After playing with it for awhile, I have realized that Apple has made some significant changes in their Samba integration with Jaguar, mostly for the better.

* The standard procedure for adding PDC functionality still works. That’s all covered elsewhere (see https://www.afp548.com./Articles/system/sambapdc.html), so I won’t repeat it here.

* No longer will Server Settings overwrite your customizations in /etc/smb.conf, so you don’t have to do the “sudo chflags uchg /etc/smb.conf” bit (though there’s a catch to this: once you’ve made your manual changes, you should reboot the server before running the Windows config in Server Settings, as it seems to cache the startup settings somewhere, and it *will* overwrite your customizations until you restart–at least, that’s what it does to me!).

* A separate standalone install of Samba (in /usr/local/samba, typically) does not seem to work properly, as it used to in 10.1.x. There are issues with network browsing etc. that seem to stem from the different user authentication scheme in Jaguar.

* Workgroup Manager still will not allow you to add a user with a trailing “$”. When adding a Windows host to the domain, you still must use the root username & password to authenticate.

* Machine accounts do not have to use Password Server, but any user accounts that need to logon from Windows must use Password Server authentication.

Here is the business end of my smb.conf file, for what it’s worth:

[global]
        local master = YES
        domain master = YES
        preferred master = YES
        domain logons = YES
        os level = 64
        security = USER
        admin users = admin, joe
        logon drive = U:
        logon home = \\%N\Users\%u
        logon path = \\%N\profiles\%u
        domain admin group = admin @wheel
        guest account = unknown
        max smbd processes = 0
        encrypt passwords = YES
        print command = /usr/sbin/PrintServiceAccess printps %p  %s
        lpq command = /usr/sbin/PrintServiceAccess jobs %p
        lprm command = /usr/sbin/PrintServiceAccess remove %p  %j
        lppause command = /usr/sbin/PrintServiceAccess hold %p  %j
        lpresume command = /usr/sbin/PrintServiceAccess release %p  %j
        printer admin = unknown, @staff
        server string = Mac OS X Server (Samba %v)
        client code page = 437
        coding system = utf8
        log file = /Library/Logs/WindowsServices/WindowsFileService.log
        netbios name = JAGUAR
        workgroup = NT-DOMAIN-NAME
        wins support = NO
        log level = 2
[netlogon]
        path = /Shared Items/PDC/netlogon
        writeable = NO
        write list = ntadmin
        comment = Windows netlogon
[homes]
        path = /Users/%u
        read only = NO
        create mask = 0600
        directory mask = 0700
        comment = Windows user homes
[profiles]
        path = /Shared Items/PDC/profiles
        writeable = YES
        create mask = 0600
        directory mask = 0700
        comment = Windows user profiles
[Users]
        path = /Users
        public = NO
        create mask = 0644
        directory mask = 0755
        read only = NO
        comment = macosx