Server Configuration

This section is from this tutorial:

Setting up Samba as a PDC (Primary Domain Controller) on an Ubuntu 10.04 LTS server is pretty straightforward. This may seem like a long tutorial, but it should allow even a novice to set up a basic PDC.

This entire tutorial requires that you be logged on as root, or a healthy use of the sudo command. I prefer the former.


There must be a working Samba server installed (configured or not). Next, for this tutorial I’m going to use the following values (PLEASE, change to suit your own needs):

If there is not a working Samba server running:

tasksel install samba-server

or

apt-get install samba

should do the trick.

If you cannot ping your domain controller from your client you cannot join the domain.

Preliminary Testing

From your windows client in the command line try:

ping testgate

  Pinging testgate [] with 32 bytes of data:

  Reply from bytes=32 time<1ms TTL=64
  Reply from bytes=32 time<1ms TTL=64
  Reply from bytes=32 time<1ms TTL=64
  Reply from bytes=32 time<1ms TTL=64

  Ping statistics for
      Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
  Approximate round trip times in milli-seconds:
      Minimum = 0ms, Maximum = 0ms, Average = 0ms

ping testdomain.loc

  Pinging testdomain.loc [] with 32 bytes of data:

  Reply from bytes=32 time<1ms TTL=64
  Reply from bytes=32 time<1ms TTL=64
  Reply from bytes=32 time<1ms TTL=64
  Reply from bytes=32 time<1ms TTL=64

  Ping statistics for
      Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
  Approximate round trip times in milli-seconds:
      Minimum = 0ms, Maximum = 0ms, Average = 0ms

Try this; if it doesn’t work, fix it BEFORE moving on. By “not working” I mean: the two tests do not give you the same IP, or that IP is not the one of the server’s internal interface.

On to the PDC

Ensure that all things are functioning as expected:

Ping the server’s netbios name:

ping testgate
  PING testgate.testdomain.loc ( 56(84) bytes of data.
  64 bytes from testgate.testdomain.loc ( icmp_seq=1 ttl=64 time=0.022 ms
  64 bytes from testgate.testdomain.loc ( icmp_seq=2 ttl=64 time=0.025 ms
  64 bytes from testgate.testdomain.loc ( icmp_seq=3 ttl=64 time=0.027 ms
  64 bytes from testgate.testdomain.loc ( icmp_seq=4 ttl=64 time=0.028 ms

  --- testgate.testdomain.loc ping statistics ---
  4 packets transmitted, 4 received, 0% packet loss, time 2997ms
  rtt min/avg/max/mdev = 0.022/0.025/0.028/0.005 ms

Then try this:

nslookup testgate


  Name:           testgate.testdomain.loc

If that does not work, make sure that “hostname” gives you testgate, and that “dnsdomainname” gives you testdomain.loc. If they do not, change the hostname:

echo testgate > /etc/hostname; hostname testgate

Then change the `/etc/hosts` file to reflect the change, editing the line that starts with the server’s IP address so that it reads:

    testgate.testdomain.loc testgate

You may also want to configure your DNS server to offer testgate.testdomain.loc as on your local network.

Samba Configuration

Now for the samba server.

The configuration will be mostly default values (see List Default Samba Values, for instructions on how to list all the default values).

First save the old smb.conf file, and create a new one:

cd /etc/samba
mv smb.conf{,.dist}
touch smb.conf

Place the following in the smb.conf file:

[global]
domain logons = yes
domain master = yes
netbios name = testgate
workgroup = testdomain.loc
os level = 255
preferred master = yes
security = user
wins support = yes

[homes]
valid users = %S
read only = no
browseable = no
create mode = 0600
directory mode = 0700

The only interesting values in the above configuration are “netbios name” and “workgroup”.

  • “netbios name” should be the local hostname without the parent domain name, for example if the FQDN is testgate.testdomain.loc the “netbios name” should be testgate.
  • “workgroup” should be the parent domain name, for example if the FQDN is testgate.testdomain.loc then the “workgroup” should be testdomain.loc.

Save the file. Then restart the samba services:

service smbd restart
service nmbd restart

or

/etc/init.d/samba restart

We need to create a group for the samba users and another for the workstation (machine) accounts:

groupadd smbuser
groupadd workstation

Next we need to create a few users.

useradd -d /home/sean -g smbuser -s /bin/false -m sean
useradd -d /dev/null -g workstation -s /bin/false testdesktop$

Now we need to add the users to the samba database.

smbpasswd -a sean
smbpasswd -a root
smbpasswd -a -m testdesktop$

Notice that we added the client desktop both as a system user and to the samba database. This is very important: the computer will not be able to join the domain without its name in the samba database.

The $ is required at the end of the machine name, do not forget it.

Windows is NOT case sensitive but Linux is, so make sure that all user and machine names are typed EXACTLY the same, otherwise very strange things can happen.

Check the database like so:

pdbedit -Lv

There should be four users including a “nobody” user.

Take the time to check that all seems right, make sure that the domain is correct, etc…

You can also list just one user by:

pdbedit -v sean

If you would like to change your full name:

pdbedit -r -f "sean Shust" sean

Adding your domain user to the administrator group

Once you are finished and have joined the domain, when you reboot you may notice that the domain user has no privileges. This may be what you want, but if it isn’t, how do you give admin rights to a domain user?

Samba no longer allows you to change the Primary Group SID directly, it is now set dynamically from group mappings. By default all users receive an RID of the Domain Users Group which is 513, for the Domain Admins Group the RID needs to be 512. This is the final three digits in the Primary Group SID as in:

Primary Group SID:   S-#-#-##-#########-#########-##########-513

When you created the user for use within the domain, you added it to a group:

useradd -d /home/sean -g smbuser -s /bin/false -m sean

If this was the first user added to the system it likely received a UID of 1000, and smbuser also likely received a GID of 1000. You can check this with “id”:

id sean
  uid=1000(sean) gid=1000(smbuser) groups=1000(smbuser)

You could groupmap the GID of 1000(smbuser) to the admin group:

net groupmap add rid=512 ntgroup="Domain Admins" unixgroup=smbuser

But this would make any user id in the smbuser group an admin user. A better choice is to create a new “admin” group and add the appropriate users to it.

groupadd -g 2000 smbadmin

Then change the GID of the user:

usermod -g smbadmin sean

Confirm the change with:

groups sean

It should return “smbadmin”. Then groupmap the new GID to the windows admin group:

net groupmap add rid=512 ntgroup="Domain Admins" unixgroup=smbadmin

Then check that the Primary Group SID has changed:

pdbedit -v sean

Look for the line

Primary Group SID:   S-#-#-##-#########-#########-##########-512

and make sure the last three numbers are 512. If the last three numbers didn’t change, change the user to a different group and then change back:

usermod -g root sean
usermod -g smbadmin sean

Then check again…
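Checking the RIDs by eye in `pdbedit -v` output does not scale past a handful of accounts, so here is an added example (not part of the tutorial) that parses `pdbedit -Lv` output and reports accounts whose primary group is Domain Admins (RID 512) without being on the expected list, workstation trust accounts missing the trailing `$`, and non-root accounts carrying the Administrator RID 500. The sample output below is constructed with made-up SIDs; feed it real output with `pdbedit -Lv | python3 audit.py` style piping if you adapt it.

```python
import re

# Constructed sample of `pdbedit -Lv` output (made-up SIDs, not a real capture);
# only the fields this audit uses are kept.
SAMPLE = """\
---------------
Unix username:        sean
Account Flags:        [U          ]
User SID:             S-1-5-21-111-222-333-1000
Primary Group SID:    S-1-5-21-111-222-333-512
---------------
Unix username:        testdesktop$
Account Flags:        [W          ]
User SID:             S-1-5-21-111-222-333-1001
Primary Group SID:    S-1-5-21-111-222-333-513
---------------
Unix username:        bob
Account Flags:        [U          ]
User SID:             S-1-5-21-111-222-333-1002
Primary Group SID:    S-1-5-21-111-222-333-512
"""

DOMAIN_ADMINS_RID = 512   # well-known RIDs named in the tutorial
ADMINISTRATOR_RID = 500

def rid(sid):
    """Return the trailing relative identifier of a SID (513 for S-...-513)."""
    return int(sid.rsplit("-", 1)[1])

def parse_pdbedit(text):
    """Turn `pdbedit -Lv` output into one {field: value} dict per account."""
    accounts = []
    for block in re.split(r"^-{5,}$", text, flags=re.M):
        fields = dict(re.findall(r"^([^:\n]+):\s*(.*?)\s*$", block, flags=re.M))
        if "Unix username" in fields:
            accounts.append(fields)
    return accounts

def audit(accounts, expected_admins):
    """List accounts whose RIDs or naming differ from what was intended."""
    findings = []
    for acct in accounts:
        name = acct["Unix username"]
        if rid(acct["Primary Group SID"]) == DOMAIN_ADMINS_RID and name not in expected_admins:
            findings.append(f"{name}: primary group is Domain Admins (RID 512) but was not expected")
        if "W" in acct.get("Account Flags", "") and not name.endswith("$"):
            findings.append(f"{name}: workstation trust account without the trailing $")
        if rid(acct["User SID"]) == ADMINISTRATOR_RID and name != "root":
            findings.append(f"{name}: carries the Administrator user RID 500")
    return findings
```

Running `audit(parse_pdbedit(SAMPLE), {"sean"})` on the sample reports only bob, whose primary group was mapped to RID 512 without being intended.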

Make root The Domain Administrator

I’m not sure where this would be relevant, but, as a purely informative exercise, here is how you would make your root user the Domain Administrator:

pdbedit -r -U500 root

Check to see if the change took by issuing the following:

pdbedit -v root | grep "User SID:"

And check that the line ends with 500.


I’ve had a few issues with log ins and the like, and here are a few things you can try.

  • If you’ve successfully joined the domain but can’t seem to log into the client on the domain:
    Log into the client locally as an admin user and delete the user’s profile folder. PLEASE backup any data you need. In XP it would be under C:\Documents And Settings. Then on the Samba server delete the profile folder within the user’s home folder, /home/sean/profile in our examples. Then try logging in again.

  • If your database is all messed up, create a backup of it:

    mv /var/lib/samba/passdb.tdb{,.`date +%F`}

    and run

    dpkg-reconfigure samba

    accept the defaults.

  • You may have to re-add the root user, but all of the other required users should be added for you.
    This method will also require the deletion of the user folder on the client machine. Again, PLEASE backup any data you need.

Join Windows to the domain

Joining the domain is pretty similar on all Windows versions. If your Windows has UAC active, as is the default in Windows Vista, Windows 7 and Windows 8, you should first follow the steps in the section Windows with UAC active.

Windows with UAC active

If you have Windows UAC (User Account Control) active, you should disable this feature in order to add the client machine to the domain.

For that, you should import the file Win7_Samba3DomainMember.reg to the Windows Registry. You just have to extract and run the file. After that, you have to reboot to apply the new settings and then proceed with the previous steps.

Once done, you can re-enable UAC.


  1. Access to system properties

  2. Advanced system settings

  3. Computer name ➜ Change…

  4. Enter computer name: testdesktop
    Select Domain and enter the domain: testdomain.loc
    Press OK

  5. Enter the root user’s login credentials

  6. If everything went correctly, you should see a message like this.

If you reach this point, congratulations, you are done! Now you can enjoy your domain!