Update for Samba NT Domain FAQ with corrections

Gerald Carter cartegw at Eng.Auburn.EDU
Thu Feb 25 22:04:19 GMT 1999


I've been fairly silent as of late.  Things have been 
busy.  Here's my take on things.  I am updating the FAQ as 
I write.

First let me state that running a PDC, Samba or NT, 
requires knowledge of NT.  There is no way around 
this.  You need to know things about how NT caches
user profiles and how system policies are downloaded.
Also what's the difference between the GINA and LSA.

Also have to through this in.

[HKLM\SOFTWARE|Microsoft=Windows NT\WinLogon]

does **not** prevent profiles from being cached locally.
It only deletes the cache when the user logs out and
the profile information has been successfully updated 
on the server.  If the machine Blue Screens prior to this, 
the cache is left on the machine.  [sorry, had to get 
that one out]

Bill Nugent wrote:
> FAQ for Samba NTDOM PDC support
> 2.2. How do I get my NT Workstation / Server to login to the Samba
> controlled Domain?
> o Obtain the latest main branch samba code (see question 2.1)
> o Set up samba with encrypted passwords: see ENCRYPTION.txt (probably
>   out of date: you no longer need the DES libraries, but other than
>   that, ENCRYPTION.txt is current).
>   At this point, you ought to test that your samba server is
>   accessible correctly with encrypted passwords, before progressing
>   with any of the NT workstation-specific bits: it's up to you.
> o To create the trust account for each computer to join the 
>   domain with
>   Samba as the PDC, first create an account in /etc/passwd (or
>   equivalent in the case of NIS / NIS+) for the username
>   <my_workstation's_name$> for each system in the domain including
>   the Samba PDC.

Do not need to include an entry for the Samba PDC.

>   Currently the uid is all that will be used and this is to ensure
>   that the samba generated machine RID for the worstation account will
>   be unique.  Therefore you should not reuse unix uid's in
>   /etc/passwd.  The shell or home directory fields in /etc/passwd are
>   not used for now and can be set to /bin/False and /dev/null
>   respectively.
>   On my Samba PDC (server.example.com) the /etc/passwd entries look
>   like this:
>    ws1$:Dummy:801:800:NT Workstation 1:/dev/null:/bin/false
>    ws2$:Dummy:802:800:NT Workstation 2:/dev/null:/bin/false
>   All of these systems must be in a unique Unix group which will be
>   mapped to the NT Domain Group "Domain Users" so the entry in my
>   /etc/group (or equivalent in the case of NIS/NIS+) is:
>    domainUsers:x:800:server$,ws1$,ws2$


[an aside to Luke...

	Can you set the debug level hugh for the "machine$ 
	should be in group Domain Users" message.  Really seems 
	to be causing a lot of confusion.

	There is no reason that I can think of not to have 
	the group hard coded for workstation trust accounts.
	Am I wrong?

...end of aside]

>   This group should have members all of the other users (real users)
>   (hmmm...I don't think I'm doing this but it seems to work)
>   This is the line in my smb.conf to create the domain user map file:
>    domain user map = /usr/local/samba/etc/domain.user.map
>   The line in domain.user.map is:
>    domainUsers = "Domain Users"
>   The double quotes are needed or else the line is misparsed.

This is correct, but again not neccessary for workstation trust

>   Then run the following commands:
>    # smbpasswd -a -m server

not needed for the PDC

>    # smbpasswd -a -m ws1
>    # smbpasswd -a -m ws2
>   This will create an entry in the private/smbpasswd file in the form
>   of
>    my_workstation's_name$:uid:LM_XXX:NT_XXX:[W        ]:LTC-XXXX:
>   The LM_XXX and NT_XXX fields are the ascii representations of the 16
>   byte LanMan and NT MD4 hashes respectively of the password
>   "my_workstation's_name".
>   If you reload Windows NT on a system then you will need to
>   regenerate the entry in smbpasswd.

How about saying this like...

When a machine joins a domain it uses the default 
password (i.e. it's netbios name in lower case letters.  
Once it has successfully joined the  domain, the client 
will change it's password to some random value using 
the old password a the encryption key.  Therefore if you 
must rejoin the domain, you must reset the pasword for 
the workstation trust account on the sersver. 

>   At the moment the 2.1-pre-alpha source tree version of smbpasswd is
>   broken for Redhat 5.2 but the version in the 2.0.2 release works.

2.0 is not PDC code period.  Regardless of whether not parts of 
it work that way.

> o If you want to have a domain wide policy settings then use the NT
>   Policy Editor (see question 5.1 to see how to get it) to create
>   ntconfig.pol and then place it in the root of the [netlogon] share.

This is not really part of adding a machine to the domain.
So i thinkI'm going to leave it a a separate item.

> o If you want the NT profiles stored on the server then make sure the
>   systems are in time sync.  This can be done by setting the in the
>   logon script by including the line "NET \\server /TIME /SET" and by
>   granting all users the right to set the system time.  Probably a
>   better way is to have an NTP broadcast on your network (maybe from
>   the Samba PDC) and run clients on the NT workstations.  If you don't
>   do this then it is possible for profile updates to fail under some
>   circumstatnces.

Same here.  Not really part of adding to a domain.

>   In the Samba 2.0.0 and 2.0.2 releases the RedHat sample smb.conf
>   file need this line added to [Profiles] share:
>    writeable = true

2.0 PDC is broken, so I'm leaving this part out.  

> o If using NT server to log in, run the User Manager for Domains, and
>   add the capability to "Log in Locally" to the policies, which you
>   would have to do even if you were logging in to another NT PDC
>   instead of a Samba PDC.
<snip orginal text>
> ...
> 2.6.  My Roaming Profiles are not updating!
> o Make sure the Directory Replicator Service is running and setup on
>   the NT Workstation:  Go to each workstation, Control Panel,
>   Services, set Directory Replicator Service to Automatic and start it
>   running.  Go to the Control Panel, Server, Replication, enable
>   Import Directories, add the Samba PDC.

Huh?  Have never had to do this.  This is from the Wks 
Resource Kit...

The copying of a master set of directories from a server 
(called an export server) to specified servers or workstations 
(called import computers) in the same or other domains. 
Replication simplifies the task of maintaining identical sets 
of directories and files on multiple computers, because only 
a single master copy of the data must be maintained. Files 
are replicated when they are added to an exported directory, 
and every time a change is saved to the file. See also 
Directory Replicator service.

Has nothing to do with profiles.

> o Make sure your systems have the same time.


> o Make sure the Profiles share is writable by the client (e.g., this
>   should already be working in a non-domain login for the user).


> o Look in log.smbd and if you see a line like:
>    trust account ws1$ should be in DOMAIN_GROUP_RID_USERS
>   then something is messed up with the Unix group membership, or the
>   domain group map entry for "Domain Users".  Check that all entries
>   in the map files have "=" or tabs as separators between the Unix
>   NT names.

This doesn't matter.

> o Make sure the file permissions and ownerships in the [Profiles]
>   share are correct.

Yes.  Should be checked when verify write access (up to admin 
to do this obviously)

> o None of the above has fixed it and are feeling desperate?  Then
>   either this trouble shooting list is incomplete (likely) or something
>   is confused (very likely) - try rebooting the NT box and while NT is
>   not running (e.g., BIOS is counting memory) restart the smbd & nmbd
>   just in case a change you made hasn't been incorporated...desperate
>   times require desperate measures.  I've noticed NT can get confused
>   if I've restarted my Samba servertoo many times or the phase of the
>   moon is wrong.  Someone should write smbpom (SMB Phase Of Moon)
>   program to display the inner workings of NT ;^)

?????  Methinks I'll leave this out as well.

> 2.7   My domain member computer is not reading the policy file from
>       the server!
> o Make sure the Directory Replicator Service is running and setup on
>   the NT Workstation:  Go to each workstation, Control Panel,
>   Services, set Directory Replicator Service to Automatic and start it
>   running.  Go to the Control Panel, Server, Replication, enable
>   Import Directories, add the Samba PDC.

Again, nothing to do with policies (unless I am dastardly wrong)

> o Make sure your NTconfig.pol file is in the right place - in the
>   [netlogon] share's root directory and the file permissions are
>   set so it is readable.


	locking = no
	broweable = yes

and play with case settings.


Thanks for the rewrite.  I'm working on updating things now.  May not
finish until tomorrow morning.

                            Gerald ( Jerry ) Carter	
Engineering Network Services                           Auburn University 
jerry at eng.auburn.edu             http://www.eng.auburn.edu/users/cartegw

       "...a hundred billion castaways looking for a home."
                                  - Sting "Message in a Bottle" ( 1979 )

More information about the samba-ntdom mailing list