workgroup to whatever name you want to use for your workgroup.
domain logons = yes
server role from "standalone server" to "classic primary domain controller".
logon script = logon.cmd
add machine script = /usr/sbin/useradd -g machines -c "%u machine account" -d /var/lib/samba -s /bin/false %u
logon path, logon drive, and logon home.
logon path=
[homes].
This will map the drive (to the drive letter specified with logon drive or to Z:),
and set the environment variables homedrive, homepath, and homeshare.
You probably also want to change read only to no.
logon home=
[netlogon]
comment = Network Logon Service
path = /srv/samba/netlogon
guest ok = yes
read only = yes
mkdir -p /srv/samba/netlogon
chmod 755 /srv/samba/netlogon
touch /srv/samba/netlogon/logon.cmd
chmod 755 /srv/samba/netlogon/logon.cmd
addgroup machines
addgroup smbadmin
net groupmap add ntgroup="Domain Admins" unixgroup=smbadmin rid=512 type=d
net groupmap add ntgroup="Domain Users" unixgroup=users rid=513 type=d
net groupmap add ntgroup="Domain Guests" unixgroup=nobody rid=514 type=d
If the last command results in an error message like "Can't lookup UNIX group nobody", use the group 'nogroup' instead of 'nobody', or issue the command "addgroup nobody" and then try again (this does not happen in Ubuntu 10.04, but it does happen in 12.04 and 14.04).
restart smbd
restart nmbd
smbpasswd -a root
or create a new user and give him the required rights, e.g. userid admin:
adduser admin --ingroup smbadmin --shell /bin/false --gecos ''
smbpasswd -a admin
net -U admin rpc rights grant "Domain Admins" \
    SeMachineAccountPrivilege SePrintOperatorPrivilege \
    SeAddUsersPrivilege SeDiskOperatorPrivilege \
    SeRemoteShutdownPrivilege
Notes:
adduser --shell /bin/false --gecos '' newuser
smbpasswd -a newuser
(replace 'newuser' with the userid of the user that you want to create)
load printers = no
show add printer wizard = no
disable spoolss = yes
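To check an smb.conf against the settings described above (domain logons, the add machine script shell, and a read-only [netlogon] share), the following is an added example, not part of the original page or of Samba. The names parse_smb_conf and audit_pdc are hypothetical, the sample config is constructed from this page's settings, and line continuations and include files are not handled.

```python
import re

TRUE = {"yes", "true", "on", "1"}                 # boolean spellings Samba accepts
INVERTED = {"writable", "writeable", "writeok"}   # inverted synonyms of "read only"

def parse_smb_conf(text):
    """Return {section: {param: value}}; param names lowercased, whitespace removed."""
    conf, section = {}, None
    for line in map(str.strip, text.splitlines()):
        if not line or line[0] in "#;":           # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            section = conf.setdefault(line[1:-1].strip().lower(), {})
        elif "=" in line and section is not None:
            key, value = (part.strip() for part in line.split("=", 1))
            key = re.sub(r"\s+", "", key).lower()
            if key in INVERTED:                   # fold synonyms into "readonly"
                key, value = "readonly", "no" if value.lower() in TRUE else "yes"
            section[key] = value                  # a later setting overrides an earlier one
    return conf

def audit_pdc(text):
    """List deviations from the PDC settings described on this page."""
    conf, findings = parse_smb_conf(text), []
    glob, netlogon = conf.get("global", {}), conf.get("netlogon")
    if glob.get("domainlogons", "no").lower() not in TRUE:
        findings.append("global: domain logons is not enabled")
    script = glob.get("addmachinescript", "")
    if script and not re.search(r"-s\s+(/bin/false|/usr/sbin/nologin)\b", script):
        findings.append("global: machine accounts get a login shell")
    if netlogon is None:
        findings.append("netlogon: share is missing")
    elif netlogon.get("readonly", "yes").lower() not in TRUE:  # Samba default: read only
        guest = netlogon.get("guestok", "no").lower() in TRUE
        findings.append("netlogon: share is writable" + (" by guests" if guest else ""))
    return findings

# Constructed sample: the settings from this page, then a weakened [netlogon].
GOOD = """[global]
domain logons = yes
add machine script = /usr/sbin/useradd -g machines -c "%u machine account" -d /var/lib/samba -s /bin/false %u
[netlogon]
guest ok = yes
read only = yes
"""
WEAK = GOOD.replace("read only = yes", "writeable = Yes")

if __name__ == "__main__":
    print(audit_pdc(GOOD), audit_pdc(WEAK))
```

Samba's own "testparm -s" prints the configuration as the server parses it and is the authoritative check; this script only flags the page's settings.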
Notes
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\LanmanWorkstation\Parameters]
"DomainCompatibilityMode"=dword:00000001
"DNSNameResolutionRequired"=dword:00000000
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System]
"WaitForNetwork"=dword:00000001
or use Group Policy to set
Computer Configuration / Administrative Templates / System / User Profiles
"Set maximum wait time for the network..." to 1.
pdbedit -P "min password length" -C 8
'YOURDOMAIN\Domain Admins' and 'YOURDOMAIN\administrator',
but for me it worked like documented above.
'add machine script' is incorrect in the sample config file,
but for me it worked when I just uncommented it.
ACLs
"cp -a" or "rsync -aAX".
"getfattr -d $file" does not show it.
Use instead "getfattr -d -m security.NTACL $file" or "getfattr -d -m - $file" to see really all attributes (the description of the option "-d" in the manpage of getfattr is wrong).
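# copy POSIX ACLs; stop if either directory cannot be entered
cd "$src" && getfacl -R -n . | (cd "$dst" && setfacl --restore=-)
# copy all extended attributes (including security.NTACL)
cd "$src" && getfattr -R -d -m - . | (cd "$dst" && setfattr --restore=-)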
Bugs
"no talloc stackframe at ../source3/param/loadparm.c:4864, leaking memory" on every login.
This is a known bug.
Workaround: "apt-get remove libpam-smbpass".