Howto setup a Linux PDC

Howto setup a Primary Domain Controller on Linux

Prerequisites:

samba
dhcpd

What is a Primary Domain Controller?

A primary domain controller, also called a PDC, controls the network access of multiple hosts, so that the mappings to network drives and other network resources do not have to be configured on every single box.

First of all, we take a look at the Samba configuration. Here are a few points to pay attention to:

# Global parameters

[global]
workgroup = home
netbios name = samba
encrypt passwords = yes
; this tells Samba that the security level must be set to user
security = user
; Samba is the domain and local master browser
os level = 65
preferred master = yes
domain master = yes
local master = yes
domain logons = yes
; profile location, given as a UNC path (\\server\share) on the Samba server
logon path = \\phoenix\%u

; automatically maps the home directory of the user; the drive letter can be anything you want.
; the server part of the UNC path is the Samba server's NetBIOS name
logon drive = q:
logon home = \\defcon\%u
; this line is only needed if you have netlogon scripts
logon script = netlogon.bat

; necessary share for a domain controller; keep it read-only, every client runs what it serves
[netlogon]
; comment = Network Logon Service
path = /var/lib/samba/netlogon
guest ok = yes
writable = no
share modes = no

[homes]
read only = no
browseable = no

[music]
path = /data/mp3
public = yes
browseable = yes
write list = mw, jackie
; a 0777 mask makes every new file and directory world-writable; use 0664/0775 unless you really need this
create mask = 0777
directory mask = 0777

[everyone]
path = /data/everyone
browseable = yes
read only = no
create mask = 0777
directory mask = 0777
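The settings above are easy to get subtly wrong (a missing UNC backslash, security not set to user, a netlogon share that is writable), and Samba's own testparm reports syntax but not role consistency. The following is an added example, not code from the original howto: a small smb.conf parser plus a checker for the PDC-relevant parameters discussed above. The embedded sample config is constructed for illustration, and the server and share names in it are placeholders.

```python
import re

# Constructed sample smb.conf in the style of the howto; names are placeholders.
SAMPLE_SMB_CONF = r"""
# Global parameters
[global]
workgroup = home
Netbios name = phoenix
encrypt passwords = Yes
; this tells Samba that the security level must be set to user
security = user
os level = 65
preferred master = yes
domain master = yes
local master = yes
domain logons = yes
logon path = \\phoenix\profiles\%u
logon drive = q:
logon home = \\phoenix\%u
logon script = netlogon.bat

[netlogon]
path = /var/lib/samba/netlogon
guest ok = yes
writable = no

[everyone]
path = /data/everyone
browseable = yes
read only = no
create mask = 0777
directory mask = 0777
"""

SECTION_RE = re.compile(r"^\[(.+)\]$")
UNC_RE = re.compile(r"^\\\\[^\\]+\\\S+")   # \\server\share... (Samba %-variables allowed)


def parse_smb_conf(text):
    """Parse smb.conf text into {section: {parameter: value}}.

    Parameter names are lower-cased with whitespace collapsed, because Samba
    treats 'Netbios name' and 'netbios name' as the same parameter. Lines
    starting with ';' or '#' are comments.
    """
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1).strip().lower()
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue  # parameter outside any section, or garbage
        name, _, value = line.partition("=")
        sections[current][" ".join(name.lower().split())] = value.strip()
    return sections


def is_yes(value):
    return value.strip().lower() in ("yes", "true", "1")


def check_pdc(sections):
    """Return a list of findings for the PDC role; an empty list means all checks passed."""
    findings = []
    g = sections.get("global", {})
    if g.get("security", "").lower() != "user":
        findings.append("[global] security must be 'user' for domain logons")
    for key in ("encrypt passwords", "domain logons", "domain master", "preferred master"):
        if not is_yes(g.get(key, "no")):
            findings.append(f"[global] {key} should be yes on a PDC")
    for key in ("logon path", "logon home"):
        value = g.get(key)
        if value is not None and not UNC_RE.match(value):
            findings.append(f"[global] {key} is not a UNC path (\\\\server\\share): {value!r}")
    if is_yes(g.get("domain logons", "no")) and "netlogon" not in sections:
        findings.append("[netlogon] share missing; it is required when domain logons = yes")
    for name, share in sections.items():
        if name == "global":
            continue
        if name == "netlogon" and (is_yes(share.get("writable", "no"))
                                   or share.get("read only", "yes").lower() == "no"):
            findings.append("[netlogon] must be read-only: every client runs the scripts it serves")
        for mask in ("create mask", "directory mask"):
            if share.get(mask, "").endswith("777"):
                findings.append(f"[{name}] {mask} = 0777 makes new files world-writable")
    return findings


if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_SMB_CONF
    for finding in check_pdc(parse_smb_conf(text)) or ["no findings"]:
        print(finding)
```

Run it as `python3 check_pdc.py /etc/samba/smb.conf` to check a real file; without an argument it checks the embedded sample, which passes everything except the world-writable masks on the [everyone] share.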

Next we have to create the accounts for the client users on the Samba server. This is done with smbpasswd, which prompts for the password:

smbpasswd -a youruser

If you want certain things to start on the client when a user logs in, one way is to use batch files.

An example of such a netlogon.bat:

REM NETLOGON.BAT
net use z: \\phoenix\music /yes

Now let's take a look at dhcpd.conf:

# Sample dhcpd.conf
#
# Sample configuration file for ISC dhcpd
#

# note: the ad-hoc style was removed in ISC dhcpd 4.x; use "none" or "interim" there
ddns-update-style ad-hoc;

# option definitions common to all supported networks...
option domain-name "samba.local";

# Your name servers. You can normally find these in
# your /etc/resolv.conf file. These will be distributed to all DHCP
# clients.

option domain-name-servers xxx.xxx.xxx.xxx, xxx.xxx.xxx.xxx, xxx.xxx.xxx.xxx;
default-lease-time 600;
max-lease-time 7200;

# If this DHCP server is the official DHCP server for the local
# network, the authoritative directive should be uncommented.

authoritative;

# Use this to send dhcp log messages to a different log file (you also
# have to hack syslog.conf to complete the redirection).

log-facility local7;

# Configuration for an internal subnet.

subnet xxx.xxx.xxx.xxx netmask 255.255.255.0 {
  range xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx;
  option domain-name-servers xxx.xxx.xxx.xxx, xxx.xxx.xxx.xxx, xxx.xxx.xxx.xxx;
  option domain-name "samba.local";
  option routers xxx.xxx.xxx.xxx;
  option broadcast-address xxx.xxx.xxx.255;
  default-lease-time 600;
  max-lease-time 7200;
}

Now the part that is interesting for us:

# Assign a static IP to defcon.samba.local

host defcon {
  hardware ethernet 00:45:40:10:FE:12;
  fixed-address xxx.xxx.xxx.xxx;
}

To get the MAC address, on Linux there's the ifconfig command (or ip link); on Windows the same information is shown by ipconfig /all.

Next we need to create a group that holds our Samba users (on Debian-style systems the equivalents are addgroup and adduser --ingroup):

groupadd samba-clients

Then we set up the accounts for the machines that connect to the PDC as follows (note the trailing $ on the Unix account name; smbpasswd -m appends it by itself):

useradd -g samba-clients 'somemachine$'
passwd -l 'somemachine$'
smbpasswd -am somemachine

Then we set up our users as follows:

useradd -g samba-clients someuser
passwd -l someuser
smbpasswd -a someuser

Explanation of the parameters:

1. Why do we want our own Samba users group?

Mainly for security and management reasons: we can enforce a further security policy on that group, for example by disabling shell login and other things for those users, or by assigning ownership of certain files based on that group.

2. What is the -l with the passwd command?

This locks the account for normal login, so the user has Samba access but cannot log in to the server by any other method by default. (This is not the same as pointing the user's shell to /bin/false, but it gives a baseline of security.)

3. Why set up a machine-specific account, and what is the -am with smbpasswd?

For the machine account, think of it this way: we have one user in the domain who should be allowed to log in to the domain from "any" machine. In this case the machine account comes in handy, as we can keep machine-related settings apart from user-related settings (for example two different logon scripts).

The -am behind smbpasswd says that what we add is a machine account. Such an account cannot log on to the PDC by itself (no password, since no logon); a "normal" Samba user and password are still needed to log in, so our users don't play ugly and connect to our network as a computer.
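The account procedure above (group, locked Unix login, separate machine and user accounts) is easy to drift from over time: someone creates a user without passwd -l and that user can suddenly log in over SSH. The following is an added example, not part of the original howto: it generates the same command sequence the text uses (useradd, passwd -l, smbpasswd; these command names and the group name samba-clients are assumed from the text) and, more usefully, audits passwd/shadow/group data to find samba-clients members whose Unix login is not locked. The sample passwd, shadow and group lines are constructed for the example.

```python
import re

GROUP = "samba-clients"
NAME_RE = re.compile(r"^[a-z][a-z0-9-]{0,14}$")   # NetBIOS names are at most 15 characters

# Constructed sample files; hashes are dummies.
SAMPLE_GROUP = "samba-clients:x:1001:mw\nusers:x:100:\n"
SAMPLE_PASSWD = """root:x:0:0:root:/root:/bin/bash
somemachine$:x:1002:1001::/home/somemachine$:/bin/sh
jackie:x:1003:1001::/home/jackie:/bin/sh
mw:x:1004:100::/home/mw:/bin/bash
"""
SAMPLE_SHADOW = """root:$6$saltsalt$hashhash:19000:0:99999:7:::
somemachine$:!$6$saltsalt$hashhash:19000:0:99999:7:::
jackie:$6$saltsalt$hashhash:19000:0:99999:7:::
mw:!$6$saltsalt$hashhash:19000:0:99999:7:::
"""


def _valid_name(name):
    if not NAME_RE.match(name):
        raise ValueError(f"invalid account name: {name!r}")
    return name


def machine_account_commands(machine):
    """Command sequence for a locked machine trust account.

    The Unix account carries the trailing '$' (NetBIOS convention for machine
    accounts); smbpasswd -m appends the '$' itself, so it gets the bare name.
    """
    name = _valid_name(machine.lower().rstrip("$"))
    unix = name + "$"
    return [["useradd", "-g", GROUP, unix],
            ["passwd", "-l", unix],
            ["smbpasswd", "-a", "-m", name]]


def user_account_commands(user):
    """Command sequence for a user who may log on via Samba only."""
    name = _valid_name(user.lower())
    return [["useradd", "-g", GROUP, name],
            ["passwd", "-l", name],
            ["smbpasswd", "-a", name]]   # prompts for the Samba password


def _records(text):
    """Split passwd/shadow/group style text into field lists, skipping blanks and comments."""
    return [line.split(":") for line in text.splitlines() if line and not line.startswith("#")]


def group_members(passwd_text, group_text, group=GROUP):
    """Members of the group, by primary GID (passwd) or supplementary membership (group)."""
    gid, members = None, set()
    for fields in _records(group_text):
        if fields[0] == group:
            gid = fields[2]
            members.update(m for m in fields[3].split(",") if m)
    for fields in _records(passwd_text):
        if gid is not None and fields[3] == gid:
            members.add(fields[0])
    return members


def audit(passwd_text, shadow_text, group_text):
    """Findings for samba-clients members whose Unix login is not locked.

    passwd -l prefixes the hash field in /etc/shadow with '!', so a member
    whose hash lacks that prefix (or who has no shadow entry) is reported.
    """
    locked = {f[0]: f[1].startswith("!") for f in _records(shadow_text)}
    findings = []
    for name in sorted(group_members(passwd_text, group_text)):
        if not locked.get(name, False):
            findings.append(f"{name}: Unix login is not locked (run passwd -l)")
    return findings


if __name__ == "__main__":
    import sys
    if len(sys.argv) == 4:   # python3 audit.py /etc/passwd /etc/shadow /etc/group (needs root)
        texts = [open(p).read() for p in sys.argv[1:]]
    else:
        texts = [SAMPLE_PASSWD, SAMPLE_SHADOW, SAMPLE_GROUP]
    for finding in audit(*texts) or ["no findings"]:
        print(finding)
```

On the sample data only jackie is reported: somemachine$ and mw are locked, and root is not in the group. Reading the real /etc/shadow requires root, which is why the audit works on text rather than opening the files itself.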

For Windows XP you'll need to change the registry value "requiresignorseal" (HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters\RequireSignOrSeal) from 1 to 0 in order to join that machine to the domain. Setting it to 0 drops the requirement that the secure channel to the domain controller be signed or sealed, so leave it at 1 if the join works without the change.

*note* I was told that you don't need to change this setting in the Windows XP registry anymore since Samba 3.x was released...

That should be it. If you have questions or suggestions, you're free to email them to me or comment on this tutorial.