Howto set up Ubuntu Server as NT4-style Primary Domain Controller (PDC)

tested with ubuntu versions 10.04, 12.04, and 14.04

1. during install of ubuntu server, select the package "samba server".
2. edit /etc/samba/smb.conf like this:
   • Change workgroup to whatever name you want to use for your workgroup.
   • In Ubuntu 10.04 and 12.04 uncomment the line:
     domain logons = yes
     In Ubuntu 14.04 add that line, and change the value of "server role" from "standalone server" to "classic primary domain controller".
   • Uncomment these lines:
     logon script = logon.cmd
add machine script = /usr/sbin/useradd -g machines -c "%u machine account" -d /var/lib/samba -s /bin/false %u
   • If you want to use roaming profiles, also uncomment logon path, logon drive, and logon home.
     Otherwise insert the line

     logon path=

   • If you want your windows users to use the linux home directories uncomment everything in the section [homes]. This will map the drive (to the drive letter specified with logon drive or to Z:), and set the environment variables homedrive, homepath, and homeshare. You probably also want to change read only to no.
     Otherwise insert the line

     logon home=

   • uncomment the whole section [netlogon] and change the path in [netlogon] from /home/samba/netlogon to /srv/samba/netlogon, it should then look like this:
     [netlogon]
comment = Network Logon Service
path = /srv/samba/netlogon
guest ok = yes
read only = yes
3. issue these commands to set up the path and the groups

   mkdir -p /srv/samba/netlogon
   chmod 755 /srv/samba/netlogon
   touch /srv/samba/netlogon/logon.cmd
   chmod 755 /srv/samba/netlogon/logon.cmd
   addgroup machines
   addgroup smbadmin
   net groupmap add ntgroup="Domain Admins" unixgroup=smbadmin rid=512 type=d
   net groupmap add ntgroup="Domain Users"  unixgroup=users    rid=513 type=d
   net groupmap add ntgroup="Domain Guests" unixgroup=nobody   rid=514 type=d
   

   If the last command results in an error message like "Can't lookup UNIX group nobody", use the group 'nogroup' instead of 'nobody', or issue the command "addgroup nobody" and then try again (this does not happen in Ubuntu 10.04, but it does happen in 12.04 and 14.04).
4. restart samba:

   restart smbd
   restart nmbd
   

5. either allow root to use samba with the command

   smbpasswd -a root
   

   or create a new user and give him the required rights, e.g. userid admin:

   adduser admin --ingroup smbadmin --shell /bin/false --gecos ''
   smbpasswd -a admin
   net -U admin rpc rights grant "Domain Admins" \
          SeMachineAccountPrivilege SePrintOperatorPrivilege \
          SeAddUsersPrivilege SeDiskOperatorPrivilege \
          SeRemoteShutdownPrivilege
   

   Notes:
   • both adduser and smbpasswd ask twice for the password of root or admin, the net command asks once.
   • other privileges that you might want to grant are: SeTakeOwnershipPrivilege and SeRestorePrivilege.
   • to list all privileges, issue this command: net rpc rights list accounts -Uadmin
6. Now you can bring PCs with XP professional into the domain: login with local admin rights, enter the IP address of the PDC as wins-server (in network connections, tcp/ip properties), press window-pause, select computername, klick on change, select domain, enter the full name of the domain, klick ok. Use userid root if you allowed root, or use admin, or whatever userid you chose in the previous step.
7. create users, e.g.

   adduser --shell /bin/false --gecos '' newuser
   smbpasswd -a newuser
   

   (replace 'newuser' with the userid of the user that you want to create)
8. Now this user can log on using his domain password.
9. If you do not want the domain controller to offer printers, add this to smb.conf:
   load printers = no
show add printer wizard = no
disable spoolss = yes

Notes

• Windows 7 clients require two registry changes before they can become domain members:
  [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\LanmanWorkstation\Parameters]
"DomainCompatibilityMode"=dword:00000001
"DNSNameResolutionRequired"=dword:00000000
• Windows 7 clients can take very long to logon if you have roaming profiles disabled, unless you do one more registry change:
  [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System]
"WaitForNetwork"=dword:00000001
or use Group Policy to set Computer Configuration / Administrative Templates / System / User Profiles "Set maximum wait time for the network..." to 1.
• The default password restrictions are too weak, you should at least issue this command:
  pdbedit -P "min password length" -C 8
• I'm using this in the variant without roaming profiles. If the roaming profiles don't work, I cannot help.
• Some people say, you must use 'YOURDOMAIN\Domain Admins' and 'YOURDOMAIN\administrator', but for me it worked like documented above.
• Some people say that the 'add machine script' is incorrect in the sample config file, but for me it worked when I just uncommented it.
• If you are willing and able to correct the official ubuntu server guide by moving info from here to there, your are welcome to do so.
• Samba 4.1 of Ubuntu 14.04 requires the option "acl allow execute always = true", or you must set the x-bit on all executable files (affects COM & EXE, not BAT & CMD, but the easiest solution is to set it on all files).

ACls

• Samba can store the full NT-ACLs in the unix filesystem.
  This requires:
  • the samba options "vfs objects = acl_xattr" and "map acl inherit = true"
    (maybe also "store dos attributes=yes", "inherit acls = yes" and "inherit permissions = yes")
  • filesystem mount options acl and user_xattr (both default in ext4).
    If you use ZfsOnLinux version 0.63 or later, do "zfs set acltype=posixacl $pool" and "zfs set xattr=sa $pool".
    In OpenZFS 2.1 use "zfs set acltype=posix $pool" and "zfs set xattr=sa $pool".
• Using setfacl in Linux resets the NT-ACLs. Use either setfacl, or the permissions tab of Windows, but not both.
  If you copy files in Linux, make sure to include all attributes, and even the mode bits, otherwise the NT-ACLs will not be shown any more.
  The NT-ACLs are preserved in copies created with "cp -a" or "rsync -aAX".
• The NT-ACLs are stored in the extended attribute "security.NTACL". The command "getfattr -d $file" does not show it. Use instead "getfattr -d -m security.NTACL $file" or "getfattr -d -m - $file" to see really all attributes (the description of the option "-d" in the manpage of getfattr is wrong).
• transferring ACLs (and owner, group, and mode-bits) from original files to copies, which are lacking this info, can be done with:
  cd $src; getfacl -R -n . | (cd $dst; setfacl --restore=-)
  Similarly ATTRs (usually including ACLs, but not owner, group, or mode-bits) can be transferred with
  cd $src; getfattr -R -d -m - . | (cd $dst; setfattr --restore=-)

Bugs

• Ubuntu 14.04 shows the error message "no talloc stackframe at ../source3/param/loadparm.c:4864, leaking memory" on every login. This is a known bug. Workaround: "apt-get remove libpam-smbpass".
• The group that is mapped to rid=512 cannot be used in smb.conf in the option "valid users".