User logins can only be performed on Microsoft Windows systems joined in the Samba domain. Domain joins are documented in the chapter Domain services / LDAP directory of the UCS manual [ucs-handbuch].

The user passwords are saved in the UCS LDAP. Users are authenticated against the LDAP directory when logging into the domain with their username and password, and can then access all the shared resources of the domain without having to enter their username and password again. Computers with any kind of Windows operating systems are authenticated in the same way as in Windows NT domains, via the NTLMv2 protocol.

A file server provides files over the network and allows concentrating the storage of user data on a central server.

The file services integrated in UCS support the provision of shares using the CIFS protocol. Insofar as the underlying file system supports Access Control Lists (ACLs) (can be used with ext3, ext4 and XFS), the ACLs can also be used by Windows clients.

Samba supports the CIFS protocol and the successor SMB2 to provide file services. Using a client which supports SMB2 (as of Windows Vista, i.e., Windows 7/8 too) improves the performance and scalability.

The protocol can be configured using the Univention Configuration Registry variable samba/max/protocol. It must be set on all Samba servers and then all Samba server(s) restarted.

Samba offers the possibility of sharing printers set up under Linux as network printers for Windows clients. The management of the printer shares and the provision of the printer drivers is described in chapter Print services of the UCS manual [ucs-handbuch].

NetBIOS is a network protocol for host names and for network communication of Windows clients. It is primarily used for NT-compatible domains; the name resolution in Active Directory is based on DNS. Samba provides NetBIOS functions with the nmbd system service.

NetBIOS computer names can have a maximum of 13 characters. The NetBIOS name of a UCS system corresponds to the host name by default.

In a native Active Directory environment, there are no NetBIOS services provided as standard. In an AD environment based on Samba, however, it is activated. This can be deactivated with the Univention Configuration Registry variable samba4/service/nmb.

Similar to DNS in TCP/IP networks, the Windows Internet Name Service (WINS) is used for resolving NetBIOS names into IP addresses. In addition, WINS provides information on the services of the hosts.

WINS is used in NT-compatible Samba domains; in Samba AD domains, the name resolution generally occurs primarily via DNS (WINS is also available).

WINS support is activated on the master domain controller in the default setting and can also be operated on another server by setting the Univention Configuration Registry variable windows/wins-support. WINS can only be operated without adjustments on one Samba server in the domain; distribution across several servers requires the setup of WINS replication. Information on the commissioning of the WINS replication can be found in the Univention Support database at SDB 1107.

The WINS server can be assigned to Windows clients via a DHCP-NetBIOS policy, see chapter IP and network management of the UCS manual [ucs-handbuch].

The NETLOGON share serves the purpose of providing logon scripts in Windows domains. The logon scripts are executed following after the user login and allow the adaptation of the user's working environment. Scripts have to be saved in a format which can be executed by Windows, such as bat.

The directory /var/lib/samba/netlogon is set up as the Samba share NETLOGON.

In the default setting, all adjustments are made in the /var/lib/samba/netlogon/ directory on the master domain controller and synchronized hourly on all domain controllers with Samba installed via the rsync tool.

The Univention Configuration Registry variable samba/logonscript is available for defining a global logon script for all users. If this variable is set on a Samba server, then all users logging into this Samba server have the specified logon script assigned. The logon script can also be assigned user-specifically in the Univention Management Console.

As standard, the home directory of each user is shared by Samba and connected with the I: drive after login in Windows.

The Univention Configuration Registry variable samba/homedirserver can be used to specify the server on which the home directories should be stored; the Univention Configuration Registry variable samba/homedirpath can be used to specify the directory. These values will then be valid for all the users.

It it also possible to make individual assignment in the user settings in the Univention Management Console with the setting Windows home path, e.g., \\ucs-file-server\smith.

If instead of the user's UNIX home directory, a different UNIX directory is to be displayed as the home directory on the Windows drive, then this server and the home directory need to be entered in the Windows home path entry field.

Samba supports roaming profiles, i.e., user settings are saved on a central server. This directory is also used for storing the files which the user saves in the My Documents folder. Initially, these files are stored locally on the Windows computer and then synchronized onto the Samba server when the user logs off.

If the profile path is changed in the Univention Management Console, then a new profile directory will be created. The data in the old profile directory will be kept. These data can be manually copied or moved to the new profile directory. Finally, the old profile directory can be deleted.

The user profiles are saved in the windows-profiles\<Windows-Version> subdirectory on the Samba server that the user logged on to.

Univention Configuration Registry variable samba/profileserver can be used to specify another server and samba/profilepathto specify another directory. These settings must be set on all Samba domain controllers.

In the user management of the Univention Management Console, the input field Windows profile directory can be set to configure a different path or another server for the profile directory for the user.

Roaming profiles can be deactivated by configuring the Univention Configuration Registry variables samba/profilepath and samba/profileserver to local and restarting the Samba server. The UMC setting from the input field Windows profile directory must also be set empty.

A Domain Trust Account with a name reflecting the NetBIOS name of the Windows domain and a password issued for the account must be created in the computer management module of Univention Management Console The password quality requirements which may apply to Windows domains must be observed.

Trust settings can only be set up on domain controllers.

An outgoing trust relationship must be created on the Windows PDC.

The trust relationship between the Windows domain and the Samba domain can be removed by deleting the trust relationship on the Windows PDC and the domain trust account in the Univention Management Console.

The following steps are used to set up the trust setting on a slave domain controller as a root user:

The winbind package must be installed. Winbind maps UNIX IDs to Windows users and groups

An incoming trust relationship must be created on the Windows PDC.

If Univention Firewall is used, replies to NetBIOS broadcasts need to be allowed:

echo "iptables -I INPUT 1 -p udp --sport 137 -j ACCEPT" \
    >> /etc/security/packetfilter.d/50_local.sh
/etc/init.d/univention-firewall restart

The trust relationship is now initiated and Winbind restarted. This command must be run on all Samba login servers:

net rpc trustdom establish <Windows domain>
net setauthuser -UAdministrator (enter the Windows Administrator password)
ucr set samba/winbind/rpc/only=yes
/etc/init.d/winbind restart
ucr set auth/methods="krb5 ldap unix winbind"
/etc/init.d/nscd restart

The following command can be used to check that the trust relationship has been added correctly:

net rpc trustdom list