Set up Ubuntu 10.04 samba server as PDC (Primary Domain Controller)

1. edit /etc/samba/smb.conf like this:
   • Change workgroup to whatever name you want to use for your workgroup.
   • Uncomment domain logons, logon script, and add machine script
   • If you want to use roaming profiles, also uncomment logon path, logon drive, and logon home.
     Otherwise insert the line

     logon path=

   • If you want your windows users to use the linux home directories uncomment everything in the section [homes]. This will map the drive (to the drive letter specified with logon drive or to Z:), and set the environment variables homedrive, homepath, and homeshare. You probably also want to change read only to no.
     Otherwise insert the line

     logon home=

   • uncomment everything in [netlogon] and change the path in [netlogon] from /home/samba/netlogon to /srv/samba/netlogon
2. issue these commands to set up the path and the groups

   mkdir -p /srv/samba/netlogon
   chmod 755 /srv/samba/netlogon
   touch /srv/samba/netlogon/logon.cmd
   addgroup machines
   addgroup smbadmin
   net groupmap add ntgroup="Domain Admins" unixgroup=smbadmin rid=512 type=d
   net groupmap add ntgroup="Domain Users"  unixgroup=users    rid=513 type=d
   net groupmap add ntgroup="Domain Guests" unixgroup=nobody   rid=514 type=d
   

3. restart samba:

   restart smbd
   restart nmbd
   

4. either allow root to use samba with the command

   smbpasswd -a root
   

   or create a domain administrator and give him the required rights, e.g. userid administrator:

   adduser administrator --ingroup smbadmin --shell /bin/false --gecos ''
   smbpasswd -a administrator
   net -U administrator rpc rights grant "Domain Admins" \
          SeMachineAccountPrivilege SePrintOperatorPrivilege \
          SeAddUsersPrivilege SeDiskOperatorPrivilege \
          SeRemoteShutdownPrivilege
   

   Note: both adduser and smbpasswd with ask twice for the root or administrator password, the net command asks once.
5. Now you can bring PCs with XP professional into the domain: login with local admin rights, press window-pause, select computername, klick on change, activate domain, enter the name of the domain, klick ok. Use userid root if you allowed root, or use administrator, or whatever userid you chose in the previous step.
6. create users, e.g.

   adduser --shell /bin/false --gecos '' newuser
   smbpasswd -a newuser
   

   (replace 'newuser' with the userid of the user that you want to create)
7. Now this user can log on using his domain password.

Notes

• I'm using this in the variant without roaming profiles. If the roaming profiles don't work, please don't ask me how to fix it.
• Some people say, you must use YOURDOMAIN\Domain Admins and YOURDOMAIN\administrator, but for me it worked like documented above.
• Some people say, the add machine script is incorrect in the sample config file, but for me it worked when I just uncommented it.
• The default password restrictions are too weak, you should at least issue this command:
  pdbedit -P "min password length" -C 8
• If you are willing and able to correct the official ubuntu server guide by moving stuff from here to there, your are welcome to do so.