NetLogon Service
Phil Mayers
p.mayers at ic.ac.uk
Sun Mar 5 15:34:28 GMT 2000
What! That's outrageous! :o)
Basically, you're screwed. There's no design provision *anywhere* in
samba for this kind of thing AFAIK. You're pretty much on your own
(although that doesn't mean I wouldn't be interested in hearing how to
do it).
I think you'll probably have better success using a separate domain and
a trust relationship, but even that may prove flaky at best.
Cheers,
Phil
Brian Keats wrote:
>
> Ok, I guess now it's time to come clean.
> I've set up a few machines on a private network. The linux machine is acting
> as a firewall with IP_Masquerading turned on. To answer your question as to am
> I sure the linux machine is validating logon requests, yes I am certain it is.
> I've tried without SAMBA running and the machines don't seem to be able to find
> the domain controller. I've added the PDC and BDC's in the lmhosts file on the
> Win 95 machines and I've watched the packets flying through the "firewall".
> After reading some postings on the various IP MASQUERADING and IPCHAINS sites
> I've only come across 2 other people attempting to do what I'm trying to do
> and I saw a suggestion to try SAMBA. I'm impressed that it's performing the
> validation procedure and I can verify this because I can issue 'net use'
> commands from the WIN 95 machines and can also see the same machines through
> network neighborhood as I can when using another Win95 machine not behind my
> firewall. I've looked at the logs with logging turned up but haven't been able
> to exactly figure out what's going on. The logs don't really show me which
> interface is being used when IPC services are initiated. Although, when I
> first attempted this I made the mistake of putting both the private and public
> interfaces in the smb.conf 'interfaces' section (without telling any of the NT
> admins that I was doing this !!!!). The linux machine then validated users
> both on the private and public networks but didn't process the logon scripts
> which are stored on the various network machines !
> This is the only part I haven't much of an idea on how to handle. If you've
> read the previous postings it would be very easy if the NT administrators used
> something like a username (%U).bat to name the logon scripts and kept them all
> in one directory, but they don't. It would also be very easy if I only had a
> couple of users to deal with, at which point I could synchronize a netlogon
> share with NT machines. I could possibly work around this if the NT PDC
> or BDC would pass along in its logon structure the name and path of the logon
> script for the validated user. Maybe NT does do this and a newer samba version
> would be able to pick this up ? Or maybe my answer is to create my own domain
> and then create a trust with the NT domain ?
>
> On Fri, 03 Mar 2000, Mayers, P J wrote:
> > Erm... What? I'm really confused now. Is the machine meant to be a PDC, BDC
> > or just a server? "server = domain" (and yes, it is a badly named parameter
> > dammit, but we've been through this discussion a million times, and I see no
> > need to repeat it) makes the samba server a domain *member*.
> >
> > server = security
> > domain logons = yes
> > local master = yes
> >
> > make it a PDC, and the same with
> >
> > local master = no
> >
> > Make it a BDC, but that only kind-of works IIRC.
> >
> > <Note: I don't use the BDC stuff, and I could be wrong about this>
> >
> > So what are you trying to do? A security=domain machine will never serve
> > logon requests because it's a domain member, hence the netlogon share issue
> > isn't an issue...
> >
> > Wait...
> >
> > Reading your original email implies that you *know* you're using it as a
> > domain member, but also:
> >
> > > currently using 2.05 as a member of an NT domain, with security = domain, to
> > > process domain logons for a handful of Win95 machines. The current setup
> >
> > That certainly shouldn't work - what's your complete smb.conf? Are you sure
> > that the samba server is actually the one serving the logon requests? It
> > shouldn't be in security=domain.
> >
> > Cheers,
> > Phil
> >