Update suggestion for Samba NT Domain FAQ
whn at topelo.lopi.com
Sun Feb 21 03:52:03 GMT 1999
Howdy Jerry and everyone else,
I have now gotten Samba going as a PDC for some NT Workstation
SP4 - thank you!
I've found many of the emails of the last few days very helpful
in filling the gaps "FAQ for Samba NTDOM PDC support" hasn't yet
caught up on (especially for people like me who are NT/Domain/PDC
Here is my attempt at an update for the FAQ to help fill the gaps
so other folks have an easier time.
If you choose to use any part of this material, please double check
what I've added to your wonderful FAQ - I'm still on the steep,
slippery part of the learning curve!
Thank you again,
FAQ for Samba NTDOM PDC support
2.2. How do I get my NT Workstation / Server to login to the Samba
o Obtain the latest main branch samba code (see question 2.1)
o Set up samba with encrypted passwords: see ENCRYPTION.txt (probably
out of date: you no longer need the DES libraries, but other than
that, ENCRYPTION.txt is current).
At this point, you ought to test that your samba server is
accessible correctly with encrypted passwords, before progressing
with any of the NT workstation-specific bits: it's up to you.
o To create the machine account on the Samba PDC, first create an
account in /etc/passwd (or equivalent in the case of NIS / NIS+)
for the username <my_workstation's_name$> for each system in the
domain including the Samba PDC.
Currently the uid is all that will be used and this is to ensure
that the samba generated machine RID for the workstation account will
be unique. Therefore you should not reuse unix uids in
/etc/passwd. The shell or home directory fields in /etc/passwd are
not used for now and can be set to /bin/false and /dev/null
On my Samba PDC (server.example.com) the /etc/passwd entries look
ws1$:Dummy:801:800:NT Workstation 1:/dev/null:/bin/false
ws2$:Dummy:802:800:NT Workstation 2:/dev/null:/bin/false
All of these systems must be in a unique Unix group which will be
mapped to the NT Domain Group "Domain Users" so the entry in my
/etc/group (or equivalent in the case of NIS/NIS+) is:
This is the line in my smb.conf to create the domain user map file:
domain user map = /usr/local/samba/etc/domain.user.map
The line in domain.user.map is:
domainUsers "Domain Users"
The double quotes are needed or else the line is misparsed.
Then run the following commands:
# smbpasswd -a -m server
# smbpasswd -a -m ws1
# smbpasswd -a -m ws2
This will create an entry in the private/smbpasswd file in the form
The LM_XXX and NT_XXX fields are the ascii representations of the 16
byte LanMan and NT MD4 hashes respectively of the password
If you reload Windows NT on a system then you will need to
regenerate the entry in smbpasswd.
At the moment the 2.1-pre-alpha source tree version of smbpasswd is
broken for Redhat 5.2 but the version in the 2.0.2 release works.
o If you want domain-wide policy settings, then use the NT
Policy Editor (see question 5.1 to see how to get it) to create
ntconfig.pol and then place it in the root of the [netlogon] share.
o If you want the NT profiles stored on the server then make sure the
systems are in time sync. This can be done in the logon script by
including the line "NET \\server /TIME /SET" and by
granting all users the right to set the system time. Probably a
better way is to have an NTP broadcast on your network (maybe from
the Samba PDC) and run clients on the NT workstations. If you don't
do this then it is possible for profile updates to fail under some
In the Samba 2.0.0 and 2.0.2 releases the RedHat sample smb.conf
file needs this line added to the [Profiles] share:
writeable = true
o If using NT server to log in, run the User Manager for Domains, and
add the capability to "Log in Locally" to the policies, which you
would have to do even if you were logging in to another NT PDC
instead of a Samba PDC.
o Set up the following parameters in smb.conf
; substitute your workgroup here
workgroup = SAMBA
; tells workstations to use SAMBA as its Primary Domain Controller.
domain logons = yes
o Starting smbd will create a file named private/SAMBA.SID with
permissions rw-r--r--. The file contains the domain SID for the
samba PDC. The filename will differ depending on the value of the
workgroup parameter. If the contents of this file change, no domain
members will be able to logon and will need to be re-added to the
domain again. Guard it carefully!
o Make sure samba is running before the next step is carried out. If
this is your first time, just for fun you might like to switch the
debug log level to about 20. The NT pipes produce some very pretty
output when decoding requests and generating responses, which would
be particularly useful to see in tcpdump at some point.
o In the NT Network Settings, change the domain to SAMBA. Do not
attempt to create an account using the other part of the dialog: it
will fail at present.
You should get a wonderful message saying "Welcome to the SAMBA
If you don't, then please first increase your debug log levels and
also get a tcpdump (or preferably NetMonitor) trace and examine it
carefully. You should see a NETLOGON and a SAMLOGON on UDP port
138. If you don't, then you probably don't have "domain logons =
yes" or there is some other problem in resolving the NetBIOS name
SAMBA<1c> or in the /etc/passwd and/or smbpasswd entries for the NT
On port 139, you should see a LSA_OPEN_POLICY, two LSA_QUERY_INFOs
(one for a domain SID of S-1-3... and another for S-1-5) and then an
LSA_CLOSE or two.
You may see a pipe connection to a wkssvc pipe, and you may also see
a "Net Server Get Info" being issued on the srvsvc pipe.
Assuming you got the Welcome message, go through the obligatory
reboot (the NT box, not the Samba server).
2.6. My Roaming Profiles are not updating!
o Make sure the Directory Replicator Service is running and setup on
the NT Workstation: Go to each workstation, Control Panel,
Services, set Directory Replicator Service to Automatic and start it
running. Go to the Control Panel, Server, Replication, enable
Import Directories, add the Samba PDC.
o Make sure your systems have the same time.
o Make sure the Profiles share is writable by the client (e.g., this
should already be working in a non-domain login for the user).
o Look in log.smbd and if you see a line like:
trust account ws1$ should be in DOMAIN_GROUP_RID_USERS
then something is messed up with the Unix group membership, or the
domain group map entry for "Domain Users".
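As an added example, not part of the original post and not the Samba project's own tooling: a POSIX shell script that prepares the Unix side of the machine trust accounts the post describes, i.e. one "<name>$" passwd entry per domain member with a uid that is not reused, the shared group that is mapped to "Domain Users", the domain.user.map line with its required double quotes, and the list of smbpasswd -a -m commands to run afterwards. It works on constructed copies of passwd and group in a temporary directory rather than on /etc; the group name domainUsers, the gid 800 and the uids 800-802 follow the post's examples, and the root and jerry entries in the sample files are made up.

```shell
#!/bin/sh
# Added example (not from the FAQ or the Samba project): set up the Unix
# accounts behind NT4 machine trust accounts on a Samba PDC, as described
# in the post. Runs against constructed sample files in a temp dir.

WORK=$(mktemp -d)
PASSWD="$WORK/passwd"           # stand-in for /etc/passwd (constructed)
GROUP="$WORK/group"             # stand-in for /etc/group  (constructed)
DOMAIN_GROUP=domainUsers        # group mapped to "Domain Users" (from the post)
DOMAIN_GID=800                  # its gid, as in the post's passwd examples

# Constructed sample entries; only their uids/gids matter here.
cat > "$PASSWD" <<'EOF'
root:x:0:0:root:/root:/bin/sh
jerry:x:500:100:Jerry:/home/jerry:/bin/sh
EOF
cat > "$GROUP" <<'EOF'
users:x:100:
EOF

# uid_in_use UID: true if some passwd entry already carries that uid.
uid_in_use() {
    awk -F: -v u="$1" '$3 == u { found = 1 } END { exit !found }' "$PASSWD"
}

# name_in_use NAME: true if an account with exactly that name exists.
name_in_use() {
    awk -F: -v n="$1" '$1 == n { found = 1 } END { exit !found }' "$PASSWD"
}

# ensure_domain_group: create the shared group once, leave it alone if present.
ensure_domain_group() {
    grep -q "^$DOMAIN_GROUP:" "$GROUP" ||
        printf '%s:x:%s:\n' "$DOMAIN_GROUP" "$DOMAIN_GID" >> "$GROUP"
}

# add_trust_account NAME UID: append "NAME$" with a dummy password field,
# no home directory and no shell. A duplicate name or a reused uid is
# refused, because the uid is what makes the generated machine RID unique.
add_trust_account() {
    name="$1"; uid="$2"
    if name_in_use "${name}\$"; then
        echo "trust account ${name}\$ already exists" >&2; return 1
    fi
    if uid_in_use "$uid"; then
        echo "uid $uid is already used; pick another for ${name}\$" >&2; return 1
    fi
    printf '%s$:Dummy:%s:%s:NT trust account %s:/dev/null:/bin/false\n' \
        "$name" "$uid" "$DOMAIN_GID" "$name" >> "$PASSWD"
}

# trust_account_count: number of "<name>$" entries in the passwd file.
trust_account_count() {
    awk -F: '$1 ~ /\$$/ { n++ } END { print n + 0 }' "$PASSWD"
}

# smbpasswd_commands: one "smbpasswd -a -m <name>" per trust account
# (smbpasswd -m takes the name without the trailing $).
smbpasswd_commands() {
    awk -F: '$1 ~ /\$$/ { sub(/\$$/, "", $1); print "smbpasswd -a -m " $1 }' "$PASSWD"
}

# domain_user_map_line: the mapping for "domain user map"; the quotes
# around the NT group name are required, as the post notes.
domain_user_map_line() {
    printf '%s "Domain Users"\n' "$DOMAIN_GROUP"
}

# Usage: the PDC itself plus two workstations, uids handed out sequentially.
ensure_domain_group
uid=800
for member in server ws1 ws2; do
    add_trust_account "$member" "$uid"
    uid=$((uid + 1))
done
# A third workstation that tries to reuse uid 801 is rejected.
add_trust_account ws3 801 || echo "ws3 rejected as expected" >&2

echo "--- passwd entries for the domain members ($PASSWD) ---"
grep '\$:' "$PASSWD"
echo "--- $GROUP ---"
cat "$GROUP"
echo "--- line for domain.user.map ---"
domain_user_map_line
echo "--- run on the PDC once smbd is configured ---"
smbpasswd_commands
```

The temporary directory is left in place so the generated entries can be inspected; on a real PDC the equivalent lines would go into /etc/passwd and /etc/group (or NIS), followed by the printed smbpasswd commands.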