Hi All,

I've been reading *lots* of pages and guides everywhere about setting up samba as a PDC, mainly the 8 part guide by John Terpstra.

One common thing I found in all the guides I read was unstated dependencies on the Samba version. Tried it using 3.0.9 and it didn't have any rights (I found something somewhere saying this eventually). Then tried it using Debian's default of 3.0.24, and no default groups, so John's guide wasn't 100%.

Also the user/group scripts in smb.conf seem to be distro specific. This last one caused me hours of headaches, the errors returned gave absolutely no indication of what the problem was. Eventually I decided to have a look at the log files which gave me a Eureka moment and I found out that Debian's usermod has different parameters. (It also doesn't appear to be able to remove a group assignment from a user?)

Anyway, after umpteen tries I compiled this concise cheat sheet (more for me than anyone else), can people have a look at it and point out any glaring errors please?

start afresh...:-
---------------

cleanup
-------
stop samba
    /etc/init.d/samba stop
delete all *.tdb files
    rm /var/lib/samba/*.tdb
delete all samba log files
    rm /var/lib/samba/*.tdb
remove windows groups using groupdel
remove PDC machine user using userdel

1. edit /etc/samba/smbusers
1a. add
    root = Administrator
2. start samba
3. use pdbedit -a to add user 'root' and assign a password to it

from samba 3.0.23 there are NO default Windows Domain Groups, we must create them now.

4. Add default Windows Domain Groups as unix groups:-
   (group IDs nicked from online examples)
    groupadd -g 512 "Domain Admins"
    groupadd -g 513 "Domain Users"
    groupadd -g 514 "Domain Guests"
    groupadd -g 515 "Domain Computers"
    groupadd -g 544 "Administrators"
    groupadd -g 550 "Print Operators"
    groupadd -g 551 "Backup Operators"
    groupadd -g 552 "Replicators"

4a. Add groups into Samba mapping them to unix groups
    net groupmap add rid=512 unixgroup="Domain Admins"
    net groupmap add rid=513 unixgroup="Domain Users"
    net groupmap add rid=514 unixgroup="Domain Guests"
    net groupmap add rid=515 unixgroup="Domain Computers"

4b. Add local Windows groups
    (dunno if this is right, they get added as domain groups?)
    net groupmap add rid=544 unixgroup="Administrators"
    net groupmap add rid=550 unixgroup="Print Operators"
    net groupmap add rid=551 unixgroup="Backup Operators"
    net groupmap add rid=552 unixgroup="Replicators"

5. Add user root to the Domain Admin group
    net rpc group addmem "Domain Admins" root

6. Give the "Domain Admins" group suitable administrative rights...
    net rpc rights grant "Domain Admins" \
        SeMachineAccountPrivilege \
        SeTakeOwnershipPrivilege \
        SeBackupPrivilege \
        SeRestorePrivilege \
        SeRemoteShutdownPrivilege \
        SePrintOperatorPrivilege \
        SeAddUsersPrivilege \
        SeDiskOperatorPrivilege
   (do similar for the other groups)

6. Add an account for the PDC machine
    net rpc join

For the initial setup, that's it! The PDC is live and the domain administrator user has been created.

To:-

Add Users
---------
    net rpc user add <username>

Assign a password to a user
---------------------------
    net rpc user password <username>

Delete Users
------------
    net rpc user del <username>

Assign a user to a group
------------------------
    net rpc group addmem <groupname> <username>

Remove a user from a group
--------------------------
    net rpc group delmem <groupname> <username>
    (NOTE : doesn't work, the usermod command cannot delete a group from a user)

Assign user rights
------------------
(used to override the group rights assigned earlier)
    net rpc rights grant <username> <rightname>

Remove user rights
------------------
(used to override the group rights assigned earlier)
    net rpc rights revoke <username> <rightname>

View rights assigned
--------------------
    net rpc rights list accounts

Cheers,
Richard
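
Step 4b above asks whether rid=544..552 end up as domain groups. The following is an added example, not part of the original post: a shell check over `net groupmap list` output that flags those RIDs when they sit under a domain SID (S-1-5-21-...) instead of the well-known builtin authority S-1-5-32. The function names, the assumed line format `NT name (SID) -> unix group`, and the sample SIDs are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post).
# Assumed input format, one mapping per line:
#   NT group name (SID) -> unix group

BUILTIN_RIDS="544 550 551 552"   # the RIDs mapped in step 4b of the post

# check_groupmap: read mappings on stdin and print one MISMAPPED line for
# each builtin-alias RID that lives under a domain SID (S-1-5-21-...).
check_groupmap() {
    while IFS= read -r line; do
        # Extract the SID from between the parentheses.
        sid=$(printf '%s\n' "$line" | sed -n 's/^.*(\(S-[0-9-]*\)) -> .*$/\1/p')
        [ -n "$sid" ] || continue          # skip lines that are not mappings
        case "$sid" in
            S-1-5-32-*) continue ;;        # genuine builtin alias, nothing to flag
        esac
        rid=${sid##*-}                     # last SID component is the RID
        name=${line%% (S-*}                # NT group name before the SID
        for b in $BUILTIN_RIDS; do
            if [ "$rid" = "$b" ]; then
                printf 'MISMAPPED %s rid=%s sid=%s expected=S-1-5-32-%s\n' \
                    "$name" "$rid" "$sid" "$rid"
            fi
        done
    done
}

# Constructed sample output; the domain SID is a placeholder.
sample_groupmap() {
    cat <<'EOF'
Domain Admins (S-1-5-21-1111111111-2222222222-3333333333-512) -> Domain Admins
Domain Users (S-1-5-21-1111111111-2222222222-3333333333-513) -> Domain Users
Administrators (S-1-5-21-1111111111-2222222222-3333333333-544) -> Administrators
Print Operators (S-1-5-32-550) -> Print Operators
Backup Operators (S-1-5-21-1111111111-2222222222-3333333333-551) -> Backup Operators
EOF
}

# On a live server, run:  net groupmap list | check_groupmap
sample_groupmap | check_groupmap
```

A flagged group is a domain group that merely shares a builtin alias's RID, so rights granted to it do not apply to the real BUILTIN alias of the same name.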