Mac OS X Server 10.2.3 as a SAMBA Primary Domain Controller

Notice: None of the documentation or software provided on this site comes with any kind of warranty whatsoever. Nor, does it come with any kind of endorsement from my employer.

Contents

Introduction

Warning

Step 1: Initial Configuration

Configure Windows Services

Set up the share point

Open Directory Configuration

Step 2: smb.conf

Turn off Windows Services

Replace smb.conf

Turn on Windows Services

Step 3: Accounts

Root Account

General User Accounts

Computer Accounts

Step 4: Creating Directories

Netlogon Directory

User Directories

Step 5: Joining the Domain



Introduction


This document is an attempt to provide a thorough step by step guide to setting up a Primary Domain Controller for Windows 2000 using Mac OS X Server 10.2.3.

If you know what you are doing, you should be able to deviate from these instructions at many points to customize your configuration. If you don't know what you are doing, these instructions should work if you follow them with tedious accuracy.



A lot of this information I learned from the following web sites:

http://www.afp548.com/Articles/system/sambapdc.html

http://hr.uoregon.edu/davidrl/samba-pdc.html



Warning


These instructions are not guaranteed to work and may compromise the security or stability of your server.



Step 1: Initial Configuration


Steps 1 – 4 assume you are working on the Server itself. Many of the steps may be performed remotely, but are more easily described locally.

OS 10.2 Developer Tools need to be installed for some of the steps in this document. The Developer Tools CD should have come with the 10.2 server software. Install the Developer Tools before proceeding.

Your initial admin account password, which is also your root password, needs to be at least five characters in length. If it is shorter than that, I recommend reinstalling the server software.

If you can't reinstall the OS, you will need to change the admin password in “Workgroup Manager” found in /Applications/Utilities. You will also need to change the root password, for both the local and parent domains, in “NetInfo Manager” found in /Applications/Utilities. Besides being five or more characters in length, these two passwords need to be identical.

-Configure Windows Services

  1. Open “Server Settings” from /Applications/Utilities.

  2. Authenticate with your admin account.

  3. Select the “File & Print” tab.

  4. Click the “Windows” icon.

  5. Select “Configure Windows Services”

  6. Set your server name in the appropriate field.

  7. Set your new domain name in the “Workgroup” field. Note: [This domain must not currently have another domain controller.]

  8. Select “Start Windows Services on system startup”.

  9. Select the “Neighborhood” tab.

  10. Select “Enable WINS server”.

  11. Select both “Master Browser” and “Domain Master Browser”.

  12. Select the “Logging” tab.

  13. Recommended: Set “Detail Level” to at least “Minimal”.

  14. Save changes.



-Set up the share point.

  1. Open “Workgroup Manager” from /Applications/Utilities.

  2. Authenticate using your admin account.

  3. Select “Sharing” at the top left.

  4. Select “Users” under the “Share Points” tab. Note: [If Users isn't there, select it in the “All” tab in the root level of your hard drive.]

  5. Make sure “Share this item and its contents” is selected. Note: [By default the Owner is set to root and Group to wheel. Both of these have Read & Write permissions. Everyone is set to Read Only. These permissions can probably be changed. However, you need to make sure that the “Staff” group has at least “Read Only” permissions.]

  6. Select the “Protocols” tab.

  7. Select “Windows File Settings” in the drop-down menu.

  8. Select “Share this item using SMB”.

  9. The “Custom SMB name:” should be “Users”.

  10. “Default permissions for new files and folders” should be set as follows: Owner “Read & Write”, Group “Read Only”, Everyone “Read Only”. Note: [You will probably want to set this share point to work with other protocols such as AFP or NFS depending on other uses for it. For example: I have mine set to share via NFS and automount to my Macintosh clients in the Netinfo Domain. This allows my users to access their home folder whether they log on to a Mac or a PC. Such settings do not specifically pertain to setting up a PDC and shouldn't affect it.]

  11. Save changes.



-Open Directory Configuration

Open Directory needs to be set up as follows. You may have done this during the initial setup of your server. If so, you can skip to Step 2.

To set up Open Directory:

  1. Launch /Applications/Utilities/Open Directory Assistant

  2. Authenticate with an admin account.

  3. Set the server to use a permanent IP address and subnet.

  4. The server will – provide directory information to other computers.

  5. You don't need to enable LDAP.

  6. Password and authentication information will be – provided to other systems.

  7. Select SMB-NT and SMB-Lan Manager protocols. The others may be added as well.

  8. Restart when completed.



Step 2: smb.conf


-Make sure that Windows Services are turned off

  1. Open “Server Settings” from /Applications/Utilities.

  2. Click on the “File and Print” tab.

  3. Click on the Windows icon and make sure that it says “Start Windows Services” at the top. If it says “Stop Windows Services,” do so.



-Replace /private/etc/smb.conf with the following:

[global]
client code page = 437
coding system = utf8
guest account = unknown
encrypt passwords = YES
local master = YES
max smbd processes = 0
print command = /usr/sbin/PrintServiceAccess printps %p %s
lpq command = /usr/sbin/PrintServiceAccess jobs %p
lprm command = /usr/sbin/PrintServiceAccess remove %p %j
lppause command = /usr/sbin/PrintServiceAccess hold %p %j
lpresume command = /usr/sbin/PrintServiceAccess release %p %j
printer admin = unknown, @staff
server string = Mac OS X Server
log file = /Library/Logs/WindowsServices/WindowsFileService.log
netbios name = servername
workgroup = domainname
log level = 2
wins support = YES
domain master = YES
admin users = root
domain logons = YES
logon drive = H:
logon home = \\servername\Users\%u
os level = 99
preferred master = yes
security = user

[homes]
comment = User Home Directories
read only = no
create mode = 0600
directory mode = 0700
path = %H
valid users = @staff

[netlogon]
path = /etc/samba/netlogon

[Public]
path = /Shared Items/Public
public = NO
create mask = 0644
directory mask = 0755
read only = NO
comment = macosx

[Users]
path = /Users
public = NO
create mask = 0644
directory mask = 0755
read only = NO
comment = macosx

[Groups]
path = /Groups
public = NO
create mask = 0644
directory mask = 0755
read only = NO
comment = macosx

[PrintService]
path = /Library/Logs/PrintService
public = NO
create mask = 0644
directory mask = 0755
read only = NO
comment = macosx


  1. Copy the above text.

  2. Using “Project Builder” (located in /Developer/Applications) paste it (the above text) in a new “Empty File” named “smb.conf” in the root ( / ) directory.

  3. Change “servername”, located after “netbios name” in the [global] section to your server's name.

  4. Do the same to “servername” located after “logon home”.

  5. Change “domainname” located after “workgroup” to your new domain name.

  6. Save the file.

  7. Open “Terminal” located in /Applications/Utilities.

  8. Issue the following commands:

    1. “sudo mv /private/etc/smb.conf /private/etc/smb.default.bak” This will rename the default smb.conf file.

    2. “sudo mv /smb.conf /private/etc/smb.conf” This will move the file created above to the necessary location for it to be implemented by the SAMBA service.

    3. “sudo chown root /private/etc/smb.conf” Make root the owner of smb.conf.

    4. “sudo chgrp wheel /private/etc/smb.conf” Assign smb.conf to the group “wheel.”

    5. “sudo chflags uchg /private/etc/smb.conf” Set the immutable flag on the smb.conf file so that “Server Settings” can't reset it. Note: [If you ever need to make changes to smb.conf you will have to type: “sudo chflags nouchg /private/etc/smb.conf” to unset the immutable flag.]
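Steps 3 to 5 above (filling in “servername” and “domainname”) are easy to get wrong by hand, and a leftover placeholder only shows up later as clients failing to find the domain. The following shell script is an added example and is not part of the original guide: it renders the PDC-relevant part of the smb.conf above (the [global] and [homes] sections; the print and share sections are unchanged and omitted) with the two placeholders filled in, then checks that no placeholder survived and that the settings the domain-controller role depends on are present. The function names render_smb_conf, check_smb_conf and testparm_if_available are my own; the only tool it assumes beyond a POSIX shell is Samba's testparm, and that check is skipped when testparm is not installed.

```shell
#!/bin/sh
# Added example, not part of the original guide: fill in the "servername" and
# "domainname" placeholders of the guide's smb.conf from the command line and
# sanity-check the result before it replaces /private/etc/smb.conf.

# render_smb_conf SERVER DOMAIN OUTFILE
# SERVER and DOMAIN must not contain '/', '&' or '\', which sed would misread.
# The template is the PDC-relevant subset of the guide's file.
render_smb_conf() {
    server="$1"; domain="$2"; out="$3"
    cat <<'EOF' | sed -e "s/servername/$server/g" -e "s/domainname/$domain/g" > "$out"
[global]
guest account = unknown
encrypt passwords = YES
local master = YES
server string = Mac OS X Server
log file = /Library/Logs/WindowsServices/WindowsFileService.log
netbios name = servername
workgroup = domainname
log level = 2
wins support = YES
domain master = YES
admin users = root
domain logons = YES
logon drive = H:
logon home = \\servername\Users\%u
os level = 99
preferred master = yes
security = user

[homes]
comment = User Home Directories
read only = no
create mode = 0600
directory mode = 0700
path = %H
valid users = @staff
EOF
}

# check_smb_conf FILE
# Fails (return 1) if a placeholder is still present or if one of the settings
# the PDC role depends on is missing. Prints the first problem it finds.
check_smb_conf() {
    f="$1"
    if grep -Eq 'servername|domainname' "$f"; then
        echo "$f: placeholder still present, edit the file before installing it"
        return 1
    fi
    for want in 'security = user' 'encrypt passwords = YES' \
                'domain logons = YES' 'domain master = YES' 'wins support = YES'; do
        grep -Fxq "$want" "$f" || { echo "$f: missing '$want'"; return 1; }
    done
    return 0
}

# testparm_if_available FILE
# Asks Samba's own parser when it is installed; skipped (success) otherwise,
# because the machine running this check is not necessarily the server.
testparm_if_available() {
    command -v testparm >/dev/null 2>&1 || { echo "testparm not installed; skipped"; return 0; }
    testparm -s "$1" >/dev/null
}
```

Typical use is render_smb_conf myserver MYDOMAIN /tmp/smb.conf.new followed by check_smb_conf /tmp/smb.conf.new and testparm_if_available /tmp/smb.conf.new; only when both pass do you continue with the mv, chown, chgrp and chflags commands listed above. The substitution is global on purpose: the guide's file has “servername” in two places (netbios name and logon home) and they must agree.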



-Turn Windows Services back on

  1. Open “Server Settings” from /Applications/Utilities.

  2. Click on the “File and Print” tab.

  3. Click on the Windows icon and select “Start Windows Services” at the top.



Step 3: Accounts


-The root account

By default the root account has the same password as the primary admin account. The following instructions assume and require this to be true.

By default the root account's password is not stored in Password Server. It is best to keep it that way for security purposes. However, to add a client to the SAMBA PDC you need to use the root account, and to authenticate from a Windows computer you need to have a Password Server password.

The following is a work-around. What it does is to allow the root user to authenticate from a PC using the admin user's password. This is a security risk.

  1. Launch “/Applications/Utilities/Workgroup Manager”

  2. Authenticate as the admin user.

  3. Select the admin user.

  4. Click the “Advanced” tab.

  5. Make sure that under “User Password Type”, “Password Server” is selected. If it is not, run through “Open Directory Assistant” again.

  6. Launch “/Applications/Utilities/NetInfo Manager.”

  7. Authenticate as “root”. Note: [Click the lock at the bottom left of the window to authenticate.]

  8. Select users.

  9. Select your admin account under users.

  10. Copy the value of the “authentication_authority” property.

  11. Select root under users.

  12. Select “New Property” from the “Directory” menu.

  13. Replace “new_property” with “authentication_authority”.

  14. Paste the value copied in step 10 over “new_value”.

  15. Select “Save Changes” under the “Domain” menu.

  16. Click “Open Parent” in the tool bar.

  17. Repeat actions 7 – 15 above. Note: [The first time through sets the root account for the local domain. The second time sets the root account for the parent domain.]

  18. Open “/Applications/Utilities/Terminal”

  19. Type: “sudo smbpasswd -a root” to create your root SMB password. Note: [You will probably have to authenticate as root before it will let you set the password, then it will ask for the new password twice. Make sure to use the same password that you currently have for your root and admin accounts. If you get an error: “unable to open passdb database.”, redo this step. It shouldn't give an error the second time.]



-General User Accounts

Create regular users in the standard way with “/Applications/Utilities/Workgroup Manager” (Make sure to set the “User Password Type” as “Password Server” in the “Advanced” tab). For help with this see the “Admin_Guide” available at the following web site: http://docs.info.apple.com/article.html?artnum=122015

Note: [The user's home directory should be in the default directory (/Users), and the users need to be in the default group, 20 (staff).]

After the account is in Workgroup Manager you need to set it in the samba database as follows:

  1. Open “/Applications/Utilities/Terminal”

  2. Type “sudo smbpasswd -a username” where username is the user's short name. Note: [It may require you to authenticate with the root password before allowing you to enter the user's password.]

  3. Set the password the same as you did in “Workgroup Manager”.



-Computer Accounts

Create the computer accounts with “/Applications/Utilities/Workgroup Manager” in the same way as user accounts with the following exceptions:

  1. If you want to have the computer accounts organized separately from the user accounts, start them with something like “pc”.

  2. Add an s to the end of the short name. Note: [The short name and the computer's name must be identical with the exception of the s at the end of the short name]

  3. Make the characters in the short name all lower case.

  4. Set the “Login Shell” to “None” in the “Advanced” tab.

  5. Under the “Home” tab select “No Home”.

Samba requires a computer account to have a $ at the end. However, “Workgroup Manager” won't accept special characters. To correct this perform the following steps:

  1. Launch “/Applications/Utilities/NetInfo Manager.”

  2. Click “Open Parent” in the tool bar.

  3. Authenticate as “root”.

  4. Select users.

  5. Select the machine account that you created above.

  6. Edit the fields that have an s at the end of the short name (there are probably 3 of them). Change the s to a $.

  7. Select “Save Changes” under the “Domain” menu.

Now you need to add the account to the samba database as follows:

  1. Open “/Applications/Utilities/Terminal”

  2. Type “sudo smbpasswd -a -m computername” where computername is the short name without the $.

  3. Type “sudo smbpasswd computername$”

  4. Set the password the same as in “Workgroup Manager”.



Step 4: Creating Directories


-Netlogon Directory

We need to create a netlogon directory for authentication scripts and the like.

  1. Open “/Applications/Utilities/Terminal”

  2. Type: “sudo mkdir /etc/samba”

  3. Type: “sudo mkdir /etc/samba/netlogon”

  4. Type: “sudo chown -R root /etc/samba”

  5. Type: “sudo chgrp -R staff /etc/samba”

Note: [I haven't tested using scripts in this directory, but see no reason why they wouldn't work.]

-User Home Directories

Home directories are supposed to be created automatically when users log in to a Macintosh on the NetInfo domain. Since these users aren't necessarily going to be logging into a Mac at all, we need to create the home directory manually.

  1. Open “/Applications/Utilities/Terminal”

  2. Type: “sudo mkdir /Users/username” where username is the short name of a user created earlier.

  3. Type: “sudo mkdir /Users/username/profile”

  4. Type: “sudo chown -R username /Users/username”

  5. Type: “sudo chgrp -R staff /Users/username”

  6. Type: “sudo chmod 755 /Users/username”

  7. Type: “sudo chmod -R 700 /Users/username/profile”

Reboot the server now – just for good measure.
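The two directory procedures in this step (the netlogon directory and each user's home with its private profile folder) are the same handful of mkdir, chown, chgrp and chmod commands repeated per user, and the permission bits are what keep one user's roaming profile out of another user's reach. The script below is an added example and not part of the original guide: it wraps those commands in functions whose base paths are parameters, so they can be exercised against a scratch directory before being run as root against /etc/samba and /Users, and it adds a check that reports any home directory whose modes differ from the 755/700 layout above. The function names make_netlogon, make_home, check_home and mode_of are my own.

```shell
#!/bin/sh
# Added example, not part of the original guide: the Step 4 directory layout
# as reusable functions with a verification step. On the server, run as root
# with BASE=/etc/samba for the netlogon directory and BASE=/Users for homes.

# mode_of PATH: print the ten-character permission string, e.g. drwxr-xr-x
mode_of() {
    ls -ld "$1" | cut -c1-10
}

# make_netlogon BASE GROUP
# Creates BASE/netlogon (the guide's /etc/samba/netlogon) and gives the tree
# to GROUP. When run with sudo the directories are root-owned already, which
# is what the guide's "chown -R root" step achieves.
make_netlogon() {
    base="$1"; group="$2"
    mkdir -p "$base/netlogon"
    chgrp -R "$group" "$base"
}

# make_home BASE USER GROUP
# Creates BASE/USER with a USER/profile subfolder, owned by USER:GROUP.
# The home itself is 755 so that the [homes] share and other users can
# traverse it; the roaming profile is 700 so only its owner can read it.
make_home() {
    base="$1"; user="$2"; group="$3"
    home="$base/$user"
    mkdir -p "$home/profile"
    chown -R "$user" "$home"
    chgrp -R "$group" "$home"
    chmod 755 "$home"
    chmod -R 700 "$home/profile"
}

# check_home BASE USER
# Returns 1 and prints a line per problem when the modes differ from the
# guide's layout; useful after a bulk run or when a profile "vanishes".
check_home() {
    home="$1/$2"; status=0
    [ "$(mode_of "$home")" = "drwxr-xr-x" ] || { echo "$home: expected mode 755"; status=1; }
    [ "$(mode_of "$home/profile")" = "drwx------" ] || { echo "$home/profile: expected mode 700"; status=1; }
    return $status
}
```

A bulk run for the users created in Step 3 is a loop such as for u in alice bob; do make_home /Users "$u" staff && check_home /Users "$u"; done, executed with sudo. Because chown only succeeds for root (or for the file's current owner), the dry run against a scratch directory should pass your own user and primary group, which is what the verification above does.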



Step 5: Joining the Domain


These instructions are for Windows 2000. Perform these steps from the Windows 2000 client. Note: [The web sites mentioned at the beginning of this document can help you with other OSes.]

  1. Right click on “My Computer” and select “Properties”.

  2. Click the “Network Identification” tab.

  3. Click “Properties”

      Note: If the “Computer name” is different from the computername (without $) that you gave to smbpasswd in Step 3, you will need to change it and restart.

  4. Select “Domain”

  5. Enter the “Workgroup” name that you selected in Step 1 and your smb.conf file.

  6. When prompted for a user name with permission to join the domain you need to use the root account.



Congratulations, your PDC should be up and running.

If it isn't, you can email me at support@twomblys.com.