NT Domian Support for SAMBA

Wed Jun 3 20:37:37 GMT 1998

Simon,

I'm CC'ing this to the samba-ntdom mailing list in case someone else
would like to respond to you as well.

Simon Hendry wrote:
> 
> Hi ..

Hello :)

> Q1 ). We are looking at placing a NT box next to some of our Unix
> machines in some of our area offices ( 1 Sparc , 1 NT box environment
> ). If we do this and setup SAMBA as a PDC and setup the NT Box as a
> member of a domain , then if a Windows 95 machine attempts a 
> connection such as \\NTBOX\cdrive , will the NT Machine redirect the 
> passwd lookup to the SAMBA machine and use smbpasswd and NOT the SAM 
> database to authenticate the user...

>From another NT box this works fine ( validates the DOMAIN account ).  I
was unable to get it to work from Win95 -> WinNT or from WfWg -> WinNT.  

However, after looking at the Netmon sniff of the packets, the "Windows
for Workgroups 3.1a" dialect is selected which is correct.  Anyone got a
response to this one?

> Q2 ) We want the NT machine in each office to authenticate 
> against the local SAMBA box , not one across a wide area 
> network link... Will there be a problem with having multiple 
> samba boxes running as PDC for a single domain given that each 
> box will be on a distinctly different network across a routed 
> link from one another ? 

Hmmm...This is tricky.  Assuming that NetBIOS name resolution is done
locally on each subnet ( ie. don't use WINS ) so that no PDC is aware 
of another,  this might work.  Not sure I would recommend it though.

Really you are wanting to setup several domains that just happen to have
the same name ( and possibily domain sid ).  The are in essence isolated
from each other due to the block ports ( see coments below on blocking
traffic at the router ).

IMHO a better solution would be to setup an individual domain for each
local subnet and the use scp ( or rsync...not via NFS obviously ) to
distribute the smbpasswd file to the servers and thus maintain a central
list of accounts.  Does that make any sense?

> Will we have to block certain traffic on our routers so that the NT 
> box doesn't detect a PDC somewhere else ? 

If you do not need run SMB / NBT traffic across the routers, the just
block port 135, 137, 138 and 139.

> Are there settings in smb.conf on the SAMBA machine that will 
> stop the NT box becoming aware of the master browse list for 
> the entire network ? 

Haven't tried this.  If you blocks the ports listed above, then this is
no biggie.  The samba servers ( and NT boxes ) should be isolated.  If
you do not block the ports and do not use WINS, then 

	domain master = yes
	local master = yes
	perferred master = yes
	os level = 64

should do it.  This is assuming only **one** PDC on a subnet.

> Is there a problem from a SAMBA point of view having multiple 
> PDCs ? 

NT in general defines a domain to have only one PDC ( hence the name
Primary Domain Controller ) and the several BDC's depending on need.  It
is possibile to get similar behavior to a BDC in samba by manually
merging changes from the smbpasswd files (gotta love unix flat files). 
This could be real tricky since you don't want to change the local
entries for the machine trust accounts.

> Is it possible to get the same functionality from the SAMBA boxes 
> if we make them only BDCs and therefore avoid the multiple PDCs 
> issue ???

This would be the ideal solution but unfortunately, the NTDOM code does
not currently support acting as a BDC.  See above comments...

I fell like I have made this about as clear as mud.  Anyone else care to
join in?

Thanks,
j-
________________________________________________________________________
                            Gerald ( Jerry ) Carter	
Engineering Network Services                           Auburn University 
jerry at eng.auburn.edu             http://www.eng.auburn.edu/users/cartegw

       "...a hundred billion castaways looking for a home."
                                  - Sting "Message in a Bottle" ( 1979 )