NetLogon Service

Brian Keats bkeats at spiff.chin.gc.ca
Fri Mar 3 17:57:12 GMT 2000


Ok, I guess now it's time to come clean.  
I've set up a few machines on a private network.  The linux machine is acting
as a firewall with IP_Masquerading turned on.  To answer your question as to am
I sure the linux machine is validating logon requests, yes I am certain it is. 
I've tried without SAMBA running and the machines don't seem to be able to find
the domain controller.  I've added the PDC and BDC's in the lmhosts file on the
Win 95 machines and I've watched the packets flying through the "firewall". 
After reading some postings on the various IP MASQUERADING and IPCHAINS sites
I've only come across 2 other people attempting to do what I'm trying to do
and I saw a suggestion to try SAMBA.  I'm impressed that it's performing the
validation procedure and I can verify this because I can issue 'net use'
commands from the WIN 95 machines and can also see the same machines through
network neighborhood as I can when using another Win95 machine not behind my
firewall.  I've looked at the logs with logging turned up but haven't been able
to exactly figure out what's going on.  The logs don't really show me which
interface is being used when IPC services are initiated.  Although, when I
first attempted this I made the mistake of putting both the private and public
interfaces in the smb.conf 'interfaces' section (without telling any of the NT
admins that I was doing this !!!!).  The linux machine then validated users
both on the private and public networks but didn't process the logon scripts
which are stored on the various network machines !  
This is the only part I haven't much of an idea on how to handle.  If you've
read the previous postings it would be very easy if the NT administrators used
something like a username (%U).bat to name the logon scripts and kept them all
in one directory, but they don't.  It would also be very easy if I only had a
couple of users to deal with, at which point I could synchronize a netlogon
share with NT machines.  I could possibly work around this if the NT PDC
or BDC would pass along in its logon structure the name and path of the logon
script for the validated user.  Maybe NT does do this and a newer samba version
would be able to pick this up ? Or maybe my answer is to create my own domain
and then create a trust with the NT domain ?


On Fri, 03 Mar 2000, Mayers, P J wrote:
> Erm... What? I'm really confused now. Is the machine meant to be a PDC, BDC
> or just a server? "server = domain" (and yes, it is a badly named parameter
> dammit, but we've been through this discussion a million times, and I see no
> need to repeat it) makes the samba server a domain *member*.
> 
> server = security
> domain logons = yes
> local master = yes
> 
> make it a PDC, and the same with
> 
> local master = no
> 
> Make it a BDC, but that only kind-of works IIRC.
> 
> <Note: I don't use the BDC stuff, and I could be wrong about this>
> 
> So what are you trying to do? A security=domain machine will never serve
> logon requests because it's a domain member, hence the netlogon share issue
> isn't an issue...
> 
> Wait...
> 
> Reading your original email implies that you *know* you're using it as a
> domain member, but also:
> 
> > currently using 2.05 as a member of an NT domain, with security = domain, to
> > process domain logons for a handful of Win95 machines.  The current setup
> 
> That certainly shouldn't work - what's your complete smb.conf? Are you sure
> that the samba server is actually the one serving the logon requests? It
> shouldn't be in security=domain.
> 
> Cheers,
> Phil
> 
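
Added example, not part of the original post or of the reply quoted in it: a
small Python check for the situation described in the message, where both the
private and the public address ended up on the smb.conf 'interfaces' line. The
sample configuration and its addresses are constructed, and audit_smb_conf is a
hypothetical helper name.

```python
import configparser
import ipaddress

RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample: dual-homed masquerading firewall, addresses are made up.
SAMPLE_CONF = """
[global]
workgroup = EXAMPLE
security = domain
interfaces = 192.168.1.1/24 198.51.100.7/24 eth1
bind interfaces only = no
"""

def audit_smb_conf(text):
    """Return findings about which networks this smb.conf offers Samba on."""
    cp = configparser.ConfigParser(strict=False, interpolation=None,
                                   delimiters=("=",))
    cp.read_string(text)
    g = cp["global"] if cp.has_section("global") else {}
    findings = []
    entries = g.get("interfaces", "").split()
    if not entries:
        findings.append("no 'interfaces' line: every broadcast-capable "
                        "interface is used")
    for entry in entries:
        try:
            addr = ipaddress.ip_interface(entry)   # accepts a.b.c.d/mask
        except ValueError:
            # Entry is an interface name such as eth1, not an address.
            findings.append(f"'{entry}' is an interface name: "
                            "check its address by hand")
            continue
        if not any(addr.ip in net for net in RFC1918):
            findings.append(f"'{entry}' is not an RFC 1918 private address")
    bind_only = g.get("bind interfaces only", "no").strip().lower()
    if bind_only not in ("yes", "true", "1"):
        findings.append("'bind interfaces only' is off: smbd is not "
                        "restricted to the listed interfaces")
    return findings

if __name__ == "__main__":
    for line in audit_smb_conf(SAMPLE_CONF):
        print("FINDING:", line)
```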

