Update suggestion for Samba NT Domain FAQ

Sun Feb 21 03:52:03 GMT 1999

Howdy Jerry and everyone else,

I have now gotten Samba going as a PDC for some NT Workstation
SP4 - thank you!

I've found many of the emails of the last few days very helpful
in filling the gaps "FAQ for Samba NTDOM PDC support" hasn't yet
caught up on (especially for people like me who are NT/Domain/PDC
ignorant).

Here is my attempt at an update for the FAQ to help fill the gaps
so other folks have an easier time.

If you choose to use any part of this material, please double check
what I've added to your wonderful FAQ - I'm still on the steep,
slippery part of the learning curve!

	Thank you again,
	Bill

FAQ for Samba NTDOM PDC support

2.2. How do I get my NT Workstation / Server to login to the Samba 
controlled Domain?

o Obtain the latest main branch samba code (see question 2.1)

o Set up samba with encrypted passwords: see ENCRYPTION.txt (probably
  out of date: you no longer need the DES libraries, but other than
  that, ENCRYPTION.txt is current).

  At this point, you ought to test that your samba server is
  accessible correctly with encrypted passwords, before progressing
  with any of the NT workstation-specific bits: it's up to you.

o To create the machine account on the Samba PDC, first create an
  account in /etc/passwd (or equivalent in the case of NIS / NIS+)
  for the username <my_workstation's_name$> for each system in the
  domain including the Samba PDC.

  Currently the uid is all that will be used and this is to ensure
  that the samba generated machine RID for the worstation account will
  be unique.  Therefore you should not reuse unix uid's in
  /etc/passwd.  The shell or home directory fields in /etc/passwd are
  not used for now and can be set to /bin/False and /dev/null
  respectively.

  On my Samba PDC (server.example.com) the /etc/passwd entries look
  like this:

   server$:Dummy:800:800:Samba Server:/dev/null:/bin/false
   ws1$:Dummy:801:800:NT Workstation 1:/dev/null:/bin/false
   ws2$:Dummy:802:800:NT Workstation 2:/dev/null:/bin/false

  All of these systems must be in a unique Unix group which will be
  mapped to the NT Domain Group "Domain Users" so the entry in my
  /etc/group (or equivalent in the case of NIS/NIS+) is:

   domainUsers:x:800:server$,ws1$,ws2$

  This is the line in my smb.conf to create the domain user map file:

   domain user map = /usr/local/samba/etc/domain.user.map

  The line in domain.user.map is:

   domainUsers "Domain Users"

  The double quotes are needed or else the line is misparsed.

  Then run the following commands:

   # smbpasswd -a -m server
   # smbpasswd -a -m ws1
   # smbpasswd -a -m ws2

  This will create an entry in the private/smbpasswd file in the form
  of

   my_workstation's_name$:uid:LM_XXX:NT_XXX:[W]:LTC-XXXX:

  The LM_XXX and NT_XXX fields are the ascii representations of the 16
  byte LanMan and NT MD4 hashes respectively of the password
  "my_workstation's_name".

  If you reload Windows NT on a system then you will need to
  regenerate the entry in smbpasswd.

  At the moment the 2.1-pre-alpha source tree version of smbpasswd is
  broken for Redhat 5.2 but the version in the 2.0.2 release works.

o If you want to have a domain wide policy settings then use the NT
  Policy Editor (see question 5.1 to see how to get it) to create
  ntconfig.pol and then place it in the root of the [netlogon] share.

o If you want the NT profiles stored on the server then make sure the
  systems are in time sync.  This can be done by setting the in the
  logon script by including the line "NET \\server /TIME /SET" and by
  granting all users the right to set the system time.  Probably a
  better way is to have an NTP broadcast on your network (maybe from
  the Samba PDC) and run clients on the NT workstations.  If you don't
  do this then it is possible for profile updates to fail under some
  circumstatnces.

  In the Samba 2.0.0 and 2.0.2 releases the RedHat sample smb.conf
  file need this line added to [Profiles] share:

   writeable = true

o If using NT server to log in, run the User Manager for Domains, and
  add the capability to "Log in Locally" to the policies, which you
  would have to do even if you were logging in to another NT PDC
  instead of a Samba PDC.

o Set up the following parameters in smb.conf

   ; substitute your workgroup here
   workgroup = SAMBA

   ; tells workstations to use SAMBA as its Primary Domain Controller.
   domain logons = yes

o Starting smbd will create a file name private/SAMBA.SID with
  permissions rw-r--r--. The file contains the domain SID for the
  samba PDC. The filename will differ depending on the value of the
  workgroup parameter.  If the contents of this file change, no domain
  members will be able to logon and will need to be readded to the
  domain again.   Guard it carefully! 

o Make sure samba is running before the next step is carried out. if
  this is your first time, just for fun you might like to switch the
  debug log level to about 20. the NT pipes produces some very pretty
  output when decoding requests and generating responses, which would
  be particularly useful to see in tcpdump at some point.

o In the NT Network Settings, change the domain to SAMBA. Do not
  attempt to create an account using the other part of the dialog: it
  will fail at present.

  You should get a wonderful message saying "Welcome to the SAMBA
  Domain."

  If you don't, then please first increase your debug log levels and
  also get a tcpdump (or preferably NetMonitor) trace and examine it
  carefully.  You should see a NETLOGON, a SAMLOGON on UDP port
  138. If you don't, then you probably don't have "domain logons =
  yes" or there is some other problem in resolving the NetBIOS name
  SAMBA<1c> or in the /etc/passwd and/or smbpasswd entries for the NT
  client.

  On port 139, you should see a LSA_OPEN_POLICY, two LSA_QUERY_INFOs
  (one for a domain SID of S-1-3... and another for S-1-5) and then an
  LSA_CLOSE or two.

  You may see a pipe connection to a wkssvc pipe, and you may also see
  a "Net Server Get Info" being issued on the srvsvc pipe.

  Assuming you got the Welcome message, go through the obligatory
  reboot (the NT box, not the Samba server).

...

2.6.  My Roaming Profiles are not updating!

o Make sure the Directory Replicator Service is running and setup on
  the NT Workstation:  Go to each workstation, Control Panel,
  Services, set Directory Replicator Service to Automatic and start it
  running.  Go to the Control Panel, Server, Replication, enable
  Import Directories, add the Samba PDC.

o Make sure your systems have the same time.

o Make sure the Profiles share is writable by the client (e.g., this
  should already be working in a non-domain login for the user).

o Look in log.smbd and if you see a line like:

   trust account ws1$ should be in DOMAIN_GROUP_RID_USERS

  then something is messed up with the Unix group membership, or the
  domain group map entry for "Domain Users".