to smbpasswd).

After changing your domain, you'll need to reboot (no surprise there). When it reboots, you'll have the fancy login screen with the nice little graphic instructing you to do a "ctrl-alt-del" to get to the actual login screen. If you only see fields for your username and password, click on the "Options" button and a domain dropdown will appear. Your choices should be "computer name\local" AND your new domain.

In order to employ roaming profiles, you need to establish a "Default Profile" on Samba. This requires you to copy the contents of the hidden folder C:\Documents and Settings\Default User to your Samba server, into the directory specified in your [netlogon] service. This way your users will have a default profile to log into (assuming the usage of roaming profiles).

I suggest making sure the latest service pack is installed.

After adding the client to the domain and rebooting, lets leave this screen as is. We'll come back to it later.

Configure Windows XP clients

You should start the process for Windows XP clients with a complete Windows Update. Since the release of Service Pack 2, the way Microsoft Windows deals with profiles has changed a bit. Start by logging into your Windows XP client locally as Administrator and execute:


then, you must navigate to :

Local Computer Policy / Computer Configuration / Administrative Templates / System / User Profiles

and change the setting of the key 'Do not check for user ownership of Roaming Profile Folders' from 'Not Configured' to 'Enable'. If that key is not present, you should try visiting Windows Update again. Then you can use 'File / Exit'. This is needed because WinXP actually checks ACL permissions on your profile file system (which isn't really that easy to reproduce under *NIX). Once this is completed, you can proceed as for Windows 2000.

Alternatively, you can add the following registry key:


Add this to the [profiles] section in Samba 3.25 (see man smb.conf for more details):

File: /etc/samba/smb.conf
profile acls = yes


For problems with login and roaming profiles, trace both the server side and the client side. For client debugging see Microsoft's KB221833 [1]

More Samba configuration

This step maps your Windows groups to your Unix groups. It is an important step if you want admin rights on your Windows clients once you have logged onto the client authenticating against the PDC.

First, view the list of Windows groups. This way you know what you're mapping.

root@localhost # net groupmap list
System Operators (S-1-5-32-549) -> -1
Replicators (S-1-5-32-552) -> -1
Guests (S-1-5-32-546) -> -1
Domain Guests (S-1-5-21-3885047494-3765334852-1543503842-514) -> nobody
Domain Admins (S-1-5-21-3885047494-3765334852-1543503842-512) -> ntadmins
Power Users (S-1-5-32-547) -> -1
Print Operators (S-1-5-32-550) -> -1
Administrators (S-1-5-32-544) -> 1
Account Operators (S-1-5-32-548) -> -1
Domain Users (S-1-5-21-3885047494-3765334852-1543503842-513) -> users
Backup Operators (S-1-5-32-551) -> -1
Users (S-1-5-32-545) -> -1

It is possible that for some reason your groupmap is empty. Although unfortunate, it's not a big deal, as we only need the 3 mapped groups in there. Just run the following commands:

net groupmap add rid=512 unixgroup=ntadmins ntgroup="Domain Admins"
net groupmap add rid=513 unixgroup=users ntgroup="Domain Users"
net groupmap add rid=514 unixgroup=nobody ntgroup="Domain Guests"

As you can see, I've only mapped 3 groups as this is all that I require on my domain. Additionally, I created a Unix group called "ntadmins".

root@localhost # groupadd ntadmins

After you create your required Unix groups, you need to map them to your Windows groups. Replace the ntgroup value with a Windows group listed above, and set unixgroup to the Unix group you wish to map that Windows group to (remember, the Unix group must already exist).

root@localhost # net groupmap modify ntgroup="Domain Admins" unixgroup=ntadmins type=d

You'll need to perform this command for each Unix group you wish to map. You can now use your new groups for specific group parameters in either your global or service scopes (please review the O'Reilly book).

Final Steps

Now that we are done with configuring Samba, let's start it and add it to your default run levels.

root@localhost # /etc/init.d/samba start
root@localhost # rc-update add samba default

At this point, you should be able to log into your domain using your username and password (not root). If you wish to use a roaming profile, you'll need to tell the client. This is done by right clicking My Computer => Properties => User Profiles. Select your user and "Change type".

Using ACL

What are ACLs?

Extended attributes are arbitrary name/value pairs which are associated with files or directories. They can be used to store system objects like capabilities of executables and access control lists, as well as user objects. The attr(5) manual page describes which kinds of extended attributes are defined.

Access Control Lists

On UNIX and UNIX-like systems, file permissions are defined by the file mode. The file mode contains nine bits that determine access permissions of a file, plus three special bits. This mechanism allows defining access permissions for three classes of users: the file owner, the file group, and others. This mechanism is very simple: with a couple of bits, many permission scenarios can be modeled.

Some applications require more control over permissions than this model offers. Access control lists implement a more fine-grained permission model: In addition to the file owner, the file group, and others, additional users and groups can be granted or denied access.

How to enable ACLS

For installation and usage please take a look at HOWTO Use filesystem ACLs.

The option profile acls

This option has (as far as I know) nothing to do with the ACLs on a filesystem. It is rather an emulation of an ACL to make sure that WinXP and Win2k clients can read their profile from the server. More information can be found on the smb.conf man page.


Example login.bat script

File: login.bat
echo Setting Current Time...
net time \\shadow /set /yes

echo Mapping Network Drives to Domain network server...
net use H: /HOME
net use X: \\shadow\public
net use Y: \\shadow\audio
net use Z: \\shadow\video

When mapping your home drive, please make sure the letter you specify in logon drive in your global service is the same as in the net use XXX: /HOME command (where XXX = drive letter). Also, please remember, this is the script I use. Change it to suit your needs.

List connected users

This bash script produces a list of all users currently logged in. It can be useful in order to determine if a specific user is logged in or if there are users still connected. For example, if you want to shut down your PDC you must be sure that no user is connected.

#!/bin/bash
# Strip the header and separator lines from "smbstatus -b" and keep the
# Username column (the second field of each remaining line).
SMBUSERS=`/usr/bin/smbstatus -b | /usr/bin/sed -e '/------/d' -e '/PID/d' \
          -e '/Samba version/d' -e '/^$/d' | /usr/bin/awk -F ' ' '{print $2;}'`
SMBUSERCOUNT=0
for SMBUSER in $SMBUSERS; do
  echo $SMBUSER                # each username
  let "SMBUSERCOUNT += 1"
done
echo $SMBUSERCOUNT             # number of users logged in
exit 0


This HOWTO was compiled with the assistance of the resources listed under Suggested Readings.

Suggested Readings


Last modified: Tue, 16 Sep 2008 20:45:00 +0000