Originally posted by colby
Most of the Windows Domain stuff is done in your smb.conf. In the [global] section, add:
# make sure netbios knows who you are.
netbios name =
# this "fakes" the OS so that we can be a PDC to our clients
os level = 64
# you are the PDC!
preferred master = yes
# you are the local DC!
local master = yes
# you process logons!
domain logons = yes
# this is the path to user profiles
# if you do not want roaming profiles, leave this out
logon path = \\%N\profiles\%u
# drive to mount the user's home drive to... H is for Home
logon drive = H:
# this is the path to the user's home directory
logon home = \\%N\%u
# script to run when users log on (to mount their home dir, etc)
logon script = logon.cmd
# people who should have domain admin privs
domain admin group =
# since computers need to be added to your system to log users on
# to the domain, this makes it automatic.
add user script = /usr/sbin/useradd -d /dev/null -g 100 -s /bin/false -M %u
The workgroup setting is going to be the domain people connect to; change this accordingly.
You will need to add a netlogon directory that is accessible by a share in order for your domain to work correctly. Make sure this directory exists and is readable by all users. This is where you will put the script "logon.cmd" above.
[netlogon]
path = /usr/local/samba/lib/netlogon
writeable = no
write list = administrator
If you enabled roaming profiles above, you need to make that accessible by users too. You want to make sure that for each profile, the user can read/write it.
[profiles]
path = /usr/local/samba/ntprofile
writeable = yes
create mask = 0600
directory mask = 0700
For the home directories referenced above, you can use the default samba homes share (provided the users have a home on your system).
After you have made those changes, make sure the directories exist with the right permissions. Your logon.cmd could be empty, but if you reference it make sure it exists. When you're done, restart samba.
Make sure you use smbpasswd for users to make sure they can log on to samba "stuff". You may also need to do this for computer accounts if the auto add line above doesn't work. When you are adding computer accounts, don't forget the $ at the end, and they don't really need passwords (just hit enter).
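The post leaves the "make sure the directories exist with the right permissions" and "check your smb.conf" steps to the reader. The script below is an added example, not part of colby's post or of Samba itself: `check_pdc_conf` greps an smb.conf for the settings a Samba 3 PDC needs (the three master/logon keys set to yes and both the [netlogon] and [profiles] share sections), and `prepare_pdc_dirs` creates the share directories under a root you pass in, so it can be tried unprivileged in a temp directory before running it against the real paths. The directory modes (0755 for netlogon, 1777 with the sticky bit for profiles so users can create their own profile directory but not remove anyone else's), the share names and the sample smb.conf it writes are assumptions made for the demonstration.

```shell
#!/bin/sh
# Added example (not from the original post). Helpers for the Samba PDC setup:
#   check_pdc_conf FILE    - check an smb.conf for the settings a PDC needs
#   prepare_pdc_dirs ROOT  - create netlogon/profile dirs under ROOT
#   write_sample_conf FILE - write a constructed smb.conf for trying this out
# Share names, paths and directory modes are assumptions, not from the post.

# Print the 10-character mode string of a file or directory (portable: ls, not stat).
mode_of() {
    ls -ld "$1" | cut -c1-10
}

# Return 0 if FILE enables domain logons and master browsing and defines both
# shares the logon path/script depend on; otherwise report what is missing.
check_pdc_conf() {
    f="$1"
    rc=0
    for key in 'domain logons' 'preferred master' 'local master'; do
        if ! grep -Eiq "^[[:space:]]*$key[[:space:]]*=[[:space:]]*yes" "$f"; then
            echo "check_pdc_conf: missing or not 'yes': $key" >&2
            rc=1
        fi
    done
    for share in netlogon profiles; do
        if ! grep -Eiq "^[[:space:]]*\[$share\]" "$f"; then
            echo "check_pdc_conf: missing share section: [$share]" >&2
            rc=1
        fi
    done
    return $rc
}

# Create the directories behind [netlogon] and [profiles] below ROOT.
# netlogon: world-readable, root-writable (0755). profiles: world-writable with
# the sticky bit (1777) so each user can create a profile dir but cannot delete
# another user's. Both modes are assumptions. An empty logon.cmd is created if
# none exists, because smb.conf references it and a missing script is an error.
prepare_pdc_dirs() {
    root="$1"
    mkdir -p "$root/lib/netlogon" "$root/ntprofile" || return 1
    chmod 0755 "$root/lib/netlogon" || return 1
    chmod 1777 "$root/ntprofile" || return 1
    [ -f "$root/lib/netlogon/logon.cmd" ] || : > "$root/lib/netlogon/logon.cmd"
}

# Constructed smb.conf mirroring the settings from the post (EXAMPLE/PDC are
# placeholder names); quoted heredoc keeps the backslashes literal.
write_sample_conf() {
    cat > "$1" <<'EOF'
[global]
   workgroup = EXAMPLE
   netbios name = PDC
   os level = 64
   preferred master = yes
   local master = yes
   domain logons = yes
   logon path = \\%N\profiles\%u
   logon drive = H:
   logon home = \\%N\%u
   logon script = logon.cmd
   add user script = /usr/sbin/useradd -d /dev/null -g 100 -s /bin/false -M %u
[netlogon]
   path = /usr/local/samba/lib/netlogon
   writeable = no
   write list = administrator
[profiles]
   path = /usr/local/samba/ntprofile
   writeable = yes
   create mask = 0600
   directory mask = 0700
EOF
}

# Demonstration in a scratch directory: a good config passes, one with the
# [profiles] section stripped is rejected, and the share dirs get their modes.
demo=$(mktemp -d)
write_sample_conf "$demo/smb.conf"
check_pdc_conf "$demo/smb.conf" && echo "smb.conf: PDC settings present"
grep -v '^\[profiles\]' "$demo/smb.conf" > "$demo/broken.conf"
check_pdc_conf "$demo/broken.conf" || echo "broken.conf: rejected as expected"
prepare_pdc_dirs "$demo/samba" || echo "prepare_pdc_dirs failed"
echo "netlogon: $(mode_of "$demo/samba/lib/netlogon")  profiles: $(mode_of "$demo/samba/ntprofile")"
```

Run it against the real config with `check_pdc_conf /usr/local/samba/lib/smb.conf` before restarting samba; `prepare_pdc_dirs /usr/local/samba` (as root) creates the two directories referenced by the [netlogon] and [profiles] shares above. The check is a plain grep, so it catches a missing key or share but not a value Samba itself would reject; `testparm` remains the authoritative syntax check.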