# Samba 3.6 as a Domain Controller



## adripillo (May 8, 2014)

Hello, I have installed another version of Samba, this time is Samba 3.6 and I want to use it as a domain controller. I added some users to test it but when I go to a computer with windows 7/XP it does not "see" or find the domain.
This is the output of my smb.conf :


```
[global]

# workgroup = NT-Domain-Name or Workgroup-Name, eg: MIDEARTH
   workgroup = MYDOMAIN

# server string is the equivalent of the NT Description field
   server string = Samba Server

# Security mode. Defines in which mode Samba will operate. Possible.
# values are share, user, server, domain and ads. Most people will want.
# user level security. See the Samba-HOWTO-Collection for details.
   security = share

# This option is important for security. It allows you to restrict
# connections to machines which are on your local network. The
# following example restricts access to two C class networks and
# the "loopback" interface. For more examples of the syntax see
# the smb.conf man page
;   hosts allow = 16.

# If you want to automatically load your printer list rather
# than setting them up individually then you'll need this
   load printers = yes

# you may wish to override the location of the printcap file
;   printcap name = /etc/printcap

# on SystemV system setting printcap name to lpstat should allow
# you to automatically obtain a printer list from the SystemV spool
# system
;   printcap name = lpstat

# It should not be necessary to specify the print system type unless
# it is non-standard. Currently supported print systems include:
# bsd, cups, sysv, plp, lprng, aix, hpux, qnx
;   printing = cups

# Uncomment this if you want a guest account, you must add this to /etc/passwd
# otherwise the user "nobody" is used
;  guest account = pcguest

# this tells Samba to use a separate log file for each machine
# that connects
  log file = /var/log/samba/log.%m

# Put a capping on the size of the log files (in Kb).
   max log size = 50

# Use password server option only with security = server
# The argument list may include:
#   password server = My_PDC_Name [My_BDC_Name] [My_Next_BDC_Name]
# or to auto-locate the domain controller/s
#   password server = *
;   password server = <NT-Server-Name>

# Use the realm option only with security = ads
# Specifies the Active Directory realm the host is part of
;   realm = MY_REALM

# Backend to store user information in. New installations should.
# use either tdbsam or ldapsam. smbpasswd is available for backwards.
# compatibility. tdbsam requires no further configuration.
;   passdb backend = tdbsam

# Using the following line enables you to customise your configuration
# on a per machine basis. The %m gets replaced with the netbios name
# of the machine that is connecting.
# Note: Consider carefully the location in the configuration file of
#       this line.  The included file is read at that point.
;   include = /usr/local/etc/smb.conf.%m

# Most people will find that this option gives better performance.
# See the chapter 'Samba performance issues' in the Samba HOWTO Collection
# and the manual pages for details.
# You may want to add the following on a Linux system:
;   socket options = SO_RCVBUF=8192 SO_SNDBUF=8192

# Configure Samba to use multiple interfaces
# If you have multiple network interfaces then you must list them
# here. See the man page for details.
;   interfaces = 16.1.16.16/32

# Browser Control Options:
# set local master to no if you don't want Samba to become a master
# browser on your network. Otherwise the normal election rules apply
;   local master = yes
# OS Level determines the precedence of this server in master browser
# elections. The default value should be reasonable
;   os level = 33

# Domain Master specifies Samba to be the Domain Master Browser. This
# allows Samba to collate browse lists between subnets. Don't use this
# if you already have a Windows NT domain controller doing this job
;   domain master = yes

# Preferred Master causes Samba to force a local browser election on startup
# and gives it a slightly higher chance of winning the election
;   preferred master = yes

# Enable this if you want Samba to be a domain logon server for.
# Windows95 workstations..
;   domain logons = yes

# if you enable domain logons then you may want a per-machine or
# per user logon script
# run a specific logon batch file per workstation (machine)
;   logon script = %m.bat
# run a specific logon batch file per username
;   logon script = %U.bat

# Where to store roving profiles (only for Win95 and WinNT)
#        %L substitutes for this servers netbios name, %U is username
#        You must uncomment the [Profiles] share below
;   logon path = \\%L\Profiles\%U

# Windows Internet Name Serving Support Section:
# WINS Support - Tells the NMBD component of Samba to enable it's WINS Server
;   wins support = yes

# WINS Server - Tells the NMBD components of Samba to be a WINS Client
#<----->Note: Samba can be either a WINS Server, or a WINS Client, but NOT both
;   wins server = w.x.y.z

# WINS Proxy - Tells Samba to answer name resolution queries on
# behalf of a non WINS capable client, for this to work there must be
# at least one<>WINS Server on the network. The default is NO.
7;   wins proxy = yes

# DNS Proxy - tells Samba whether or not to try to resolve NetBIOS names
# via DNS nslookups. The default is NO.
 via DNS nslookups. The default is NO.
   dns proxy = yes.

# Charset settings
;   display charset = koi8-r
;   unix charset = koi8-r
;   dos charset = cp866

# Use extended attributes to store file modes
;    store dos attributes = yes
;    map hidden = no
;    map system = no
;    map archive = no

# Use inherited ACLs for directories
;    nt acl support = yes
;    inherit acls = yes
;    map acl inherit = yes.

# These scripts are used on a domain controller or stand-alone.
# machine to add or delete corresponding unix accounts
;  add user script = /usr/sbin/useradd %u
;  add group script = /usr/sbin/groupadd %g
;  add machine script = /usr/sbin/adduser -n -g machines -c Machine -d /dev/null -s /bin/false %u
;  delete user script = /usr/sbin/userdel %u
;  delete user from group script = /usr/sbin/deluser %u %g
;  delete group script = /usr/sbin/groupdel %g
```


----------



## adripillo (May 8, 2014)

I could "fix" the problem. Now windows find the domain, but needed to add in the windows host file.
Now I am having the next problem when it ask me for user and password to log into the Domain it says "access deny". I added the user to the system and also to samba with

`#smbpasswd -a User`

Any idea of what its wrong? Thanks


----------



## adripillo (May 8, 2014)

Testing like this, seems it works.


```
# smbclient -U user -L localhost

Enter user's password: 
Domain=[MYDOMAIN] OS=[Unix] Server=[Samba 3.6.23]

	Sharename       Type      Comment
	---------       ----      -------
	homes           Disk      Home Directories
	tmp                Disk      Temporary file space
	Importante    Disk      cosas Importantes
	IPC$             IPC       IPC Service (Samba Server)
	user              Disk      Home Directories

Domain=[MYDOMAIN] OS=[Unix] Server=[Samba 3.6.23]

	Server               Comment
	---------            -------
	Domain239            Samba Server

	Workgroup            Master
	---------            -------
	MYDOMAIN
```

But from windows still says Deny.


----------



## ondra_knezour (May 8, 2014)

Did you try to use MYDOMAIN\User as username?

I am not sure if it may be related, but be advised that there are two types of the Windows domains - older one, the Windows NT domain and Active Directory domain, which was introduced in the Windows 2000 and both the Windows 7 and XP supports it. However, being a primary domain controller in the AD domain is not supported in the Samba 3.x series, you have to use Samba 4.x. 

Regarding your problem with Samba "visibility" on the network - there is probably something wrong with the network browsing, see http://www.samba.org/samba/docs/man/Sam ... wsing.html


----------



## adripillo (May 9, 2014)

ondra_knezour said:
			
		

> Did you try to use MYDOMAIN\User as username?
> 
> I am not sure if it may be related, but be advised that there are two types of the Windows domains - older one, the Windows NT domain and Active Directory domain, which was introduced in the Windows 2000 and both the Windows 7 and XP supports it. However, being a primary domain controller in the AD domain is not supported in the Samba 3.x series, you have to use Samba 4.x.
> 
> Regarding your problem with Samba "visibility" on the network - there is probably something wrong with the network browsing, see http://www.samba.org/samba/docs/man/Sam ... wsing.html



It is a older one. It needs Samba 3.6. I can access to the Domain by typing the IP of the domain and I can see the Folder that it is shared. But when I try to connect to that folder it says user deny.
Also if i want to change windows 7 / XP from group work to Domain, it seems it found the domain but when it ask for user and password to login, same problem: Deny.
I already added the user to the system and also to samba. I really do not know why it deny to login or to be part of my domian.


----------



## adripillo (May 9, 2014)

`# testparm
Load smb config files from /usr/local/etc/smb.conf
Processing section "[Importante]"
Loaded services file OK.
Server role: ROLE_DOMAIN_PDC
Press enter to see a dump of your service definitions

[global]
	workgroup = MYDOMAIN
	server string = Samba Server
	interfaces = 16.1.1.15/32
	log file = /var/log/samba/log.%m
	max log size = 100
	load printers = No
	domain logons = Yes
	os level = 33
	domain master = Yes
	wins proxy = Yes
	wins support = Yes
	idmap config * : backend = tdb
	hosts allow = 16.
	printable = Yes
	print ok = Yes

[Importante]
	comment = cosas Importantes
	path = /smb/importante
	valid users = adrian
	read only = No
	printable = No
	print ok = No`


----------



## adripillo (May 12, 2014)

Any idea is always welcome, thanks in advance


----------



## adripillo (May 12, 2014)

This is the log from a computer


`#cat /var/log/samba/log.160.1.1.187 

[2014/05/09 14:37:13.272753,  0] smbd/service.c:1055(make_connection_snum)
  canonicalize_connect_path failed for service Importante, path /smb/importante
[2014/05/09 14:37:37.821829,  0] rpc_server/netlogon/srv_netlog_nt.c:931(_netr_ServerAuthenticate3)
  _netr_ServerAuthenticate: no challenge sent to client Cont0012


# grep -i adrian /etc/passwd
adrian:*:1001:1001:adrian:/home/adrian:/bin/sh`


----------

