A domain member

 
 
 


 Which security level  -  Configuration  -  Becoming a domain member  -   Access from trusted domains   -  Automatically adding Unix users  -  New parameters



 
 

If an NT PDC already exists on your network, you can configure your Samba server as a member of the domain controlled by that NT machine. To authenticate a connecting user, the Samba server then asks the PDC to check the username and password it has received.
Which security level?
There are two values of the security parameter that make Samba use another PDC as an authentication server. The first value is SERVER. Historically, this is the first implementation of the use of a password server. When set to this value, the Samba server that receives the username and password from a client uses them to log on to the authentication server it is configured to use. This consumes one license on that server, and the connection stays open as long as the client is connected. If the logon against the authentication server is successful, Samba lets the client in.
The other value, available since version 2.0.0, is DOMAIN. With this value, Samba is a real domain member and participates in the domain exactly as another NT machine does. When the Samba server needs to validate a username and password, it connects to the PDC (the authentication server) and passes the authentication to it the same way an NT machine does. No connection needs to stay open between Samba and the authentication server, and the Samba server identifies itself to the PDC with its own machine account (see Becoming a domain member below).

If the authentication server does not answer (cannot be found) or refuses access, the Samba server automatically falls back to user-level security mode, and everything said about that mode applies here (see user-level security mode). In practice this means the local Samba password file is still consulted when no password server can be reached, so it must be kept as tightly controlled as on a stand-alone server.

!!I recommend security = domain if you run Samba 2.0.X, since it consumes fewer resources (licenses, ...) on the authentication server.

Configuring this mode
A basic configuration of a Samba server as a member of an NT domain needs at least four or five parameters.
[global]
netbios name = SAMBA
workgroup = NT_DOMAIN
password server = NT_PDC, NT_BDC_1, NT_BDC_2
security = domain
Of course, what has been said about the guest account and password encryption still applies here; in particular, security = domain only works with encrypt passwords = yes, since the PDC is handed the encrypted challenge/response and never a clear-text password.

About the values:

!!Samba tries each machine on the password server line in the order they appear. It stops at the first one that gives an answer, positive or negative. In other words, if the PDC answers that the user does not exist, Samba won't try the next server to see whether it would give a positive answer.

Once this configuration is done, you still need a Unix account for each user allowed to connect to the Samba machine. If no such mapping exists, Samba either uses the corresponding guest account to access files and directories, or runs the 'add user script' command (see below).
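To check a configuration like the one above before restarting Samba, here is an added example (my own code, not part of the original page nor of Samba) that parses the [global] section of an smb.conf and flags the domain-member settings discussed in this section: security = server versus domain, a missing password server list, encrypt passwords (required by security = domain), the default of allow trusted domains, and the order in which the password servers are tried. The sample configuration embedded in it is constructed for the demonstration, and the checks assume the Samba 2.0/2.2 defaults (encrypt passwords = no, allow trusted domains = yes).

```python
"""Lint the [global] section of an smb.conf for the domain-member settings.
Added example, not Samba code: smb.conf is parsed by hand because its keys
contain spaces and its values contain % macros."""
import re

# Constructed sample configuration (not from a real server): it uses the
# older security = server and omits encrypt passwords on purpose.
SAMPLE_SMB_CONF = """\
[global]
   netbios name = SAMBA
   workgroup = NT_DOMAIN
   password server = NT_PDC, NT_BDC_1, NT_BDC_2
   security = server
   ; encrypt passwords is deliberately missing
   add user script = /usr/sbin/useradd %u -g smbusers

[public]
   path = /srv/public
   guest ok = yes
"""


def parse_smb_conf(text):
    """Return {section: {key: value}}. Keys are lower-cased with spaces
    normalised, since Samba reads 'Password Server' and 'password server' alike."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        head = re.match(r"^\[(.+)\]$", line)
        if head:
            current = head.group(1).strip().lower()
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        key, _, value = line.partition("=")
        sections[current][" ".join(key.lower().split())] = value.strip()
    return sections


def is_yes(value, default):
    """Samba boolean: yes/true/1 are true; an absent parameter takes its default."""
    return default if value is None else value.lower() in ("yes", "true", "1")


def lint_domain_member(sections):
    """Return [(severity, message), ...] for the domain-member settings."""
    g = sections.get("global", {})
    findings = []
    security = g.get("security", "user").lower()
    servers = [s for s in re.split(r"[,\s]+", g.get("password server", "")) if s]

    if security == "server":
        findings.append(("warn", "security = server keeps a session open on the "
                         "password server per client and consumes a licence; "
                         "prefer security = domain (Samba 2.0.0 and later)"))
    if security in ("server", "domain") and not servers:
        findings.append(("error", "security = %s needs a password server list" % security))
    if security == "domain" and not is_yes(g.get("encrypt passwords"), False):
        findings.append(("error", "security = domain requires encrypt passwords = yes"))
    if security == "domain" and is_yes(g.get("allow trusted domains"), True):
        findings.append(("info", "allow trusted domains defaults to yes: users of every "
                         "domain trusted by %s can log on" % g.get("workgroup", "?")))
    if servers:
        findings.append(("info", "password servers are tried in order and the first "
                         "answer (positive or negative) wins: " + " -> ".join(servers)))
    if "add user script" in g and "%u" not in g["add user script"]:
        findings.append(("error", "add user script does not use the %u macro"))
    return findings


if __name__ == "__main__":
    for severity, message in lint_domain_member(parse_smb_conf(SAMPLE_SMB_CONF)):
        print("%-5s %s" % (severity, message))
```

Run it against your own file with parse_smb_conf(open("/usr/local/samba/lib/smb.conf").read()); a clean domain-member configuration produces only the informational line listing the password server order.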

Becoming a domain member
The first step takes place on the PDC. In Windows NT 4.0, you add your Samba server to the domain with the Server Manager for Domains tool.
!!ATTENTION: add it as an "NT server or workstation", not as an "NT backup domain controller".

It is also possible to have a Windows 2000 Server as the domain controller. In this case, use the tool called Active Directory Users and Computers: Start menu -> Programs -> Administrative Tools -> Active Directory Users and Computers.

!!Active Directory is not installed by default; you may need to install it first. Refer to the Windows 2000 documentation for this.

Once the program is running, in the left panel go to the node corresponding to your domain and, below it, select the Computers node. Then, in the Action menu, select New, then Computer. In the dialog, fill in the computer name with the name of your Samba server (the pre-Windows 2000 computer name field is filled in automatically). Select the option "Allow pre-Windows 2000 computers to use this account", click OK and exit the console.

!!Samba really works well with Windows 2000 only since version 2.0.7.

The second step takes place on the Samba server itself, whatever the version of the domain controller (NT 4.0 or 2000). First, stop the running Samba server (with SWAT or the Samba startup script). Then run the following command:

smbpasswd -j <NT_DOMAIN> -r <NT_PDC>
where you replace <NT_DOMAIN> with your domain name and <NT_PDC> with the NetBIOS name of the PDC. You should then see a message like "smbpasswd: Joined domain NT_DOMAIN".
The result of this operation is a newly created file in the /usr/local/samba/private directory (or wherever you installed Samba). This file is called <NT_DOMAIN name>.<Sambaname>.mac and contains the machine password that the PDC asks for each time Samba connects to it. This password is the credential of your server's machine account, so the file must be owned by root and readable by nobody else.
New since 2.2.0
With Samba 2.2.x, things are a little different:
    There is no need to create the machine account manually beforehand. The command to use is smbpasswd -j <domain> -r <PDC> -U <NT administrator>. You are prompted for the administrator password and the machine account is created automatically on the PDC. (Samba still needs to be stopped to do that.)
    The machine password is no longer stored in the *.mac file but in a file called secrets.tdb, the Trivial DataBase Samba now uses to store some important information. Protect this file as you would the *.mac file: it holds the machine account credential.
!!Once created, a machine password cannot be changed. So if you lose your *.mac file (Samba 2.0.x) or your secrets.tdb file (Samba 2.2.x), you need to recreate it: first delete the machine account on the PDC and re-add it in Server Manager for Domains, then run the smbpasswd -j NT_DOMAIN -r NT_PDC command again.

Once these steps have been followed, your Samba server is ready to operate. Create your shares as usual.

Allowing access to users of trusted domains (New since 2.0.4)
A new feature appeared with version 2.0.4 of Samba: the allow trusted domains global parameter. With it, you can either restrict access to the Samba server to the users defined on the PDC of the domain Samba is a member of, or also allow access to the users defined in the domains trusted by your PDC.

When you add the line allow trusted domains = yes (which is in fact the default) to the global section of smb.conf, the following happens:
Imagine that user1 is defined in domain DOMAIN1, that the Samba server is a member of domain DOMAIN2, and that DOMAIN1 is trusted by DOMAIN2. This means that user1, or any other user of DOMAIN1, can access resources in DOMAIN2 even without an account in DOMAIN2: this is the trust relationship principle of an NT domain. Because Samba is a resource in DOMAIN2, user1 can access it without being defined on the PDC of DOMAIN2. The only requirement is a Unix account called user1 on the Samba server.
!!The mapping is done on the user name alone: if DOMAIN1 and DOMAIN2 both have a user1, both end up on the same Unix account user1 with the same files. Review the user names of every trusted domain before leaving the default.
If the parameter allow trusted domains is set to no, then user1 has no access to the Samba server, even though DOMAIN1 is trusted by DOMAIN2.
 
The trust relationship
This is a schema of what happens on the network when user1, from Domain1, requests access to a share on the Samba server located in another domain. The trust relationship must at least go from Domain2 to Domain1 (Domain1 must be trusted by Domain2 for this to work).

Step (6) is performed only if allow trusted domains is set to yes.

Of course, (5), (6) and (7) depend on the answer in (4). If the password is correct, things go further.

Automatically adding Unix users
We've seen that a Unix user is needed for each Windows user allowed to log on to the Samba server. In a small organisation it's not a problem to add them by hand and to keep them in sync by hand too. In a large organisation these tasks are not always easy to perform manually, so Samba has two parameters to add and remove Unix users automatically.

These parameters are add user script and delete user script. Their value is the name of a program or script that takes a username as argument and creates (or deletes) the Unix account. In the value you type in, don't forget to use the macro %u to represent the Unix user.
This leads to something like this:

[global]
add user script = /usr/sbin/useradd %u -g smbusers
delete user script = /usr/sbin/userdel %u
Here we use the standard Unix useradd and userdel commands to add or remove the user. The -g flag gives the name of the primary Unix group of the newly created user. Note that Samba runs both scripts as root, with the user name it has just validated against the PDC, so keep the command line minimal.
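Because Samba runs the add user script as root with the name it received, it is worth being stricter than a bare useradd. The following added example (my own code, not from the page nor shipped with Samba) is a replacement for the useradd line above, referenced as add user script = /usr/local/sbin/samba-adduser %u (an assumed path). It accepts only names that look like safe lower-case Unix logins, passes the name to useradd as a plain argument after '--' so it can never be read as an option, and creates the account without a home directory and with /usr/sbin/nologin as shell (assumed path) so it is usable through Samba only. The smbusers group is the one from the configuration above, and the useradd flags are those of the Linux shadow-utils implementation.

```python
#!/usr/bin/env python3
"""Hardened 'add user script', referenced from smb.conf as
    add user script = /usr/local/sbin/samba-adduser %u
Added example, not shipped with Samba; the path above, the 'smbusers' group
and /usr/sbin/nologin are assumptions.  Samba runs this program as root with
the PDC-validated user name as its only argument."""
import re
import subprocess
import sys

# Lower-case portable login names only: no leading '-', no shell characters.
# (Loosen the pattern if your PDC hands Samba mixed-case names.)
SAFE_NAME = re.compile(r"^[a-z_][a-z0-9_.-]{0,31}$")
PRIMARY_GROUP = "smbusers"
NOLOGIN = "/usr/sbin/nologin"


def valid_username(name):
    """True only for names that can be read neither as an option nor as shell syntax."""
    return bool(SAFE_NAME.match(name))


def useradd_argv(name, group=PRIMARY_GROUP):
    """Build the useradd argv: no home directory, no login shell, and '--'
    before the name so it is never parsed as an option.  useradd without -p
    leaves the Unix password locked, so the account is usable through Samba only."""
    return ["/usr/sbin/useradd", "-g", group, "-s", NOLOGIN, "-M",
            "-c", "Samba domain user", "--", name]


def add_user(name, run=subprocess.run):
    """Create the account; return the exit status Samba will log (0 = success).
    'run' is injectable so the logic can be exercised without root."""
    if not valid_username(name):
        sys.stderr.write("samba-adduser: refusing to create %r\n" % name)
        return 2
    # argv list, not a string: the name is passed as data, no shell involved
    return run(useradd_argv(name), check=False).returncode


if __name__ == "__main__":
    sys.exit(add_user(sys.argv[1]) if len(sys.argv) == 2 else 1)
```

A matching delete user script would apply the same validation before calling userdel; with a rejected name the script exits non-zero, Samba logs the failure, and the user simply gets the guest account (or no access) instead of a shell-interpreted command line.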

Samba runs the 'add user script' command when a user connects, is authenticated by the PDC and has no corresponding Unix user id. The 'delete user script' command runs when a user connects to Samba, no longer exists on the PDC but still has a Unix account.

This keeps the list of Unix users in sync with the domain user list.

!!This applies to users who exist in the domain Samba belongs to, but also to any user defined in any domain trusted by that domain. (Of course, allow trusted domains must be set to yes for Unix accounts to be created for members of other domains.)
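The following added example (my own code, not Samba's) models in one place the decisions described in this section and in the sections on the password server list and on trusted domains: servers are tried in order and the first answer, positive or negative, ends the search; if none answers, the local password file is consulted instead; users from a trusted domain are admitted only when allow trusted domains is yes; a user without a Unix account gets either the add user script or the guest account; and a user the PDC no longer knows but who still has a Unix account triggers the delete user script. The domains, accounts and password servers are constructed in memory, the "scripts" only record what would run, and the trust check is folded into the model for clarity (in the real exchange it is the PDC of DOMAIN2 that forwards the request to DOMAIN1).

```python
"""Model of the decisions Samba makes for one connection in security = domain
mode.  Added example, not Samba code: everything below is constructed in
memory, and the 'scripts' only record what would have been run."""

MEMBER_DOMAIN = "DOMAIN2"                       # the domain Samba joined
TRUSTED_BY_MEMBER = {"DOMAIN1"}                # DOMAIN2 trusts DOMAIN1
UNIX_ACCOUNTS = {"user1", "user2", "olduser"}  # /etc/passwd on the Samba host
GUEST_ACCOUNT = "nobody"

# Constructed account databases of the two domains (user -> password).
DIRECTORY = {
    "DOMAIN2": {"user2": "pw2", "newuser": "pw3"},
    "DOMAIN1": {"user1": "pw1"},
}


def make_dc(alive=True):
    """A password server: answers 'ok', 'bad password' or 'no such user',
    or None when the machine does not answer at all."""
    def dc(domain, user, password):
        if not alive:
            return None
        users = DIRECTORY.get(domain, {})
        if user not in users:
            return "no such user"
        return "ok" if users[user] == password else "bad password"
    return dc


# password server = NT_PDC, NT_BDC_1, NT_BDC_2  (the PDC is down in this sample)
SERVERS = [("NT_PDC", make_dc(alive=False)), ("NT_BDC_1", make_dc()), ("NT_BDC_2", make_dc())]


def ask_password_servers(servers, domain, user, password):
    """Try the servers in order; the first one that answers at all ends the
    search, even when its answer is negative."""
    for name, server in servers:
        verdict = server(domain, user, password)
        if verdict is not None:
            return name, verdict
    return None, None


def decide(servers, domain, user, password, allow_trusted_domains=True,
           have_add_user_script=True, local_check=lambda u, p: "bad password"):
    """Return (outcome, unix_account_used, scripts_that_would_run)."""
    scripts = []
    # Trust check, folded into the model for clarity (assumption: in the real
    # exchange it is the PDC of DOMAIN2 that forwards the request to DOMAIN1).
    if domain != MEMBER_DOMAIN:
        if domain not in TRUSTED_BY_MEMBER:
            return "denied: %s is not trusted by %s" % (domain, MEMBER_DOMAIN), None, scripts
        if not allow_trusted_domains:
            return "denied: allow trusted domains = no", None, scripts
    who, verdict = ask_password_servers(servers, domain, user, password)
    if who is None:                      # nobody answered: fall back to user-level
        who, verdict = "local smbpasswd", local_check(user, password)
    if verdict == "no such user" and user in UNIX_ACCOUNTS:
        scripts.append("delete user script %s" % user)   # stale Unix account
    if verdict != "ok":
        return "denied by %s: %s" % (who, verdict), None, scripts
    if user in UNIX_ACCOUNTS:
        return "allowed by %s" % who, user, scripts
    if have_add_user_script:
        scripts.append("add user script %s" % user)
        return "allowed by %s" % who, user, scripts
    return "allowed by %s as guest" % who, GUEST_ACCOUNT, scripts


if __name__ == "__main__":
    for case in (("DOMAIN2", "user2", "pw2"), ("DOMAIN1", "user1", "pw1"),
                 ("DOMAIN2", "olduser", "x"), ("DOMAIN2", "newuser", "pw3")):
        print(case, "->", decide(SERVERS, *case))
```

Two cases are worth trying with your own values: a first server that answers "no such user" while a later one would have said yes (the user is still refused, and the delete user script fires if a Unix account exists), and a list where no server answers at all (the outcome then depends entirely on the local password file).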

New parameters review
This is the list of the parameters appearing for the first time in this document.

Parameter                             Description
------------------------------------  ------------------------------------------------------------------------
add user script = <program name>      Program run to create a Unix account when the connecting user has none.
delete user script = <program name>   Program run to delete the Unix account when the connecting user no longer exists on the PDC.
allow trusted domains = yes|no        Whether users of the trusted domains may access Samba resources. (Default = yes)
password server = <names>             A list of machines (PDC, BDC) used to authenticate users.

 
 

(c) May 2000, by Benoit Gerrienne