Setting up a Samba 3 primary domain controller and file/print/software deployment server, using Debian 3.1 Sarge

Contents

Introduction

This document describes how to setup a multi faceted server for Windows and Unix workstations using Samba 3 on a Debian GNU/Linux 3.1 'Sarge' server. The server provides a Windows NT 4 style primary domain controller (PDC), with roaming user profiles; file, print and software deployment server; WINS server. This is not an Active Directory style PDC.

Having a domain controller on a network allows you to define one set of user accounts. When turned on, Windows workstations present a login prompt allowing users to login to the domain with any of those user accounts at any machine.

Roaming user profiles provide the same Windows profile to users for each account whichever machine they login on. The Windows profile includes their or the system administrator's customisation of their Windows and applictions' environment, their desktop and Start Menu shortcuts, etcetera.

Users have access to a private Home directory and any number of directories shared between some or all other users.

Printers are setup once and available to all users.

For other Debian 3.1 Sarge server options see 'Server Setup with Debian 3.1 'Sarge''.

This guide does not provide an upgrade path from our Samba 2.2 domain controller on Debian 3.0 Woody document, available at http://thegoldenear.org/toolbox/unices/samba/samba-setup.html. This guide assumes you are installing from scratch.

Notable changes to this document

0.8.10 - 6 March 2008

0.8.8 - 4 March 2008

Some Samba 3 Theory

Domain administration users, rights, groups and relative identifiers

"When first installed, Microsoft Windows NT4/200x/XP are pre-configured with certain User, Group, and Alias entities. Each has a well-known Relative Identifier (RID). These must be preserved for continued integrity of operation. Samba must be provisioned with certain essential Domain Groups that require the appropriate RID value. When Samba-3 is configured to use tdbsam the essential Domain Groups are automatically created. It is the LDAP administrators' responsibility to create (provision) the default NT Groups." - 'Chapter 12. Group Mapping: MS Windows and UNIX - Advanced Configuration': http://www.samba.org/samba/docs/man/Samba3-HOWTO/groupmapping.html

"Be sure to map each [Windows] Domain Group to a UNIX system group. That is the only way to ensure that the group will be available for use as an NT Domain Group."

Well-Known Entity RID SID Our Unix Group Type domain/local/builtin Purpose Essential for Samba?
Domain Admins 512 S-1-5-<domain>-512 samba-domain-admins Group domain "A global group whose members are authorized to administer the domain. By default, the Domain Admins group is a member of the Administrators group on all computers that have joined a domain, including the domain controllers. Domain Admins is the default owner of any object that is created by any member of the group. Yes
Domain Users 513 S-1-5-<domain>-513 samba-domain-users Group domain "A global group that, by default, includes all user accounts in a domain. When you create a user account in a domain, it is added to this group by default." Yes
Domain Guests 514 S-1-5-<domain>-514 samba-domain-guests Group domain "A global group that, by default, has only one member, the domain's built-in Guest account." Yes
Builtin Print Operators 550 S-1-5-32-550 lpadmin Alias builtin manage printers and document queues; cannot add printers No

Delegate administrative privileges as necessary to either a normal user or to groups of users. By default, no privileges and rights are assigned. They must be created manually.

The smb.conf setting that relates to this is enable privileges = yes.

Available privileges

"The Samba Team is implementing only those privileges that are logical and useful in the UNIX/Linux environment. Many of the Windows 200X/XP privileges have no direct equivalence in UNIX." Samba has these privileges available for us to use:

SeAddUsersPrivilege
"This right determines whether or not smbd will allow the user to create new user or group accounts via such tools as net rpc user add or NT4 User Manager for Domains."

SeDiskOperatorPrivilege
"Accounts that possess this right will be able to execute scripts defined by the add/delete/change share command in smb.conf file as root. Such users will also be able to modify the ACL associated with file shares on the Samba server."

SeMachineAccountPrivilege
"This right controls whether or not the user can join client machines to a Samba-controlled domain."

SePrintOperatorPrivilege
"This privilege operates identically to the printer admin option in the smb.conf file (see section 5 man page for smb.conf) except that it is a global right (not on a per-printer basis). Eventually the smb.conf option will be deprecated and administrative rights to printers will be controlled exclusively by this right and the security descriptor associated with the printer object in the ntprinters.tdb file."

SeRemoteShutdownPrivilege
"Samba provides two hooks for shutting down or rebooting the server and for aborting a previously issued shutdown command. Since this is an operation normally limited by the operating system to the root user, an account must possess this right to be able to execute either of these hooks."

SeTakeOwnershipPrivilege
This right permits users to take ownership of files and directories.

Further Reading

The Official Samba-3 HOWTO and Reference Guide - Chapter 12. Group Mapping: MS Windows and UNIX: http://samba.org/samba/docs/man/Samba-HOWTO-Collection/groupmapping.html.

The Official Samba-3 HOWTO and Reference Guide - Chapter 13. Remote and Local Management: http://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/NetCommand.html#id2572033

The Official Samba-3 HOWTO and Reference Guide - Chapter 15. User Rights and Privileges: http://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/rights.html

Well-known security identifiers in Windows operating systems http://support.microsoft.com/kb/243330.

Creating user accounts

Samba 2.2's smbpasswd has been replaced by net, which is more efficient because it creates both the Samba and Unix accounts.

The syntax for creating a user account is this:
net rpc user add <username> -S <server hostname> -U <user to connect as>

The syntax for setting a password for the user account is this:
net rpc user password <username> "<password>" -U <user to connect as>

Note that the net command can be used from any Unix machine, not just from the Samba server console, by including the option -S <server name> (and presumably also from any Windows command-line with a slightly different syntax?)

WINS

Where NetBIOS over TCP/IP is enabled on the client, a WINS server is highly recommended to aid the resolution of NetBIOS (SMB) names to IP addresses. We make the Samba server the WINS server, through the use of the smb.conf settings wins support and name resolve order. You should only use this if this is the only WINS server; if there are Windows servers make one of them the WINS server instead.

WINS is the only means of name resolution for NetBIOS clients on different subnets.

On the client, you need to define the WINS server address and disable LMHOSTS in the TCP/IP properties section.

Disk Partitions

These partition sizes are for those sections that differ from our standard server partition sizes as described in our respective Debian server document.

Partition No. Partition type Size Mount point File system Usage
5 logical 5GB - 7GB /usr ext3 software packages for deployment, possibly Windows for deployment, Autopatchers, any Windows programs that run from the server. If you put things like Adobe CS there you may want even more space.
9 logical whatever is appropriate /home ext3 Windows and Unix user home directories, Windows user profiles

The Samba Domain Controller

Packages

Install them with this command: aptitude install samba samba-doc smbclient.

smb.conf

Replace the existing Samba configuration file /etc/samba/smb.conf with this:

#===============================================================
# smb.conf
# Samba 3.0.x configuration file for Primary Domain Controller (PDC)
# File, print and domain server running on Debian 3.1 Sarge.
# From http://thegoldenear.org/toolbox/unices/
# Licence: GNU General Public License version 3 or later

# Version: 0.6.4

#===============================================================


#===============================================================
# NOTE: After modifying this file run the command "testparm" to
# check you've not made any basic syntactic errors.
#===============================================================


#======================= Global Settings =======================

# Changelog

# 0.6.6 - 6 March 2008
# - Added 'write list = @<ORGANISATION>-staff' to [shared] (same as Unix permissions)
# - Removed [netlogon] 'writable = yes'. It was redundant because the default is 'read
# only = yes' and we override it for some people with 'write list = @samba-domain-admins'
# - Swapped [homes] 'writable = yes' for 'read only = no' which means the same thing
# 0.6.4 - 4-march-2008 - [windows-admin] removed, now requires adding separately
# 0.6.3 - 27-sept-2007 - commented out 'invalid users = root', which we recommended anyway, because we 
# haven't gotten the winadmin account to work fully instead
# 0.6.2 - 16-aug-2007 - Removed '-r' from 'delete user script' so when a user account is removed
# files in the user's home directory aren't deleted
# 0.6.1 - 22-july-2007 - removed '[install]' section for Unattended as it's redundant
# Changed 'server string' from 'Samba Primary Domain Controller' to 'Domain Controller'
# 0.6.0 - 16-feb-07 - added wins support = yes to massively speed up NetBIOS name resolution.
# Changed name resolve order from default of lmhosts host wins bcast to test of wins host bcast
# 0.5.5 - 7-nov-06 - changed samba-print-operators group to lpadmin;
# Replaced @samba-domain-admins in printing section with lpadmin. 


[global]

## Browsing/Identification ###

# Change this to the workgroup/NT-domain name your Samba server will part of
# (Note there's a maximum length to this, somewhere < 14)
   workgroup = <ORGANISATION>

# server string is the equivalent of the NT Description field
   server string = Domain Controller



# Windows Internet Name Serving (WINS) Support Section:

# This machine is the WINS server.
# If you want another machine to be the WINS server use 'wins server = <IP address>'.
wins support = yes

# This will prevent nmbd to search for NetBIOS names through DNS.
   dns proxy = no

# What naming service and in what order should we use to resolve host names
# to IP addresses
# 1. WINS
# 2. Unix's hosts (/etc/hosts), NIS (/etc/nsswitch.conf) or DNS (/etc/resolv.conf)
# 3. broadcast
name resolve order = wins host bcast

# Workstations will set their time by this server
# (by using a command such as net time \\server /set /yes)
time server = yes

#### Debugging/Accounting ####

# This tells Samba to use a separate log file for each machine
# that connects
   log file = /var/log/samba/log.%m

# Put a capping on the size of the log files (in Kb).
   max log size = 1000

# If you want Samba to only log through syslog then set the following
# parameter to 'yes'.
;   syslog only = no

# We want Samba to log a minimum amount of information to syslog. Everything
# should go to /var/log/samba/log.{smbd,nmbd} instead. If you want to log
# through syslog you should set the following parameter to something higher.
   syslog = 10

# Do something sensible when Samba crashes: mail the admin a backtrace
   panic action = /usr/share/samba/panic-action %d


####### Authentication #######

# Require a Unix account in this server for every user.
   security = user

# Provide logon scripts, home directories, etc as well as authentication
   domain logons = yes

# You may wish to use password encryption.  See the section on
# 'encrypt passwords' in the smb.conf(5) manpage before enabling.
   encrypt passwords = true

# If you are using encrypted passwords, Samba will need to know what
# password database type you are using.  
   passdb backend = tdbsam

# Adhere to the PAM's account and session restrictions
   obey pam restrictions = yes

# On some systems the default guest account "nobody" may not be able to print.
# Default is nobody
guest account = nobody

# Beware of this, you'll need a Domain Admin user other than root to create
# machine accounts when this is set to root. Debian defaults to using this.
# We haven't yet gotten it to work without so are disabling it for now.
#invalid users = root

# This boolean parameter controls whether Samba attempts to sync the Unix
# password with the SMB password when the encrypted SMB password in the
# passdb is changed.
   unix password sync = yes

# For Unix password sync (Debian-specific)
   passwd program = /usr/bin/passwd %u
   passwd chat = *Enter\snew\sUNIX\spassword:* %n\n *Retype\snew\sUNIX\spassword:* %n\n .

# This boolean controls whether PAM will be used for password changes
# when requested by an SMB client instead of the program listed in
# 'passwd program'. The default is 'no'.
   pam password change = yes


####### Scripts for interfacing with Unix #######

# To add a user
add user script = /usr/sbin/useradd -m "%u"

# To delete a user
delete user script = /usr/sbin/userdel "%u"

# To add a group, i.e. net rpc add group
add group script = /usr/sbin/groupadd "%g"

# To delete a group
delete group script = /usr/sbin/groupdel "%g"

# To add users to groups, i.e. net rpc group addmem
# (why don't we use useradd?)
add user to group script = /usr/sbin/usermod -G "%g" "%u"

# To delete a user grom a group
delete user from group script = /usr/bin/gpasswd -d "%u" "%g"
# Note usermod and gpasswd are in different directories

# A Windows User has a primary group in addition to the auxiliary groups.
# This script sets the primary group in the Unix user datbase when an administrator 
# sets the primary group from the Windows user manager or when fetching a SAM with 
# net rpc vampire.
set primary group script = /usr/sbin/usermod -g "%g" "%u"



########### For domain workstations ###################

# When adding a machine to the domain, this creates the necessary Unix machine account.
# This will require a corresponding Unix group called 'machines' creating.
# "This option is only required when using sam back-ends tied to the Unix uid method of RID calculation such as smbpasswd."
  add machine script = /usr/sbin/useradd -g machines -c "Samba Machine" -d /dev/null -s /bin/false '%u'

  logon drive = H:
  logon path = \\%L\profiles\%U
  logon script = netlogon.bat



######## File sharing ########

# Name mangling options
   preserve case = yes
   short preserve case = yes

############ Misc ############

# Support for the Windows privilege model. This model allows
# certain rights to be assigned to a user or group SID via either
# net rpc rights or one of the Windows user and group manager tools.
enable privileges = yes

# Using the following line enables you to customise your configuration
# on a per machine basis. The %m gets replaced with the netbios name
# of the machine that is connecting
;   include = /home/samba/etc/smb.conf.%m

# Most people will find that this option gives better performance.
# See smb.conf(5) and /usr/share/doc/samba-doc/htmldocs/speed.html
   socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192

# The following parameter is useful only if you have the linpopup package
# installed. The samba maintainer and the linpopup maintainer are
# working to ease installation and configuration of linpopup and samba.
;   message command = /bin/sh -c '/usr/bin/linpopup "%f" "%m" %s; rm %s' &

# Domain Master specifies Samba to be the Domain Master Browser.
  local master = yes
  domain master = auto ; When domain logons = Yes the default setting for this parameter is Yes
  preferred master = yes
  os level = 255


#======================= Share Definitions =======================

#------------ System disk shares ---------------
# Samba defaults to:
# read only = yes

[homes]
# 'logon drive' won't work without this section

# If you want to set the home directory somewhere other than the Unix home:
# path =

   volume = HOME
   comment = Home Directories
   read only = no

# Don't display a 'homes' share as well as the '%U' share
   browseable = no

# Only the owner can read/write their files. If you want to
# create files with group=rw permissions, set next parameter to 0775.
   create mask = 0700

# Only the owner can navigate into their directory. If you want to
# create dirs. with group=rw permissions, set next parameter to 0775.
   directory mask = 0700


[netlogon]
# The netlogon directory for Domain Logons
   comment = Network Logon Service
   path = /home/samba/netlogon
   guest ok = yes
   share modes = no
   browseable = no
   write list = @samba-domain-admins
   # if you want to use root with this setting then make sure you don't have 'invalid users = root'
   force create mode = 664 ; owner and group can read/write, others can read

[profiles]
   comment = Windows user profile directories
   path = /home/samba/profiles
   read only = no
   browseable = no
   create mask = 0600 ; rwx-xxx-xxx - only the user can read/write files
   directory mask = 0700 ; rwx-xxx-xxx - directories must be executable if they are to be navigated


#------------ Other disk shares ---------------

[programs]
# To install application programs to and keep utilities in
# Map P: to this if you need to use it.
   comment = Windows programs
   path = /usr/windows-programs
   read only = yes
   browseable = yes
   write list = @samba-domain-admins
   # if you want to use root with this setting then make sure you don't have 'invalid users = root'

[shared]
   comment = shared space for everyone
   path = /home/<ORGANISATION>/shared
   read only = no
   browseable = yes
   write list = @<ORGANISATION>-staff

   # Match Unix permissions set on files
   force create mode = 0660

   # Match Unix permissions set on the directory
   force directory mode = 2770

Change the following in smb.conf to suit your situation:

Restart Samba:
/etc/init.d/samba restart

Enable root access

Give root a Samba password:
smbpasswd -a root
(TODO: (are we sure this is necessary, that there isn't already one? does it instead just need enabling, with -e?)

Directories

Create a container for a few Samba things:
mkdir /home/samba
(TODO: what permissions should we set? it defaults to being owned by root.staff (rwxr-sr-x))

For Windows user profiles:
mkdir /home/samba/profiles
(TODO: what permissions should we set?)

For backups of Windows user profiles:
mkdir /home/samba/profiles-backup
(TODO: what permissions should we set?)

Machine Account

Add a group into which new machines are added:
addgroup machines

Rights, groups and relative identifiers

If you want, you could create a domain administrator account (i.e. make root the administrator) but you don't need to, instead we create domain administration groups. If you did want to you would do it this way:

Create Unix groups (you can't mirror the names used by Windows as we can't create groups with spaces in their names):
addgroup --gid 512 "samba-domain-admins"
addgroup --gid 513 "samba-domain-users"
addgroup --gid 514 "samba-domain-guests"

Map these groups to the respective Windows groups that already exist in this version of Samba:
net groupmap modify ntgroup="Domain Admins" unixgroup="samba-domain-admins" type=domain -U root
net groupmap modify ntgroup="Domain Users" unixgroup="samba-domain-users" type=domain -U root
net groupmap modify ntgroup="Domain Guests" unixgroup="samba-domain-guests" type=domain -U root
(TODO: should Domain Guests instead be unixgroup="nobody"?)

Assign appropriate privileges to these groups - we do so here only for Domain Admins, Print Operators are made in the printing section later:
net rpc rights grant "Domain Admins" \
SeMachineAccountPrivilege \
SePrintOperatorPrivilege \
SeAddUsersPrivilege \
SeRemoteShutdownPrivilege \
SeDiskOperatorPrivilege \
-U root

Create winadmin user account

Members of the group 'Domain Admins' are granted administrator privileges within the domain and on the workstation when they login to the domain from Windows.

The first account to add is our Windows administrative user 'winadmin':
net rpc user add winadmin -U root

Set winadmin's password:
net rpc user password winadmin "<password>" -U root

There is a bug where by accounts created with net rpc user add are disabled and need enabling, so do that:
smbpasswd -e winadmin

Samba will automatically create the Windows profile directory, setting the user whose profile directory it is the owner, and setting the group to users. However with our current smb.conf settings you don't have permission to save your profile there when you logout, so the smb.conf settings need to be changed to deal with this (however when you log in again it's ok.). For now we do this:

To add users to a Windows group we use the syntax 'net rpc group addmem "<Windows group>" <username>'. It uses the smb.conf setting add user to group script. Using this, make winadmin a Domain Administrator:
net rpc group addmem "Domain Admins" winadmin -U root

Henceforth you should in theory use the winadmin account, rather than the root account, but I haven't gotten this to work yet.

Create user accounts

Now create accounts for any users you have, using the following sequence of commands:
net rpc user add <username> -U root
net rpc user password <username> "<password>" -U root
smbpasswd -e <username>
mkdir /home/samba/profiles/<username>
chown <username> /home/samba/profiles/<username>

If they're to have access to shared files on S: (/home/samba/<organisation>/shared) add them to the organisation's group, otherwise they only have their home directory (H:):
adduser <username> <organisation>-staff

Reference: http://samba.org/samba/docs/man/Samba-HOWTO-Collection/NetCommand.html#sbeuseraddn

Note that if you choose to use the above to write a script to create accounts for your specific users (which is more efficient and less error prone), then to save manually entering the password each time, append commands that use '-U root' with '-U root%<password>' instead.

Organisational Groups and Sub-groups

Create an organisational group, i.e.:
addgroup <organisation>-staff

Create any required sub-groups, i.e.: addgroup <sub group name>

Shared directories

Create a container for shared directories for your specific organisation:
# mkdir /home/<organisation>

Create a shared directory for everyone within your specific organisation:
# mkdir /home/<organisation>/shared

Set the owner of this shared directory to winadmin so that they have access:
# chown winadmin /home/<organisation>/shared

Change the group membership of the directory to that of the organisational group:
# chgrp <organisation>-staff /home/<organisation>/shared

Change permissions so that owners and those in the same group can read, write and execute; new files and directories created within the shared directory inherit the group ownership from the containing directory (Corresponding smb.conf settings: force create mode = 0660 and force directory mode = 2770):
# chmod 2770 /home/<organisation>/shared

Create any required shared directories for any sub-groups:
# mkdir /home/<organisation>/<sub group>

Set the owner of any sub-group to that of the sub-group:
# chgrp <sub group> /home/<organisation>/<sub group>

(TODO: are there other permissions that need to be set for a sub-group directory? chmod 2770 /home/<organisation>/<sub group>?)

Windows Logon script

Logon Script Directory

Create directory:
# mkdir /home/samba/netlogon

Set permissions so that anyone can access the directory:
# chgrp samba-domain-admins /home/samba/netlogon
# chmod 2777 /home/samba/netlogon

Logon Script File

Here is an example logon script:

rem ###########################################
rem NETLOGON.BAT - Windows logon script
rem version 0.9.1
rem
rem remember this file needs DOS CR/LF to work
rem ###########################################
rem Change Log
rem 0.9.1
rem - fix for Windows XP creating desktop.ini files, especially the startup one
rem 0.9.0
rem - Commented out P: as it's useful but we don't currently use it
rem - removed creation of D:\winnt which was long ago deprecated
rem - remove creation of D:\mozilla as we nowadays use Firefox
rem - replaced creation of D:\nero with D:\infrarecorder
rem 0.8.0 - 5-Nov-2006
rem - changed 'file-server' to -'server'
rem - changed creation of temp partition directories for applications from 'E:' to 'D:' / '%TEMP%' - NOT SURE YET
rem - added Firefox temp directory
rem 0.7.1 07-July-2006 - removed 'audition'
rem 0.7.0 13-Dec-2003
rem  - added a new user TEMP location of e:\%username%\windows and e:\windows
rem  - changed 'cooledit' directory name to 'audition' to reflect that program's name change
rem  - removed creation of 'powerarchiver' directory as we use 7-Zip exclusively
rem 0.6.5 08-April-2003
rem  - renamed 'server' to 'file-server'
rem  - removed '/PERSISTANT:YES'
rem -------------------------------------------

rem net use P: \\server\programs
rem (only admins group can write there in our Samba configuration)

rem make mappings to shared areas, i.e.:
rem H: is made by smb.conf
net use S: \\server\shared

rem sync the workstation's time to that of the file-server
net time \\server /set /yes

rem make connections to any printer(s):
rem net use LPT1:

rem create temporary directories for %USERNAME% on TEMP partition
rem (remove any for applications not used on your system):
if not exist "D:\%username%" md "D:\%username%"
if not exist "D:\%username%\windows" md "D:\%username%\windows"
if not exist "D:\%username%\ie" md "D:\%username%\ie"
if not exist "D:\%username%\ie\Temporary Internet Files" md "D:\%username%\ie\Temporary Internet Files"
if not exist "D:\%username%\firefox" md "D:\%username%\firefox"
if not exist "D:\%username%\mozilla" md "D:\%username%\mozilla"
if not exist "D:\%username%\java" md "D:\%username%\java"
if not exist "D:\%username%\nero" md "D:\%username%\nero"
if not exist "D:\%username%\audacity" md "D:\%username%\audacity"

:: fix for Windows XP which is creating these files, especially the startup one
attrib +h "%USERPROFILE%\Start Menu\desktop.ini"
attrib +h "%USERPROFILE%\Start Menu\Programs\desktop.ini"
attrib +h "%USERPROFILE%\Start Menu\Programs\startup\desktop.ini"
attrib +h "%USERPROFILE%\Application Data\Microsoft\Internet Explorer\Quick Launch\desktop.ini"

Prepare it in one of two ways:

Windows Programs Installed On Server (if any)

Create directory:
mkdir /usr/windows-programs

Set permissions:
chgrp samba-domain-admins /usr/windows-programs
chmod 2775 /usr/windows-programs
(TODO: should this be set in smb.conf too?)

Actually Installing programs on the Server

TODO... but I never do this these days anyway...

Directly Copying Programs to the Server

TODO... but I never do this these days anyway...

References

The Official Samba-3 HOWTO and Reference Guide: http://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/;

Samba documentation site: http://wiki.samba.org/

This has some info on Windows XP's differences when joining a domain: http://www.wlug.org.nz/SambaAsPDC

Samba 3 release notes: http://www.samba.org/samba/history/samba-3.0.0.html

HOWTO implement Samba as your PDC: http://gentoo-wiki.com/HOWTO_Implement_Samba_as_your_PDC

For smb.conf settings see the man page (use man smb.conf) or http://samba.org/samba/docs/man/manpages-3/smb.conf.5.html.

Samba-3 by Example - Practical Exercises in Successful Samba Deployment - John H. Terpstra: http://us4.samba.org/samba/docs/man/Samba-Guide/

Windows Workstations and the Samba Domain Controller

Requirements

The Windows operating systems that will work in this environment are Windows 2000 Professional and Windows XP Professional. Windows XP Home, by design, will not join a domain. I don't have experience of it but I _suspect_ Windows Vista Business and Windows Vista Ultimate will work; Windows Vista Home Basic and Windows Vista Home Premium will not.

Client for Microsoft Networks.

NetBIOS over TCP/IP.

Disable LMHOSTS.

Set the WINS server address - this is most efficiently done by specifying the WINS server on your DHCP server so workstations get it automatically but otherwise you can set it manually
(Note that WINS requires the 'remote registry service' be running in order to function)

Add Machines to the Domain

You can do this during Windows installation. If instead you already have Windows installed, follow this procedure:

Login to the local machine as an administrative user.

Windows key + Pause/Break; or Start → Control Panel → System →
Network Identification → Properties → Member of → Domain - enter the domain name and choose 'OK'.

You should be prompted for a username and password with which to authenticate with the server. Enter the root username and password - Note: we would prefer to use the winadmin account for this but currently this isn't working.

Now you can login to the domain with user accounts you've already created. Windows will automatically create a user profile on the workstation and copy it to the server when you log out. This same profile is then available from any other machine loggingin to the domain.

Login

When you login from a workstation, Windows will automatically create the user profile for you.

Windows Configuration

Our TWEAK tool incorporates most of the following settings, and more worthwhile settings for Windows workstations.

Synchronised time. We want the time on workstations to be synchronised with time on the server. The net time \\server /set /yes in the logon script and the time server = yes in smb.conf facilitate this but Restricted / Limited users aren't allowed to change the time in Windows. To change permissions so that all authenticated users are allowed to change the time:
Control Panel → Administrative Tools → Local Security Policy → Local Policies → User Rights Assignment → Change the system time → double-click → Add → choose Authenticated Users → Add → OK → OK
(Note: does anyone know the corresponding registry setting?)

Remove the Recycle Bin from the desktop. In an environment where people save files on the server it leads people into a false sense of security to have a visible recycle bin because deleting a file from the server just deletes it. Windows doesn't copy deleted files across the network to the local recycle bin.
To remove the recycle bin, remove this registry entry:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\Namespace\{645FF040-5081-101B-9F08-00AA002F954E}

Log users off when their roaming profile fails:
Group Policy → Local Computer Policy → Computer Configuration → Administrative Templates → System → Logon → Log users off when their roaming profile fails
This is the corresponding registry setting:
HKLM\SOFTWARE\Policies\Microsoft\Windows\System\ProfileErrorAction = 00000001 (DWORD)

Domain Account Password Change

Users can change their domain account password through normal means on their Windows workstation, such as ctrl+alt+del → Change Password.

Mac OS X Workstations and the Samba Domain Controller

In theory Mac OS X workstations should be able to login to the domain. I know no more than that. Mac OS X includes Samba. The later the version of OS X you have the more likely this will work as the version of Samba included is constantly updated.

Printing

CUPS

Packages

CUPS Print Queues

Setup CUPS print queues as described in 'Server Setup with Debian GNU/Linux 3.1 'Sarge''

CUPS Permissions

If Samba runs on the same host as CUPS, you only need to allow localhost to print. If you want to run something like cupsaddsmb from a remote computer you'll need to set permissions accordingly in the <Location /printer> section of cupsd.conf. Similarly if Samba and CUPS run on different machines you'll need to make sure the Samba host gets access to printing on CUPS.

If you need to, setup CUPS sharing / serving as described in 'Server Setup with Debian 3.1 'Sarge''.

Samba

smb.conf

(We do not setup Samba for Raw CUPS printing support, where specific drivers for each printer are installed on each workstation and they print as though to a direct printer, to a raw queue; where CUPS does not try to convert documents, just sending them on in their raw, binary, form to the printer. This would require 'application/octet-stream' in /etc/cups/mime.types; 'application/octet-stream application/vnd.cups-raw 0 -' in /etc/cups/mime.convs; 'raw queue' and 'client driver' settings in smb.conf. We don't do this because instead we have simplified driver installation on clients; the risk of using buggy drivers in NT kernel mode compared with a very well tested stable PostScript driver; the ability to get statistics or apply quotas on printing.

This part goes in the [global] section of the Samba configuration file /etc/smb.conf:

########## Printing ##########

# Also see [printers], [print$] and any printer-specific shares further on

# If you want to automatically load your printer list rather
# than setting them up individually then you'll need this
   load printers = yes

# CUPS printing. CUPS should take over the print jobs for this share.
# See also the cupsaddsmb(8) manpage in the cupsys-client package.
# With 'printing' enabled, any (otherwise manually) set print command in smb.conf is ignored.
# ('printcap' is a synonym for 'printcap name')
   printing = cups
   printcap name = cups

# When using [print$], root is implicitly a 'printer admin', but you can
# also give this right to other users to add drivers and set printer properties
   printer admin = root, @lpadmin

This part goes at the bottom of the [global] section, before the [homes] section, of the Samba configuration file /etc/smb.conf:

#------------ Printer shares ---------------
[printers]
# Printing defaults for all printers unless they're specified explicitly
# Printing for authenticated users, not guests.
# If you want unauthenticated printing set 'guest ok = yes / public'
   comment = All Printers
   printable = yes
   writable = yes
   browseable = yes
   public = yes
   # public should probably be no

   # Incoming spool directory.
   # Print jobs go from here to spool directory of Unix print subsystem, i.e. /var/spool/cups.
   # This directory needs to be created.
   path = /var/spool/samba
   create mode = 666 ; this is liberal so anyone can print; may be better to tighten it and set a group on the directory

   printer admin = @lpadmin


[print$]
# Windows printer driver location.
# Windows clients look for this share name as a source of downloadable printer drivers.
   comment = Printer Drivers
   path = /var/lib/samba/printers
   # location of drivers; make sure it's writable by users in write list and read/executable by others.
   browseable = yes
   read only = yes
   guest ok = no
   # Allow remote administration of Windows print drivers.
   # For users to use cupsaddsmb, they need to be represented in this write list.
   write list = root, @lpadmin
   # if you want to use root with this setting then don't have 'invalid users = root' in [global]

Rights, groups, relative identifiers and domain administrators

Counter to the other Unix groups, where we create a new group with a corresponding name and group ID to the Windows group, for print operators we use the already existing and functionally corresponding Unix group lpadmin. This will additionally allow Print Operators to administer through the CUPS web interface.
Map the Windows builtin Print Operators group to the Unix lpadmin group:
net groupmap add ntgroup="Print Operators" unixgroup="lpadmin" sid="S-1-5-32-550" type=builtin -U winadmin

Assign appropriate privileges to the group:
net rpc rights grant lpadmin SePrintOperatorprivilege -U winadmin

Create print administrators

The syntax to add people to the group is:
net rpc group addmem "Print Operators" <username> -U winadmin

Add our Windows administrator account to the print operators group:
adduser winadmin lpadmin.
(When using net rpc group addmem "Print Operators" <username> -U winadmin people don't get added to the lpadmin Unix group and so can't use the CUPS web interface - can they use the Windows interface instead?)

Can we add a group of users to the Print Operators group? Unix doesn't support nested groups (a group being a member of another group); supposedly Samba supports nested groups if you have winbind and NSS winbind (libnss_winbind) installed. (Adduser and net rpc group addmem, without winbind installed, don't complain when you add one group to another). I don't yet see how you can add a group of users to the Print Operators group.

How do we additionally allow users to be able to use the CUPS web interface? Adding users to the Samba/Windows Print Operators group doesn't add them to the Unix lpadmin group. I presume the Print Operators group works when the user is using the Windows printer administration interface, where upon it maps through to lpadmin. Because of this if you want users to be able to use the CUPS web interface you need to additionally add them to the Unix lpadmin group (can this be automated?)

To additionally allow users to use the CUPS web interface:
adduser <username> lpadmin

Now add any other users you want to be able to administer printers through either Windows or the CUPS web interface, one-by-one.

Directories and Permissions

Create the Samba incoming print job directory:
mkdir /var/spool/samba

Set liberal permissions on the directory:
chmod 0777 /var/spool/samba
(we could set the group ID on this directory instead)
(corresponding smb.conf setting: [printers] create mode = 666)

Create the Windows printer driver directory (cupsaddsmb expects to find them here):
mkdir /usr/share/cups/drivers.

Set permissions on that directory such that it is readable by the user you're using cupsaddsmb with (probably a member of the Print Operators / lpadmin group):
chgrp lpadmin /usr/share/cups/drivers -R
chmod g+w /usr/share/cups/drivers -R

make sure the Windows driver directory (and below) is writable by the users specified by the smb.conf write list directive; (and readable and executable by all users, but this is the default):
chgrp lpadmin /var/lib/samba/printers -R
chmod g+w /var/lib/samba/printers -R

Windows Drivers

CUPS drivers for Windows

Go to the software section of the CUPS web site at http://www.cups.org/windows/software.php and download the source package. Extract these files from the package:

Copy the driver files there: cp cups6.inf cups6.ini cupsps6.dll cupsui6.dll /usr/share/cups/drivers

Adobe drivers for Windows

This is the PostScript driver. This is not the PPD file. We recommend those from Adobe because the Microsoft ones can be hard to find. Get the 'Adobe Universal PostScript Windows Driver Installer' from http://www.adobe.com/support/downloads/detail.jsp?ftpID=1500. There are downloads available for multiple spoken languages. At time of writing this is version 1.0.6. The English download is called winsteng.exe.
Extract it from the current directory to the temp directory with 7-zip (first, install the p7zip-full package): 7z x winsteng.exe -o/tmp/adobe-windows-postscript-drivers.

It includes many files for various versions of Windows, these are the files for Windows 2000 and XP:

You want to choose files from those marked '*'. We don't want all the files because some equivalents are instead drawn from the CUPS drivers for Windows. Note that the Windows 2000 and XP files are not identical, the DLL files differ, so we recommend using the Windows 2000 drivers so you can cope with clients with either operating system, because you can only choose one of these two sets of drivers and "NT5 drivers are always NT5.1 compatible (NT 5.1 drivers are very rarely NT5 compabtible, but they can be".

Copy the driver files there:
cd /tmp/adobe-windows-postscript-drivers/Win2000
cp PSCRIPT.NTF PSCRIPT.HLP PSCRIPT5.DLL PS5UI.DLL /usr/share/cups/drivers

cupsaddsmb needs the driver filenames to be lowercase, so convert them:
rename 'y/A-Z/a-z/' /usr/share/cups/drivers/*

CUPS drivers

PPD files for each non-PostScript printer

Make sure the PPD file is in the /usr/share/cups/model directory (not a sub-directory below there).

These you should have gotten when you configured CUPS earlier when following the document 'Server Setup with Debian 3.1 'Sarge''. If the PPD file isn't available in a Debian package then see if it can be download from http://linuxprinting.org/printer_list.cgi.

PPD files for each PostScript printer

Make sure the PPD file is in the /usr/share/cups/model directory (not a sub-directory below there).

These you should have gotten when you configured CUPS earlier when following the document 'Server Setup with Debian 3.1 'Sarge''. If the PPD file isn't available in a Debian package then see if it can be download from http://linuxprinting.org/printer_list.cgi and if not from there try the printer's manufacturer.

Enabling Windows drivers

Note: these instructions currently only cover Windows 2000/XP/2003 clients. It wouldn't take much to add printing support for Windows 95/98/Me by choosing additional driver files from Adobe (not Microsoft); also bear in mind the CUPS drivers themselves are not available for Windows 95/98/Me so the Adobe (not Microsoft) portion must be used in place of them.

Use cupsaddsmb to automate transferring PostScript driver files and each printer's PPD file from CUPS to Samba's [print$] share (from where Windows expects to find them when using Point'n'Print (Point'n'Print means automatic download from the server and installation on the workstation)) and configure Samba using 'rpcclient adddriver' and 'rpcclient setdriver'. cupsaddsmb requires security = user in the smb.conf [global] section.

Export a specific printer (in verbose mode so we can see if it failed at anything):
cupsaddsmb -U winadmin -v <printer>

Export all known printers (in verbose mode so we can see if it failed at anything): cupsaddsmb -U winadmin -v -a

Here's an example of cupsaddsmb in use:

server:/usr/share/cups/drivers# cupsaddsmb -v lamlash -U winadmin
Password for winadmin required to access localhost via SAMBA:
Running command: smbclient //localhost/print\$ -N -U'winadmin%winadmin' -c 'mkdir W32X86;\
put /var/spool/cups/tmp/454a0f9a251b7 W32X86/lamlash.ppd;put /usr/share/cups/drivers/ps5ui.dll W32X86/ps5ui.dll;\
put /usr/share/cups/drivers/pscript.hlp W32X86/pscript.hlp;put /usr/share/cups/drivers/pscript.ntf W32X86/pscript.ntf;\
put /usr/share/cups/drivers/pscript5.dll W32X86/pscript5.dll'
Domain=[ORGANISATION] OS=[Unix] Server=[Samba 3.0.14a-Debian]
NT_STATUS_OBJECT_NAME_COLLISION making remote directory \W32X86
putting file /var/spool/cups/tmp/454a0f9a251b7 as \W32X86/lamlash.ppd (946.0 kb/s) (average 946.0 kb/s)
putting file /usr/share/cups/drivers/ps5ui.dll as \W32X86/ps5ui.dll (2540.0 kb/s) (average 1956.8 kb/s)
putting file /usr/share/cups/drivers/pscript.hlp as \W32X86/pscript.hlp (541.4 kb/s) (average 1441.1 kb/s)
putting file /usr/share/cups/drivers/pscript.ntf as \W32X86/pscript.ntf (1402.3 kb/s) (average 1409.6 kb/s)
putting file /usr/share/cups/drivers/pscript5.dll as \W32X86/pscript5.dll (1259.1 kb/s) (average 1357.1 kb/s)

Running command: rpcclient localhost -N -U'winadmin%winadmin' -c 'adddriver "Windows NT x86" \
"lamlash:pscript5.dll:lamlash.ppd:ps5ui.dll:pscript.hlp:NULL:RAW:pscript.ntf"'
Printer Driver lamlash successfully installed.

Running command: rpcclient localhost -N -U'winadmin%winadmin' -c 'setdriver lamlash lamlash'
Succesfully set lamlash to driver lamlash.

References

Chapter 22 of The Official Samba-3 HOWTO and Reference Guide, CUPS Printing Support - Advanced Configuration, describes in detail every aspect of CUPS support in Samba and how it works that you will likely want to know, in a very readable manner that enables you to have a complete understanding of the topic from a system administrator's standpoint: http://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/CUPS-printing.html#id2645046

Windows and the Print Server

Windows printer driver settings

Configure PostScript drivers as administrator before users add the printer for themselves.

Note: don't get the following menu options confused with the per-user settings in Start → Settings → Printers → right-click on the printer → Printing Preferences or Start → Settings → Printers → right-click on the printer → Properties → General → Printing Preferences.

Start → Settings → Printers → right-click on the printer → Properties → Advanced →

Users already connected to the printer may need their own comparitive settings changing in ?.

From http://samba.org/samba/docs/man/Samba-HOWTO-Collection/CUPS-printing.html#cups-avoidps1.

Windows software deployment

Windows Administration Area

Respective smb.conf settings. You need to add these at the bottom of smb.conf:

[windows-admin]
   comment = Windows package deployment
   path = /usr/windows-admin
   read only = yes
   browseable = yes
   write list = @samba-domain-admins
   # if you want to use root with this setting then make sure you don't have 'invalid users = root'
   force create mode = 0660 # New files created here are forced to have these permissions
   force directory mode = 2770 # New directories created here are forced to have these permissions

Restart Samba:
/etc/init.d/samba restart

Create a directory for software deployment tools:
mkdir /usr/windows-admin

Make the directory a member of the group samba-domain-admins / Windows Domain Admins, rather than root:
chgrp samba-domain-admins /usr/windows-admin

Allow the directory to be writable by any members of the same group, rather than only readable:
chmod g+w /usr/windows-admin

When new files are created here we want them to be forced to be a member of the samba-domain-admins / Windows Domain Admins group:
chmod g+s /usr/windows-admin

Make a directory for administration tools
mkdir /usr/windows-admin/tools

Allow the directory to be writable by any members of the same group, rather than only readable:
chmod g+w /usr/windows-admin/tools

WPKG - Windows Package Management

http://wpkg.org

Create a directory for WPKG:
mkdir /usr/windows-admin/wpkg

Create a directory for WPKG packages:
mkdir /usr/windows-admin/wpkg/packages

Create a directory for tools to use with WPKG package management:
mkdir /usr/windows-admin/wpkg/tools
We keep things in here such as unzip.exe which is used when installing Firefox and Thunderbird extensions

Allow these directories to be writable by any members of the same group, rather than only readable:
chmod g+w /usr/windows-admin/wpkg -R
(If you'd created these directories by connecting through Samba this would have already been the case but we're connecting here through the usual Unix channel)

Maintenance

"All persistent tdb files should be regularly backed up. Use the tdbbackup utility to backup the tdb files. All persistent tdb files must be preserved during machine migrations, updates and upgrades."

Troubleshooting

Techniques for troubleshooting Samba permissions issues: 'Debugging Samba: Deciphering Access Denied by Jack Loftus' - http://searchenterpriselinux.techtarget.com/tip/0,289483,sid39_gci1270003,00.html

Check you haven't made any basic syntactic errors in smb.conf: testparm.

Show open ports and whether they listen on just localhost or for remote connections: netstat -l -t -p

Users

List users: net rpc user (optionally giving user to connect as)

Info on a particular user: net rpc user info <name>

List a user's properties: pdbedit -c -u <username>

List users in a particular group, for example Domain Admins: net rpc group members "Domain Admins" -U <user to connect as>

List all users, including machine accounts, giving extended information: pdbedit -Lv

List users in domain: wbinfo -u

List groups in domain: wbinfo -g

Test whether a particular user can connect to a Samba share: smbclient \\\\server\\shared -U <username>

Delete a user account: net rpc user delete <username>

If someone cannot access a shared directory, check they're in the correct Unix group, i.e. <organisation>-staff, with cat /etc/group

Groups

List current group map: net groupmap list.

To delete a group mapping:
net groupmap delete ntgroup="<Windows group name>" -U winadmin.
If you mistakenly have more than one with the same name but different SIDs then you instead use:
net groupmap delete sid="<SID>" -U winadmin

Logging

tail -f /var/log/samba/log.<machine name>

tail -f /var/log/syslog

Miscellaneous

"Check if Samba 'sees' the printer

This way:
# rpcclient transmeta -N -U'root%xxxx' -c 'enumprinters 0'|grep ir85wm

Or this way:
# rpcclient transmeta -N -U'root%secret' -c 'getprinter ir85wm'
cmd = getprinter ir85wm
flags:[0x800000]
name:[\\transmeta\ir85wm]
description:[\\transmeta\ir85wm,ir85wm,DPD]
comment:[CUPS PostScript-Treiber for Windows NT/200x/XP]"

Gotchas

Beware what gets into the part of your Windows user profile that is transferred across the network each time you login and logout. For example:

Bugs in this Document

Can't create Print Operators with net command

It takes a couple of minutes before a new Samba user account becomes usable, before then it is claimed it is disabled.
When use 'smbclient \\\\server\\shared -U pete' it says "session setup failed: NT_STATUS_ACCOUNT_DISABLED"
when try to login on workstation it says "Your account has been disabled. Please see your system administrator."

Winadmin can't join a machine to the domain.

We'd rather use the winadmin account for all admin but haven't yet gotten that working. However smbpasswd -e <username> won't work unless you're root because you can't specify other users to run smbpasswd with '-U winadmin' or use it for this kind of operation unless you're root.

We should only disable smb.conf's invalid users = root temporarily to allow us to use the root account to setup the system. Then restart Samba. Turning this back off when you're done.

Bugs in Upstream Packages

http://www.samba.org/samba/docs/man/Samba3-HOWTO/NetCommand.html implies you can create Unix accounts with spaces which you can't:

	"The following demonstrates that	the POSIX (UNIX/Linux system account) group has been created by calling the 
	add group script = /opt/IDEALX/sbin/smbldap-groupadd -p "%g" interface script:

	root#  getent group
	...
	Domain Admins:x:512:root"

/usr/share/doc/samba-doc/htmldocs/speed.html is referenced but there's no such document atall

smb.conf uses passwd chat and passwd program but I replaced that with pam passwd change = yes to get passwd syncing working

There's no mention in the net man page of net rpc group addmem | delmem

The cupsaddsmb man page (http://cups.org/doc-1.2/man-cupsaddsmb.html) needs to mention this too. You need to include a step before "Once you have extracted the driver files" to say to use p7zip.

(I don't know how to convert to lowercase when using p7zip, as one would use the -L switch with unzip).

bug: what is this on about?: http://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/CUPS-printing.html#id2645046 Recognizing Different Driver Files
Note
If both the Adobe driver files and the CUPS driver files for the support of Windows NT/200x/XP are presently installed on the server, the Adobe files will be ignored and the CUPS files will be used. If you prefer for whatever reason to use Adobe-only drivers, move away the three CUPS driver files. The Windows 9x/Me clients use the Adobe drivers in any case.

Bug: cupsaddsmb man page in Debian doesn't say if using CUPS driver you still need to get MS drivers and that these need to be gotten from an MS system. The online man page from CUPS does: http://www.cups.org/doc-1.2/man-cupsaddsmb.html.

CUPS should say which Adobe drivers to use if you have both 2000 and XP clients

CUPS Bugs Reported

bug STR #2038: The cupsaddsmb man page (http://cups.org/doc-1.2/man-cupsaddsmb.html) says "The base driver for Windows 2000 and higher is the Microsoft PostScript driver, which is available on any system running Windows 2000 or higher in the %WINDOWS%\SYSTEM32\SPOOL\DRIVERS\W32X86\3 folder." The "%WINDOWS%" location doesn't exist on any version of Windows that I know of. What you mean is %WINDIR%.

bug STR #2039: The cupsaddsmb man page (http://cups.org/doc-1.2/man-cupsaddsmb.html) says "The base driver for Windows 2000 and higher is the Microsoft PostScript driver, which is available on any system running Windows 2000 or higher in the %WINDOWS%\SYSTEM32\SPOOL\DRIVERS\W32X86\3 folder." This directory is empty on Windows XP. If you try to install them using the add printer drivers dialog, there appears to be no such driver available.

bug STR #2040: Trying to download CUPS drivers for Windows, you're presented with a page with options for 'Source Code', and 'Binaries'. The CUPS drivers are mixed up in the source code downloads and the binaries section says see the source code for the binaries. It would be a lot easier to follow if the binaries section had a download package for just the binary drivers.

bug STR #2041: The CUPS drivers for Windows described in the cupsaddsmb man page are cups6.inf, cups6.ini, cupsps6.dll and cupsui6.dll. However the CUPS drivers for Windows include cups6.ppd, for which there's no mention. [(maybe it's the "the "cups" device (essential to print to non-PS printers from CUPS)]

bug STR #2042: include Adobe driver for Windows 2000 and XP. The cupsaddsmb man page (http://cups.org/doc-1.2/man-cupsaddsmb.html) says "However, currently only Windows 2000 and higher is supported by the Microsoft driver, so you will also need to get the Adobe driver to support Windows 95, 98, and Me clients. The Adobe and Microsoft drivers for Windows 2000 are identical."

- It seems the Microsoft driver is too difficult (for me) to find. Adobe have drivers for both Windows 95/98/Me and Windows 2k/XP drivers in the form of the 'Adobe Universal PostScript Windows Driver Installer' (http://www.adobe.com/support/downloads/product.jsp?product=44&platform=Windows) - winsteng.exe. The cupsaddsmb man page says the 95/98/Me drivers are available from Adobe, recomending people use the Microsoft ones for 2000/XP. Please also say that there exists Adobe drivers for Windows 2000/XP and preferably even recommend them rather than the Microsoft ones as they seem simpler to find.

Adobe's description of the driver package is this: "The Adobe Universal PostScript Windows Driver Installer installs the latest version of the AdobePostScript (AdobePS) driver for each supported Microsoft Windows platform:
- AdobePS 4.5.3: Windows 95, Windows 98, Windows 98 Second Edition, or Windows Millennium Edition
- AdobePS 5.2.2: Windows NT 4.0
- PScript 5: Windows 2000 or Windows XP "

Also, when the cupsaddsmb man page describes how to locate the Adobe driver for Windows 95/98/Me, it says to go to http://www.adobe.com. The link used above, http://www.adobe.com/support/downloads/product.jsp?product=44&platform=Windows, provides direct links to drivers for all supported operating systems in all supported languages, so is a better place to link people to than http://www.adobe.com.

bug STR #2043: 7z not unzip for unzipping self-extracting zip files. http://www.cups.org/doc-1.1/sam.html says "If you download the Adobe drivers, use the free unzip software to extract the files from the self-extracting ZIP file containing the drivers;". As far as I can tell the free unzip software doesn't unzip from self-extracting zip files. If it does can you please include in the documentation the switch by which to do so. If it actually doesn't then you should recommend using p7zip instead, i.e. using '7z x winsteng.exe'. On Debian the package name is p7zip-full.

Appendices

Appendix 1 - Upgrading From The Previous Version

Overview Of Differences In Samba 3.0

to be completed...

The Procedure

This document doesn't offer a fail safe method of upgrading from the previous Samba document because of a number of incompatible changes between this version and that one. However if you were to perform such an upgrade, Pete has done this once and this is what he did. This is an upgrade from Debian 3.0 Woody to Debian 3.1 Sarge; Samba 2.2 to Samba 3.0; a partial Roaming Computing System (Windows Edition) 2.0 to Roaming Computing System (Windows Edition) 3.0.

Fallout

Largely unknown at this point, but nothing critical.

Hotplug was installed rather than udev. Debian 4.0 Etch standardises on udev and because it's tricky to upgrade you should replace hotplug with udev before the next major version upgrade.

References

Debian upgrade: http://www.debian-administration.org/articles/96

Debian upgrade: http://glasnost.beeznest.org/articles/109

Samba upgrade: http://samba.osmirror.nl/samba/docs/man/Samba-HOWTO-Collection/upgrading-to-3.0.html#id402604

Upgrading from Samba-2.x to Samba-3.0.23 - Quick Migration Guide: http://samba.osmirror.nl/samba/docs/man/Samba-HOWTO-Collection/upgrading-to-3.0.html#id403904

To Do

Need to read: Sample smb.conf Add Group Script - http://www.samba.org/samba/docs/man/Samba3-HOWTO/groupmapping.html#id2568922

See the comments in here: Debian Administration - Debian, CUPS, Samba... Days of grief: http://www.debian-administration.org/articles/300

This page describes creating Windows profiles automatedly: http://www.hughesjr.com/content/view/26/2/Site_News

Some administration can be done from a Windows workstation rather than on the server. For example, to delete a samba user account: net user <username> /delete /domain

To Do - Printing

Setting up printers on workstations manually

"11. (Optional.) Tickle the driver into a correct device mode.

It is important that you execute this step as a Samba printer admin (as defined in smb.conf). Here is 
another method to do this on Windows XP. It uses a command line, which you may type into the "DOS box" 
(type root's smbpassword when prompted):

C:\> runas /netonly /user:root "rundll32 printui.dll,PrintUIEntry \
	/in /n \\sambaserver\mysmbtstprn"

Change any printer setting once (like changing portrait to landscape), click on Apply, and change the 
setting back.

12. Install the printer on a client (Point'n'Print).

C:\> rundll32 printui.dll,PrintUIEntry /in /n "\\sambaserver\mysmbtstprn"

If it does not work, it could be a permissions problem with the [print$] share."


"Samba and UNIX obviously do not have such a Registry"
- as elsewhere, lower case 'registry'

"Nowadays, most Linux distributions rely on the utilities from the Linuxprinting.org to create their 
printing-related software"

"The utilities from this sire have a very end-user-friendly interface"

"while the new-style PPDs are now call foomatic-rip"

"Save foomatic-rip either directly in /usr/lib/cups/filter/foomatic-rip or somewhere in your $PATH" - 
shouldn't you also say peope with distros will want to use their distro's method

"From CUPS 1.1.16 and later releases, you can use the CUPS PostScript driver for Windows NT/200x/XP 
clients (which is tagged in the download area of http://www.cups.org/ as the cups-samba-1.1.16.tar.gz 
package)"

"This is the best system currently available, and there are huge improvements under development for 
CUPS 1.2:"
- so it would be good to brand this document as correct as per a specific version of CUPS

"Shut all Explorer Windows."
- windows

Manually Installing the PostScript Driver on a Client

"install the CUPS printer PPD on top of the Adobe PostScript driver on clients. 
Then point the client's printer queue to the Samba printer share for a UNC type of connection:

C:\> net use lpt1: \\sambaserver\printershare /user:ntadmin

should you desire to use the CUPS networked PostScript RIP functions. (Note that user "ntadmin" needs to 
be a valid Samba user with the required privileges to access the printershare.) This sets up the printer 
connection in the traditional LanMan way (not using MS-RPC)."

Administrator Cannot Install Printers for All Local Users

"Windows XP handles SMB printers on a "per-user" basis. This means every user needs to install the printer 
himself or herself. To have a printer available for everybody, you might want to use the built-in IPP 
client capabilities of Win XP. Add a printer with the print path of 
http://cupsserver:631/printers/printername. We're still looking into this one. Maybe a logon script could 
automatically install printers for all users."

Windows XP SP1 Changes

"Win XP-SP1 introduced a Point and Print Restriction Policy (this restriction does not apply to 
"Administrator" or "Power User" groups of users). In Group Policy Object Editor, go to User 
Configuration -> Administrative Templates -> Control Panel -> Printers. The policy is automatically 
set to Enabled and the Users can only Point and Print to machines in their Forest 
(http://en.wikipedia.org/wiki/Active_Directory#Forests.2C_trees.2C_and_domains). You probably need 
to change it to Disabled or Users can only Point and Print to these servers to make driver downloads 
from Samba possible."

To Do - Power Users

Well-Known Entity RID SID Our Unix Group Type domain/local/builtin Purpose Essential for Samba?
Builtin Power Users 547 S-1-5-32-547 n/a Alias builtin can create local users and groups; modify and delete accounts that they have created; remove users from the Power Users/Users/Guests groups; install programs; create, manage, and delete local printers; create and delete file shares. No
When a Windows NT4/2000/XP client joins a domain, the domain global Domain Admins group is added to the 
membership of the local Administrators group on the client. Any user who is a member of the domain global 
Domain Admins group will have administrative rights on the Windows client.
This is often not the most desirable solution because it means that the user will have administrative 
rights and privileges on domain servers also. The Power Users group on Windows client workstations permits 
local administration of the workstation alone. The Power Users group is a group that is local to each 
Windows 2000/2003/XP Professional workstation. 
Any domain global user or domain global group (i.e. Domain Users) can be added to the membership of the 
local workstation group Power Users.

Because the Power Users group exists on the Windows workstation, you don't add people to it in the
way we assign rights, groups and relative identifiers. It must be done in one of the following ways:

- 1. using the GUI on each Windows workstation
(to add everyone in the Domain Users group to the local Power Users group):
   Start -> Control Panel -> Users and Passwords -> Advanced -> Advanced -> Groups
   Double-click Power Users - this will launch the panel to add users or groups to the local machine 
   Power Users group.
   Add -> Select the domain from which the Domain Users group is to be added -> Double-click the Domain 
   Users group -> OK.
   (If a logon box is presented during this process, remember to enter the connect as 
   <domain>\<user>)


- 2. using the command-line on the Windows workstation:
net localgroup S-1-5-32-547 /add <domain>\<domain user or domain group account name>


- 3. scripted, when a user logs onto the domain from a Windows workstation, you can run:
/usr/bin/net rpc group addmem "Power Users" "DOMAIN_NAME\$1" -U Administrator%password -S $2