Update suggestion for Samba NT Domain FAQ

Luke Kenneth Casson Leighton lkcl at switchboard.net
Mon Feb 22 15:35:53 GMT 1999


bill, thanks.  comments below.

> o To create the machine account on the Samba PDC, first create an

workstation trust account.  there is no such thing as a machine account.

>   All of these systems must be in a unique Unix group which will be
>   mapped to the NT Domain Group "Domain Users" so the entry in my
>   /etc/group (or equivalent in the case of NIS/NIS+) is:
> 
>    domainUsers:x:800:server$,ws1$,ws2$

...plus any other users (real users) that are domain users.

>   This is the line in my smb.conf to create the domain user map file:
> 
>    domain user map = /usr/local/samba/etc/domain.user.map
> 
>   The line in domain.user.map is:
> 
>    domainUsers "Domain Users"
                ^
you need a tab or an "=" not a space.

>    my_workstation's_name$:uid:LM_XXX:NT_XXX:[W]:LTC-XXXX:
                                                ^
there are about eight spaces in here.

> o Make sure samba is running before the next step is carried out. If
>   this is your first time, just for fun you might like to switch the
>   debug log level to about 20. The NT pipes produce some very pretty
>   output when decoding requests and generating responses, which would
>   be particularly useful to see in tcpdump at some point.

:)
 
>   You should get a wonderful message saying "Welcome to the SAMBA
>   Domain."

my favourite part, this.
 
>   On port 139, you should see a LSA_OPEN_POLICY, two LSA_QUERY_INFOs
>   (one for a domain SID of S-1-3... and another for S-1-5) and then an
>   LSA_CLOSE or two.

two.  one.  hang on.  LsaOpenPolicy, then _one_ LsaClose.  yes.  one.
 
>   You may see a pipe connection to a wkssvc pipe, and you may also see
>   a "Net Server Get Info" being issued on the srvsvc pipe.
          ^      ^   ^
remove spaces.

> o Look in log.smbd and if you see a line like:
> 
>    trust account ws1$ should be in DOMAIN_GROUP_RID_USERS
> 
>   then something is messed up with the Unix group membership, or the
>   domain group map entry for "Domain Users".

...   domain group map entry for "Domain Users".  Check that all entries
in the map files have "=" or tabs as separators between the unix and nt
names.

thanx once again, bill.
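
The separator and group-membership checks discussed in this message, as an added example that is not part of the original e-mail and is not Samba code: a small Python linter. It assumes one map entry per line (unix name, then a tab or "=", then the NT name, as quoted above) and the standard /etc/group layout; the function names and sample data are constructed for illustration.

```python
import re

# Constructed sample inputs (not taken from a real system).
SAMPLE_MAP = 'domainUsers "Domain Users"\ndomainAdmins\t"Domain Admins"\nguests="Domain Guests"\n'
SAMPLE_GROUP = "domainUsers:x:800:server$,ws1$\nusers:x:100:alice\n"

# unix name, then "=" or a tab as separator, then the NT name.
ENTRY = re.compile(r'([^\s="]+)\s*(?:=|\t)\s*(.+)')

def check_map(text):
    """Return ({unix_group: nt_group}, [problems]) for a map file's text."""
    mapping, problems = {}, []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        m = ENTRY.fullmatch(line)
        if m is None:
            # Typical cause: a plain space between the two names.
            problems.append(f"line {n}: no tab or '=' between unix and NT name: {raw!r}")
            continue
        mapping[m.group(1)] = m.group(2).strip().strip('"')
    return mapping, problems

def group_members(group_text):
    """Parse /etc/group style text into {group: set(members)}."""
    members = {}
    for line in group_text.splitlines():
        fields = line.strip().split(":")
        if len(fields) == 4:
            members[fields[0]] = {m for m in fields[3].split(",") if m}
    return members

def diagnose(map_text, group_text, trust_accounts, nt_group="Domain Users"):
    """List reasons a trust account may not be seen as a member of nt_group."""
    mapping, problems = check_map(map_text)
    unix = [u for u, nt in mapping.items() if nt == nt_group]
    if not unix:
        problems.append(f'no valid map entry for "{nt_group}"')
        return problems
    members = group_members(group_text).get(unix[0], set())
    for acct in trust_accounts:
        if acct not in members:
            problems.append(f"{acct} is not in unix group {unix[0]}")
    return problems

if __name__ == "__main__":
    for p in diagnose(SAMPLE_MAP, SAMPLE_GROUP, ["ws1$", "ws2$"]):
        print(p)
```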


