NetLogon Service

Phil Mayers p.mayers at ic.ac.uk
Sun Mar 5 15:34:28 GMT 2000


What! That's outrageous! :o)

Basically, you're screwed. There's no design provision *anywhere* in
samba for this kind of thing AFAIK. You're pretty much on your own
(although that doesn't mean I wouldn't be interested in hearing how to
do it).

I think you'll probably have better success using a separate domain and
a trust relationship, but even that may prove flaky at best.

Cheers,
Phil

Brian Keats wrote:
> 
> Ok, I guess now it's time to come clean.
> I've set up a few machines on a private network.  The linux machine is acting
> as a firewall with IP_Masquerading turned on.  To answer your question as to am
> I sure the linux machine is validating logon requests, yes I am certain it is.
> I've tried without SAMBA running and the machines don't seem to be able to find
> the domain controller.  I've added the PDC and BDC's in the lmhosts file on the
> Win 95 machines and I've watched the packets flying through the "firewall".
> After reading some postings on the various IP MASQUERADING and IPCHAINS sites
> I've only come across 2 other people attempting to do what I'm trying to do
> and I saw a suggestion to try SAMBA.  I'm impressed that it's performing the
> validation procedure and I can verify this because I can issue 'net use'
> commands from the WIN 95 machines and can also see the same machines through
> network neighborhood as I can when using another Win95 machine not behind my
> firewall.  I've looked at the logs with logging turned up but haven't been able
> to exactly figure out what's going on.  The logs don't really show me which
> interface is being used when IPC services are initiated.  Although, when I
> first attempted this I made the mistake of putting both the private and public
> interfaces in the smb.conf 'interfaces' section (without telling any of the NT
> admins that I was doing this !!!!).  The linux machine then validated users
> both on the private and public networks but didn't process the logon scripts
> which are stored on the various network machines !
> This is the only part I haven't much of an idea on how to handle.  If you've
> read the previous postings it would be very easy if the NT administrators used
> something like a username (%U).bat to name the logon scripts and kept them all
> in one directory, but they don't.  It would also be very easy if I only had a
> couple of users to deal with, at which point I could synchronize a netlogon
> share with NT machines.  I could possibly work around this if the NT PDC
> or BDC would pass along in its logon structure the name and path of the logon
> script for the validated user.  Maybe NT does do this and a newer samba version
> would be able to pick this up ? Or maybe my answer is to create my own domain
> and then create a trust with the NT domain ?
> 
> On Fri, 03 Mar 2000, Mayers, P J wrote:
> > Erm... What? I'm really confused now. Is the machine meant to be a PDC, BDC
> > or just a server? "server = domain" (and yes, it is a badly named parameter
> > dammit, but we've been through this discussion a million times, and I see no
> > need to repeat it) makes the samba server a domain *member*.
> >
> > server = security
> > domain logons = yes
> > local master = yes
> >
> > make it a PDC, and the same with
> >
> > local master = no
> >
> > Make it a BDC, but that only kind-of works IIRC.
> >
> > <Note: I don't use the BDC stuff, and I could be wrong about this>
> >
> > So what are you trying to do? A security=domain machine will never serve
> > logon requests because it's a domain member, hence the netlogon share issue
> > isn't an issue...
> >
> > Wait...
> >
> > Reading your original email implies that you *know* you're using it as a
> > domain member, but also:
> >
> > > currently using 2.05 as a member of an NT domain, with security = domain, to
> > > process domain logons for a handful of Win95 machines.  The current setup
> >
> > That certainly shouldn't work - what's your complete smb.conf? Are you sure
> > that the samba server is actually the one serving the logon requests? It
> > shouldn't be in security=domain.
> >
> > Cheers,
> > Phil
> >


More information about the samba-ntdom mailing list