28.5. Samba as Login Server

In networks where predominantly Windows clients are found, it is often preferable that users may only log in with a valid account and password. In a Windows-based network, this task is handled by a Windows NT server configured as a primary domain controller (PDC), but this can also be done with the help of a Samba server. The entries that must be made in the [global] section of smb.conf are shown in Example 28.3, “Global Section in smb.conf”.

Example 28.3. Global Section in smb.conf

       [global]
       workgroup = TUX-NET
       domain logons = Yes
       domain master = Yes

If encrypted passwords are used for verification purposes—this is the default setting with well-maintained MS Windows 9x installations, MS Windows NT 4.0 from service pack 3, and all later products—the Samba server must be able to handle these. The entry encrypt passwords = yes in the [global] section enables this (with Samba version 3, this is now the default). In addition, it is necessary to prepare user accounts and passwords in an encryption format that conforms with Windows. Do this with the command smbpasswd -a name. Create the domain account for the computers, required by the Windows NT domain concept, with the following commands:

Example 28.4. Setting Up a Machine Account

       useradd hostname\$
       smbpasswd -a -m hostname

With the useradd command, the dollar sign must be appended to the hostname explicitly, escaped as \$ so that the shell does not interpret it. The smbpasswd command inserts the dollar sign automatically when the parameter -m is used. The commented configuration example (/usr/share/doc/packages/Samba/examples/smb.conf.SuSE) contains settings that automate this task.

Example 28.5. Automated Setup of a Machine Account


       add machine script = /usr/sbin/useradd -g nogroup -c "NT Machine Account" \
       -s /bin/false %m\$
     

To make sure that Samba can execute this script correctly, choose a Samba user with the required administrator permissions. To do so, select one user and add it to the ntadmin group. After that, all users belonging to this Linux group can be assigned Domain Admin status with the command:

     net groupmap add ntgroup="Domain Admins" unixgroup=ntadmin
   

More information about this topic is provided in Chapter 12 of the Samba HOWTO Collection, found in /usr/share/doc/packages/samba/Samba-HOWTO-Collection.pdf.
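
The following audit script is an added example, not part of the original guide or of Samba itself: it checks an smb.conf for the [global] entries from Examples 28.3 and 28.5 and for the encrypt passwords setting. The function names, the non-login-shell check, and the embedded sample file are assumptions constructed for illustration.

```shell
# Added example: audit [global] in an smb.conf for this page's login-server settings.
# Emit "key=value" per [global] parameter. Keys are lower-cased with whitespace
# removed (smb.conf ignores both); backslash-continued lines are joined.
global_params() {
    awk '
    joining { $0 = held $0; joining = 0 }
    /\\$/ { sub(/\\$/, ""); held = $0; joining = 1; next }
    /^[ \t]*[#;]/ || /^[ \t]*$/ { next }
    /^[ \t]*\[/ { s = tolower($0); gsub(/[ \t]/, "", s); in_global = (s == "[global]"); next }
    in_global && (eq = index($0, "=")) {
        key = tolower(substr($0, 1, eq - 1)); gsub(/[ \t]/, "", key)
        val = substr($0, eq + 1); gsub(/^[ \t]+|[ \t]+$/, "", val)
        print key "=" val
    }' "$1"
}

# Look up one normalised key in the output of global_params (last entry wins).
param() {
    printf '%s\n' "$2" | awk -v k="$1" 'index($0, k "=") == 1 { v = substr($0, length(k) + 2) } END { print v }'
}
is_yes() { case $(printf '%s' "$1" | tr 'A-Z' 'a-z') in yes|true|1) return 0 ;; *) return 1 ;; esac; }

# Print findings; the exit status is the number of FAIL lines (0 = matches the page).
audit_login_server() {
    params=$(global_params "$1"); fails=0
    fail() { echo "FAIL: $1"; fails=$((fails + 1)); }
    for p in domainlogons domainmaster; do
        is_yes "$(param "$p" "$params")" || fail "$p is not enabled"
    done
    enc=$(param encryptpasswords "$params")   # unset is fine: the default in Samba 3 is yes
    [ -z "$enc" ] || is_yes "$enc" || fail "encrypt passwords is disabled"
    script=$(param addmachinescript "$params")
    if [ -n "$script" ]; then
        case $script in *'%m$'*|*'%m\$'*) ;; *) fail "add machine script lacks the %m\$ suffix" ;; esac
        # Assumption: machine accounts should get a non-login shell, as in Example 28.5.
        case $script in *'-s /bin/false'*|*nologin*) ;; *) fail "machine accounts get a login shell" ;; esac
    fi
    return "$fails"
}
# Constructed sample: the settings from Examples 28.3 and 28.5 combined.
sample=$(mktemp)
cat > "$sample" <<'EOF'
[global]
   workgroup = TUX-NET
   domain logons = Yes
   domain master = Yes
   add machine script = /usr/sbin/useradd -g nogroup -c "NT Machine Account" \
   -s /bin/false %m\$
EOF
audit_login_server "$sample" && echo "OK: login-server settings present"
```

To audit a live server, pass the path of its smb.conf to audit_login_server instead of the sample file.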