SAMBA (Domain Controller) Server For Small Workgroups With Ubuntu 5.10 "Breezy Badger" - Page 5

Adding Users To Our SAMBA Domain

Now we will add a user, e.g. tom, to our Samba domain. You will have to add a user like this for each user account you want to connect to this SAMBA domain server.

1) Add a linux user tom:

useradd tom -m -G users

2) Add the linux user tom to the SAMBA password database:

smbpasswd -a tom

Adding Shares

Now I will add a share that is accessible by all users.

mkdir -p /home/shares/allusers
chown -R root:users /home/shares/allusers/
chmod -R ug+rwx,o+rx-w /home/shares/allusers/

At the end of the file /etc/samba/smb.conf add the following lines:

comment = All Users
path = /home/shares/allusers
valid users = @users
force group = users
create mask = 0660
directory mask = 0771
writable = yes

Now we restart Samba:

/etc/init.d/samba restart

Installing CUPS

If you want your SAMBA server to act as a print server also, you have to install and configure CUPS:

apt-get install cupsys cupsys-client cupsys-driver-gimpprint cupsys-driver-gimpprint-data defoma fontconfig foomatic-db foomatic-filters libcupsimage2 libexpat1 libfontconfig1 libfreetype6 libgimpprint1 libjpeg62 libpaper1 libpng12-0 libpoppler0c2 libslp1 libtiff4 patch perl perl-modules ttf-bitstream-vera ucf (1 line!)

To get access to the web interface from my workstation, I will change cups to listen on the Server IP.
Edit /etc/cups/cupsd.conf in the section Network Options:


Set AuthGroupName to shadow in the section Security Options:

AuthGroupName shadow

To allow access only from my admin workstation (IP:, I add Allow From the security options and set AuthClass to Group:

<Location /admin>
# You definitely will want to limit access to the administration functions.
# The default configuration requires a local connection from a user who
# is a member of the system group to do any admin tasks. You can change
# the group name using the SystemGroup directive.

AuthType Basic
AuthClass Group

## Restrict access to local domain
Order Deny,Allow
Deny From All
Allow From
Allow From

#Encryption Required

Add the cupsys user to the shadow group:

adduser cupsys shadow

and restart the cups daemon:

/etc/init.d/cupsys restart

The cups webinterface is now accessible with any webbrowser from my workstation:

Now I can login to the cups interface with username root and my root password.

Hint: If there is no linux driver available for your printer and you want to use this printer only from your windows workstations trough SAMBA, you can use the printer manufacturer RAW and install the correct driver on your windows workstation.

If you created a new printer in cups, you will have to add it to samba with the command:

cupsaddsmb -a

Have fun!


All trademarks belong to their respective owner.

Share this page:

23 Comment(s)

Add comment


From: Anonymous

I'd like to also say this is a great article -- easy to read and very straight forward in its language. I too look forward to the ldap piece. -NG

From: Anonymous

I really like this. Is there a method to do this using a gui interface?

From: Anonymous


From: Anonymous

This was a great help from a invaluable website. I am looking forward to the HowTo for a PDC and BDC using OpenLDAP and hope the author will find the time to post it soon. All sysadmins that learned something about the subject here owe the author a great deal of gratitude.

From: Anonymous

u can try webmin( . It has a module to configure samba.

From: Anonymous

Samba comes with a web config tool SWAT.

there are also lots of guis for samba here -

in case u also need a gui for other things apart from samba u might want to try webmin. (

From: Anonymous

This was a very great article! Thanks so much. I do hope that you decide to post another using LDAP though, as I have been wanting to get this working for some time but just can't find a good enough how-to - as all of the attempts I've made failed miserably.

I'm looking for something that allows both windows and linux clients to authenticate to a central authentication server.

I'm sure many would appreciate it.

Thanks again,


From: Anonymous

Really superb tutorial. I tried to find the relevant forum enttry but couldn't find it. How is it possilbe to do this via the GUI interface?

From: Anonymous

It took me a while but I got the LDAP peice working last year. No clean, easy, and still current howto covers everything with LDAP/Samba SSO so you will be working on this for a long time if you really want it. I created and recreated it many times, learning more about LDAP each time. I ended up following the Samba example howto *exactly* in order to have a working setup, then changing it to suit my situation. Some of the problems I encountered were old Samba and Slapd packages in the apt repositories, the inability to use a SASL backend, no digest passwords, etc. No idea if these were fixed after 3.0.14.

The addition of the LDAP piece gives me a single-sign-on solution for both windows and *nix boxes, but because of the SASL/Digest issue you need to use SSL certificates, which can present a whole 'nuther issue. Watch out adding users to the root group (using netgroup map in this tutorial) it may present a security issue in your configuration if you are not careful since Samba can communicate using the old NTLM protocols.

The beauty is that once you have LDAP auth working you can use PAM to extend it to auth almost anything: Apache, SSH, mail services, etc.


From: Anonymous

Very usefull.. I used it for a small network and it worked perfectly..

From: Anonymous

I had absolutely no problems setting up my domain controller as described here. This includes the main features of:

* Roaming profiles
* Central user management (set 'em up on the server and they can log in at any workstation, that is joined into the domain.

This is how joining is done - ) While I agree to use Ubuntu (and the under lying Debian OS. Since it is the last truely "free" distro)

I then tried the same method (using the same smb.conf) on an existing RedHat Fedora Core 4 Samba installation and after only minor tweaking (eg. re-entering user passwords into smbpasswd, because the above setup uses a different, more secure password db) I was able to get it working. Naturally one would also have to deal with any migration issues (mostly transfering files to the network) of existing users.

On a whole a very good experience getting something going, which I personally had attempted without success several times over the past years. ....And HowtoForge rocks ; - )...many great howtos. Thanks

From: Anonymous

What are the benifits of roaming profiles? Is this functionality standard, how to you get it working?

From: Anonymous


Add the "foomatic-filters-ppds" package to the cups installation line, it will install the foomatic ppds.

From: Anonymous


Let me say that this how-to is the best thing in a long time. I am installing a PDC at my school and everything is working execpt that when from a client Winxp client i press CRTL-ALT-DEL and try to change that user's password i enter the old one the new one twice and the press ok. The machine just hangs there waiting and waiting... and nothing. Is this happening to someone else??



From: Anonymous


Try to change the "passwd chat" line in smb.conf to this:

passwd chat = *password* %n\n *password* %n\n *success*


From: Anonymous

Thank you for an excellent walk-through for Ubuntu and Samba. I've been struggling with multiple linux distributions, trying to create a secure file server. Your tutorial saved me months of sleepless nights.

Thanks again,


From: Anonymous

thanx for the gr8 howto!

my only quibble is, if its "cut-and-paste," (in other words, as easy as it gets) shouldn't there be instructions on how to configure the 2nd machine?

it just seems like there are so many howtos that say configure this, do that, edit this file... but without reasons why to do those things. it was more difficult for me because i got up to the part about changing /etc/network/interfaces, and i didn't know how many of the values to change. a little trial and error and it worked.

gentoo has great docs, they have explicit instructions, but take a time out to explain why. thats why their docs have been easier to understand, in my experience, than things for debian.

From: Anonymous

I had set up a Samba PDC several months ago... I wish this was around then... It took me a week of evenings to finally get it working... And it really hasn't worked extremely reliably (ie I would get access denied at least once a day) until recently when I changed my PDC box from CentOS to Gentoo... No problems since then...

From: Anonymous

Hey great howto... Recomended it to alot of people so far! When is the LDAP part going to be done?! I REALLY NEED IT! :)

From: Anonymous

Great tutorial. There is one minor mistake that gave me some trouble.

Where it says:

The cups webinterface is now accessible with any webbrowser from my workstation:

It should be:

You may also need to "Allow From [server's IP]" under <Location /admin> in cupsd.conf.

In addition, I had to allow the same addresses under <Location /> for it to work properly.

From: Anonymous

I don't know if I was the only person that had these issues..

When trying to join the PC to the domain, I had to add it with the root login, then reboot, and login with the username I setup.

Apart from that though, a very nice tutorial and well done! Saved my ass :)

From: Anonymous

The tutorial is excellent.

A suggestion -- You might want to consider adding a note in the last section where smb users are added, a newbie, like me, might forget to add the user to the GROUP 'users' which ubuntu doesn't do automatically when you create new users. If you don't do this, you end up not being able to access the shared 'allusers' directory which at first is confusing.

From: jmm

Hi after following the tutorial this is what I get " a domain controller for the domain adnt could not be contacted " What should I do?