Update suggestion for Samba NT Domain FAQ
Luke Kenneth Casson Leighton
lkcl at switchboard.net
Mon Feb 22 15:35:53 GMT 1999
bill, thankx. comments below.
> o To create the machine account on the Samba PDC, first create an
workstation trust account. there is no such thing as a machine account.
> All of these systems must be in a unique Unix group which will be
> mapped to the NT Domain Group "Domain Users" so the entry in my
> /etc/group (or equivalent in the case of NIS/NIS+) is:
>
> domainUsers:x:800:server$,ws1$,ws2$
...plus any other users (real users) that are domain users.
> This is the line in my smb.conf to create the domain user map file:
>
> domain user map = /usr/local/samba/etc/domain.user.map
>
> The line in domain.user.map is:
>
> domainUsers "Domain Users"
             ^
you need a tab or an "=" not a space.
> my_workstation's_name$:uid:LM_XXX:NT_XXX:[W]:LTC-XXXX:
^
there are about eight spaces in here.
> o Make sure samba is running before the next step is carried out. if
> this is your first time, just for fun you might like to switch the
> debug log level to about 20. the NT pipes produces some very pretty
> output when decoding requests and generating responses, which would
> be particularly useful to see in tcpdump at some point.
:)
> You should get a wonderful message saying "Welcome to the SAMBA
> Domain."
my favourite part, this.
> On port 139, you should see a LSA_OPEN_POLICY, two LSA_QUERY_INFOs
> (one for a domain SID of S-1-3... and another for S-1-5) and then an
> LSA_CLOSE or two.
two. one. hang on. LsaOpenPolicy, then _one_ LsaClose. yes. one.
> You may see a pipe connection to a wkssvc pipe, and you may also see
> a "Net Server Get Info" being issued on the srvsvc pipe.
        ^      ^   ^
remove spaces.
> o Look in log.smbd and if you see a line like:
>
> trust account ws1$ should be in DOMAIN_GROUP_RID_USERS
>
> then something is messed up with the Unix group membership, or the
> domain group map entry for "Domain Users".
... domain group map entry for "Domain Users". Check that all entries
in the map files have "=" or tabs as separators between the unix and nt
names.
thanx once again, bill.
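
Added example, not part of the original message or of Samba: a small check for the two causes named above for the "should be in DOMAIN_GROUP_RID_USERS" log line, a map entry separated by a space instead of "=" or a tab, and a trust account missing from the mapped Unix group. The function names and the sample data are constructed for illustration; the map file is assumed to hold one unix-name/NT-name pair per line, as in the quoted entry.

```python
# Constructed sample data modelled on the lines quoted in this thread.
BAD_MAP = 'domainUsers "Domain Users"\n'  # space separator
GOOD_MAP = 'domainUsers\t"Domain Users"\nadmins="Domain Admins"\n'
GROUP = "domainUsers:x:800:server$,ws1$\nadmins:x:801:root\n"


def parse_map(text):
    """Return ({nt_name: unix_group}, [line numbers with a bad separator])."""
    mapping, bad = {}, []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        for sep in ("=", "\t"):
            if sep in line:
                unix, nt = line.split(sep, 1)
                mapping[nt.strip().strip('"')] = unix.strip()
                break
        else:
            bad.append(lineno)  # only spaces between the unix and nt names
    return mapping, bad


def parse_group(text):
    """Return {group_name: set(members)} from /etc/group-style text."""
    groups = {}
    for line in text.splitlines():
        fields = line.strip().split(":")
        if len(fields) == 4:
            groups[fields[0]] = {m for m in fields[3].split(",") if m}
    return groups


def check(map_text, group_text, trust_accounts, nt_group="Domain Users"):
    """List the problems that would leave a trust account outside nt_group."""
    mapping, bad = parse_map(map_text)
    problems = [f"map line {n}: separator must be '=' or a tab" for n in bad]
    unix = mapping.get(nt_group)
    if unix is None:
        return problems + [f'no usable map entry for "{nt_group}"']
    members = parse_group(group_text).get(unix)
    if members is None:
        return problems + [f"unix group {unix} not found"]
    missing = [a for a in trust_accounts if a not in members]
    return problems + [f"{a} is not a member of {unix}" for a in missing]


if __name__ == "__main__":
    for text in (BAD_MAP, GOOD_MAP):
        print(check(text, GROUP, ["server$", "ws1$", "ws2$"]))
```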