Update suggestion for Samba NT Domain FAQ
Pedro Miguel Frazao Fernandes Ferreira
pfrazao at ualg.pt
Mon Feb 22 12:31:43 GMT 1999
Bill Nugent wrote:
>
> Howdy Jerry and everyone else,
>
> I have now gotten Samba going as a PDC for some NT Workstation
> SP4 - thank you!
>
> I've found many of the emails of the last few days very helpful
> in filling the gaps "FAQ for Samba NTDOM PDC support" hasn't yet
> caught up on (especially for people like me who are NT/Domain/PDC
> ignorant).
>
> Here is my attempt at an update for the FAQ to help fill the gaps
> so other folks have an easier time.
>
> If you choose to use any part of this material, please double check
> what I've added to your wonderful FAQ - I'm still on the steep,
> slippery part of the learning curve!
>
> Thank you again,
> Bill
>
> FAQ for Samba NTDOM PDC support
>
> 2.2. How do I get my NT Workstation / Server to login to the Samba
> controlled Domain?
>
> o Obtain the latest main branch samba code (see question 2.1)
>
> o Set up samba with encrypted passwords: see ENCRYPTION.txt (probably
> out of date: you no longer need the DES libraries, but other than
> that, ENCRYPTION.txt is current).
>
> At this point, you ought to test that your samba server is
> accessible correctly with encrypted passwords, before progressing
> with any of the NT workstation-specific bits: it's up to you.
>
> o To create the machine account on the Samba PDC, first create an
> account in /etc/passwd (or equivalent in the case of NIS / NIS+)
> for the username <my_workstation's_name$> for each system in the
> domain including the Samba PDC.
>
> Currently the uid is all that will be used and this is to ensure
> that the samba generated machine RID for the workstation account will
> be unique. Therefore you should not reuse unix uids in
> /etc/passwd. The shell or home directory fields in /etc/passwd are
> not used for now and can be set to /bin/False and /dev/null
> respectively.
>
> On my Samba PDC (server.example.com) the /etc/passwd entries look
> like this:
>
> server$:Dummy:800:800:Samba Server:/dev/null:/bin/false
> ws1$:Dummy:801:800:NT Workstation 1:/dev/null:/bin/false
> ws2$:Dummy:802:800:NT Workstation 2:/dev/null:/bin/false
>
> All of these systems must be in a unique Unix group which will be
> mapped to the NT Domain Group "Domain Users" so the entry in my
> /etc/group (or equivalent in the case of NIS/NIS+) is:
>
> domainUsers:x:800:server$,ws1$,ws2$
>
> This is the line in my smb.conf to create the domain user map file:
>
> domain user map = /usr/local/samba/etc/domain.user.map
>
> The line in domain.user.map is:
>
> domainUsers "Domain Users"
>
> The double quotes are needed or else the line is misparsed.
>
> Then run the following commands:
>
> # smbpasswd -a -m server
> # smbpasswd -a -m ws1
> # smbpasswd -a -m ws2
>
> This will create an entry in the private/smbpasswd file in the form
> of
>
> my_workstation's_name$:uid:LM_XXX:NT_XXX:[W]:LTC-XXXX:
>
> The LM_XXX and NT_XXX fields are the ascii representations of the 16
> byte LanMan and NT MD4 hashes respectively of the password
> "my_workstation's_name".
>
> If you reload Windows NT on a system then you will need to
> regenerate the entry in smbpasswd.
>
> At the moment the 2.1-pre-alpha source tree version of smbpasswd is
> broken for Redhat 5.2 but the version in the 2.0.2 release works.
>
> o If you want to have a domain wide policy settings then use the NT
> Policy Editor (see question 5.1 to see how to get it) to create
> ntconfig.pol and then place it in the root of the [netlogon] share.
>
> o If you want the NT profiles stored on the server then make sure the
> systems are in time sync. This can be done in the logon script by
> including the line "NET \\server /TIME /SET" and by granting all
> users the right to set the system time. Probably a better way is to
> have an NTP broadcast on your network (maybe from the Samba PDC) and
> run clients on the NT workstations. If you don't do this then it is
> possible for profile updates to fail under some circumstances.
>
> In the Samba 2.0.0 and 2.0.2 releases the RedHat sample smb.conf
> file needs this line added to the [Profiles] share:
>
> writeable = true
>
> o If using NT server to log in, run the User Manager for Domains, and
> add the capability to "Log in Locally" to the policies, which you
> would have to do even if you were logging in to another NT PDC
> instead of a Samba PDC.
>
> o Set up the following parameters in smb.conf
>
> ; substitute your workgroup here
> workgroup = SAMBA
>
> ; tells workstations to use SAMBA as its Primary Domain Controller.
> domain logons = yes
>
> o Starting smbd will create a file named private/SAMBA.SID with
> permissions rw-r--r--. The file contains the domain SID for the
> samba PDC. The filename will differ depending on the value of the
> workgroup parameter. If the contents of this file change, no domain
> members will be able to logon and will need to be readded to the
> domain again. Guard it carefully!
>
> o Make sure samba is running before the next step is carried out. If
> this is your first time, just for fun you might like to switch the
> debug log level to about 20. The NT pipes produce some very pretty
> output when decoding requests and generating responses, which would
> be particularly useful to see in tcpdump at some point.
>
> o In the NT Network Settings, change the domain to SAMBA. Do not
> attempt to create an account using the other part of the dialog: it
> will fail at present.
>
> You should get a wonderful message saying "Welcome to the SAMBA
> Domain."
>
> If you don't, then please first increase your debug log levels and
> also get a tcpdump (or preferably NetMonitor) trace and examine it
> carefully. You should see a NETLOGON, a SAMLOGON on UDP port
> 138. If you don't, then you probably don't have "domain logons =
> yes" or there is some other problem in resolving the NetBIOS name
> SAMBA<1c> or in the /etc/passwd and/or smbpasswd entries for the NT
> client.
>
> On port 139, you should see a LSA_OPEN_POLICY, two LSA_QUERY_INFOs
> (one for a domain SID of S-1-3... and another for S-1-5) and then an
> LSA_CLOSE or two.
>
> You may see a pipe connection to a wkssvc pipe, and you may also see
> a "Net Server Get Info" being issued on the srvsvc pipe.
>
> Assuming you got the Welcome message, go through the obligatory
> reboot (the NT box, not the Samba server).
>
> ..
>
> 2.6. My Roaming Profiles are not updating!
>
> o Make sure the Directory Replicator Service is running and setup on
> the NT Workstation: Go to each workstation, Control Panel,
> Services, set Directory Replicator Service to Automatic and start it
> running. Go to the Control Panel, Server, Replication, enable
> Import Directories, add the Samba PDC.
Wait. I think this is in order to use policies (.pol files with
registry settings which are loaded by W95, NT wkst, W98 machines).
policy files != roaming profiles. I believe the question to this should
be:
My domain member computers are not reading the policy file from the
server. (Or something like this).
>
> o Make sure your systems have the same time.
>
> o Make sure the Profiles share is writable by the client (e.g., this
> should already be working in a non-domain login for the user).
>
> o Look in log.smbd and if you see a line like:
>
> trust account ws1$ should be in DOMAIN_GROUP_RID_USERS
>
> then something is messed up with the Unix group membership, or the
> domain group map entry for "Domain Users".
--
------------------------------------------------------------------------
Pedro Miguel Frazao Fernandes Ferreira, Universidade do Algarve
U.C.E.H., Campus de Gambelas, 8000 - Faro, Portugal
pfrazao at ualg.pt Tel.:+351 89 800950 / 872959 Fax: +351 89 818560
http://w3.ualg.pt/~pfrazao
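The machine trust account step quoted above (one /etc/passwd entry per workstation with a trailing "$", a uid that is never reused, and all of them in one Unix group mapped to "Domain Users") is easy to get subtly wrong by hand. The following POSIX shell script is an added example, not code from the thread or from the Samba project: it generates those /etc/passwd and /etc/group lines, skips any uid already present in the passwd file, and refuses to emit a duplicate trust account. The passwd file path, the "*" in the password field (a locked Unix password; the posted entries used "Dummy") and the sample passwd contents are assumptions. Feeding the output into the real /etc/passwd and then running "smbpasswd -a -m" per host is left to the administrator.

```shell
#!/bin/sh
# Added example, not from the original FAQ: generate Samba machine trust
# account entries with unique uids. Assumptions: passwd file path passed in,
# "*" as the locked Unix password field, /bin/false and /dev/null as in the FAQ.

# account_exists PASSWD_FILE NAME: succeed if NAME already has a passwd entry.
account_exists() {
    awk -F: -v n="$2" '$1 == n { found = 1 } END { exit !found }' "$1"
}

# next_free_uid PASSWD_FILE START: print the first uid >= START not in use.
# The FAQ warns that the machine RID is derived from the uid, so reuse is fatal.
next_free_uid() {
    passwd_file=$1
    uid=$2
    while awk -F: -v u="$uid" '$3 == u { found = 1 } END { exit !found }' "$passwd_file"; do
        uid=$((uid + 1))
    done
    echo "$uid"
}

# machine_passwd_line NAME UID GID: one trust-account /etc/passwd entry.
# The Unix password is locked ("*"); the NT hashes live in smbpasswd instead.
machine_passwd_line() {
    printf '%s$:*:%s:%s:Samba machine trust account:/dev/null:/bin/false\n' "$1" "$2" "$3"
}

# machine_group_line GROUP GID NAME...: the Unix group that domain.user.map
# ties to "Domain Users", listing every trust account as a member.
machine_group_line() {
    group=$1; gid=$2; shift 2
    members=$(printf '%s$,' "$@")
    printf '%s:x:%s:%s\n' "$group" "$gid" "${members%,}"
}

# build_entries PASSWD_FILE START_UID GID GROUP NAME...: print the passwd
# lines followed by the group line; fail if any NAME$ already exists.
build_entries() {
    passwd_file=$1; uid=$2; gid=$3; group=$4; shift 4
    for name in "$@"; do
        if account_exists "$passwd_file" "$name\$"; then
            echo "error: trust account $name\$ already exists in $passwd_file" >&2
            return 1
        fi
    done
    for name in "$@"; do
        uid=$(next_free_uid "$passwd_file" "$uid")
        machine_passwd_line "$name" "$uid" "$gid"
        uid=$((uid + 1))
    done
    machine_group_line "$group" "$gid" "$@"
}

# Constructed sample passwd fragment (not a real system file) in which uid 800
# is already taken, so the first machine account must be pushed to 801.
sample=$(mktemp)
cat > "$sample" <<'EOF'
root:x:0:0:root:/root:/bin/sh
bill:x:800:800:Bill:/home/bill:/bin/sh
EOF
build_entries "$sample" 800 800 domainUsers server ws1 ws2
rm -f "$sample"
```

Run it as shown and it prints three passwd lines (uids 801, 802, 803) and the line `domainUsers:x:800:server$,ws1$,ws2$`; append those to the real files, then create the smbpasswd entries with `smbpasswd -a -m <name>` exactly as the FAQ describes.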