Update suggestion for Samba NT Domain FAQ

Pedro Miguel Frazao Fernandes Ferreira pfrazao at ualg.pt
Mon Feb 22 12:31:43 GMT 1999

Bill Nugent wrote:
> Howdy Jerry and everyone else,
> I have now gotten Samba going as a PDC for some NT Workstation
> SP4 - thank you!
> I've found many of the emails of the last few days very helpful
> in filling the gaps "FAQ for Samba NTDOM PDC support" hasn't yet
> caught up on (especially for people like me who are NT/Domain/PDC
> ignorant).
> Here is my attempt at an update for the FAQ to help fill the gaps
> so other folks have an easier time.
> If you choose to use any part of this material, please double check
> what I've added to your wonderful FAQ - I'm still on the steep,
> slippery part of the learning curve!
>         Thank you again,
>         Bill
> FAQ for Samba NTDOM PDC support
> 2.2. How do I get my NT Workstation / Server to login to the Samba
> controlled Domain?
> o Obtain the latest main branch samba code (see question 2.1)
> o Set up samba with encrypted passwords: see ENCRYPTION.txt (probably
>   out of date: you no longer need the DES libraries, but other than
>   that, ENCRYPTION.txt is current).
>   At this point, you ought to test that your samba server is
>   accessible correctly with encrypted passwords, before progressing
>   with any of the NT workstation-specific bits: it's up to you.
> o To create the machine account on the Samba PDC, first create an
>   account in /etc/passwd (or equivalent in the case of NIS / NIS+)
>   for the username <my_workstation's_name$> for each system in the
>   domain including the Samba PDC.
>   Currently the uid is all that will be used and this is to ensure
>   that the samba generated machine RID for the worstation account will
>   be unique.  Therefore you should not reuse unix uid's in
>   /etc/passwd.  The shell or home directory fields in /etc/passwd are
>   not used for now and can be set to /bin/False and /dev/null
>   respectively.
>   On my Samba PDC (server.example.com) the /etc/passwd entries look
>   like this:
>    server$:Dummy:800:800:Samba Server:/dev/null:/bin/false
>    ws1$:Dummy:801:800:NT Workstation 1:/dev/null:/bin/false
>    ws2$:Dummy:802:800:NT Workstation 2:/dev/null:/bin/false
>   All of these systems must be in a unique Unix group which will be
>   mapped to the NT Domain Group "Domain Users" so the entry in my
>   /etc/group (or equivalent in the case of NIS/NIS+) is:
>    domainUsers:x:800:server$,ws1$,ws2$
>   This is the line in my smb.conf to create the domain user map file:
>    domain user map = /usr/local/samba/etc/domain.user.map
>   The line in domain.user.map is:
>    domainUsers "Domain Users"
>   The double quotes are needed or else the line is misparsed.
>   Then run the following commands:
>    # smbpasswd -a -m server
>    # smbpasswd -a -m ws1
>    # smbpasswd -a -m ws2
>   This will create an entry in the private/smbpasswd file in the form
>   of
>    my_workstation's_name$:uid:LM_XXX:NT_XXX:[W]:LTC-XXXX:
>   The LM_XXX and NT_XXX fields are the ascii representations of the 16
>   byte LanMan and NT MD4 hashes respectively of the password
>   "my_workstation's_name".
>   If you reload Windows NT on a system then you will need to
>   regenerate the entry in smbpasswd.
>   At the moment the 2.1-pre-alpha source tree version of smbpasswd is
>   broken for Redhat 5.2 but the version in the 2.0.2 release works.
> o If you want to have a domain wide policy settings then use the NT
>   Policy Editor (see question 5.1 to see how to get it) to create
>   ntconfig.pol and then place it in the root of the [netlogon] share.
> o If you want the NT profiles stored on the server then make sure the
>   systems are in time sync.  This can be done by setting the in the
>   logon script by including the line "NET \\server /TIME /SET" and by
>   granting all users the right to set the system time.  Probably a
>   better way is to have an NTP broadcast on your network (maybe from
>   the Samba PDC) and run clients on the NT workstations.  If you don't
>   do this then it is possible for profile updates to fail under some
>   circumstatnces.
>   In the Samba 2.0.0 and 2.0.2 releases the RedHat sample smb.conf
>   file need this line added to [Profiles] share:
>    writeable = true
> o If using NT server to log in, run the User Manager for Domains, and
>   add the capability to "Log in Locally" to the policies, which you
>   would have to do even if you were logging in to another NT PDC
>   instead of a Samba PDC.
> o Set up the following parameters in smb.conf
>    ; substitute your workgroup here
>    workgroup = SAMBA
>    ; tells workstations to use SAMBA as its Primary Domain Controller.
>    domain logons = yes
> o Starting smbd will create a file name private/SAMBA.SID with
>   permissions rw-r--r--. The file contains the domain SID for the
>   samba PDC. The filename will differ depending on the value of the
>   workgroup parameter.  If the contents of this file change, no domain
>   members will be able to logon and will need to be readded to the
>   domain again.   Guard it carefully!
> o Make sure samba is running before the next step is carried out. if
>   this is your first time, just for fun you might like to switch the
>   debug log level to about 20. the NT pipes produces some very pretty
>   output when decoding requests and generating responses, which would
>   be particularly useful to see in tcpdump at some point.
> o In the NT Network Settings, change the domain to SAMBA. Do not
>   attempt to create an account using the other part of the dialog: it
>   will fail at present.
>   You should get a wonderful message saying "Welcome to the SAMBA
>   Domain."
>   If you don't, then please first increase your debug log levels and
>   also get a tcpdump (or preferably NetMonitor) trace and examine it
>   carefully.  You should see a NETLOGON, a SAMLOGON on UDP port
>   138. If you don't, then you probably don't have "domain logons =
>   yes" or there is some other problem in resolving the NetBIOS name
>   SAMBA<1c> or in the /etc/passwd and/or smbpasswd entries for the NT
>   client.
>   On port 139, you should see a LSA_OPEN_POLICY, two LSA_QUERY_INFOs
>   (one for a domain SID of S-1-3... and another for S-1-5) and then an
>   LSA_CLOSE or two.
>   You may see a pipe connection to a wkssvc pipe, and you may also see
>   a "Net Server Get Info" being issued on the srvsvc pipe.
>   Assuming you got the Welcome message, go through the obligatory
>   reboot (the NT box, not the Samba server).
> ..
> 2.6.  My Roaming Profiles are not updating!
> o Make sure the Directory Replicator Service is running and setup on
>   the NT Workstation:  Go to each workstation, Control Panel,
>   Services, set Directory Replicator Service to Automatic and start it
>   running.  Go to the Control Panel, Server, Replication, enable
>   Import Directories, add the Samba PDC.

	Wait. I think this is in order to use policies (.pol files with
registry settings which are loaded by W95, NT wkst, W98 machines).
policy files != roaming profiles. I believe the question to this should

	My domain member computers are not reading the policy file from the
server. (Or something like this).

> o Make sure your systems have the same time.
> o Make sure the Profiles share is writable by the client (e.g., this
>   should already be working in a non-domain login for the user).
> o Look in log.smbd and if you see a line like:
>    trust account ws1$ should be in DOMAIN_GROUP_RID_USERS
>   then something is messed up with the Unix group membership, or the
>   domain group map entry for "Domain Users".

    Pedro Miguel Frazao Fernandes Ferreira, Universidade do Algarve
          U.C.E.H., Campus de Gambelas, 8000 - Faro, Portugal
pfrazao at ualg.pt     Tel.:+351 89 800950 / 872959     Fax: +351 89 818560

More information about the samba-ntdom mailing list