Howto set up Ubuntu Server as NT4-style Primary Domain Controller (PDC)

tested with ubuntu versions 10.04, 12.04, and 14.04

  1. during install of ubuntu server, select the package "samba server".
  2. edit /etc/samba/smb.conf like this:
  3. issue these commands to set up the path and the groups
    mkdir -p /srv/samba/netlogon
    chmod 755 /srv/samba/netlogon
    touch /srv/samba/netlogon/logon.cmd
    chmod 755 /srv/samba/netlogon/logon.cmd
    addgroup machines
    addgroup smbadmin
    net groupmap add ntgroup="Domain Admins" unixgroup=smbadmin rid=512 type=d
    net groupmap add ntgroup="Domain Users"  unixgroup=users    rid=513 type=d
    net groupmap add ntgroup="Domain Guests" unixgroup=nobody   rid=514 type=d
    If the last command results in an error message like "Can't lookup UNIX group nobody", use the group 'nogroup' instead of 'nobody', or issue the command "addgroup nobody" and then try again (this does not happen in Ubuntu 10.04, but it does happen in 12.04 and 14.04).
  4. restart samba:
    restart smbd
    restart nmbd
  5. either allow root to use samba with the command
    smbpasswd -a root
    or create a new user and give him the required rights, e.g. userid admin:
    adduser admin --ingroup smbadmin --shell /bin/false --gecos ''
    smbpasswd -a admin
    net -U admin rpc rights grant "Domain Admins" \
           SeMachineAccountPrivilege SePrintOperatorPrivilege \
           SeAddUsersPrivilege SeDiskOperatorPrivilege \
  6. Now you can bring PCs with XP professional into the domain: login with local admin rights, enter the IP address of the PDC as wins-server (in network connections, tcp/ip properties), press window-pause, select computername, klick on change, select domain, enter the full name of the domain, klick ok. Use userid root if you allowed root, or use admin, or whatever userid you chose in the previous step.
  7. create users, e.g.
    adduser --shell /bin/false --gecos '' newuser
    smbpasswd -a newuser
    (replace 'newuser' with the userid of the user that you want to create)
  8. Now this user can log on using his domain password.
  9. If you do not want the domain controller to offer printers, add this to smb.conf:
    load printers = no
    show add printer wizard = no
    disable spoolss = yes