NetLogon Service

Brian Keats bkeats at spiff.chin.gc.ca
Sun Mar 5 17:35:11 GMT 2000


I tried last week working with a trust relationship, only to arrive back
at the same thing.  I wonder if NT sends along the logon script info to
the linux machine (or even another NT machine) if there is a trust
relationship set up from the linux machine to the NT PDC?  I tried last
Friday to look at www.ntfaq.com but it appears the server was down.

On Mon, 6 Mar 2000, Phil Mayers wrote:

> What! That's outrageous! :o)
> 
> Basically, you're screwed. There's no design provision *anywhere* in
> samba for this kind of thing AFAIK. You're pretty much on your own
> (although that doesn't mean I wouldn't be interested in hearing how to
> do it).
> 
> I think you'll probably have better success using a separate domain and
> a trust relationship, but even that may prove flaky at best.
> 
> Cheers,
> Phil
> 
> Brian Keats wrote:
> > 
> > Ok, I guess now it's time to come clean.
> > I've set up a few machines on a private network.  The linux machine is acting
> > as a firewall with IP_Masquerading turned on.  To answer your question as to am
> > I sure the linux machine is validating logon requests, yes I am certain it is.
> > I've tried without SAMBA running and the machines don't seem to be able to find
> > the domain controller.  I've added the PDC and BDC's in the lmhosts file on the
> > Win 95 machines and I've watched the packets flying through the "firewall".
> > After reading some postings on the various IP MASQUERADING and IPCHAINS sites
> > I've only come across 2 other people attempting to do what I'm trying to do
> > and I saw a suggestion to try SAMBA.  I'm impressed that it's performing the
> > validation procedure and I can verify this because I can issue 'net use'
> > commands from the WIN 95 machines and can also see the same machines through
> > network neighborhood as I can when using another Win95 machine not behind my
> > firewall.  I've looked at the logs with logging turned up but haven't been able
> > to exactly figure out what's going on.  The logs don't really show me which
> > interface is being used when IPC services are initiated.  Although, when I
> > first attempted this I made the mistake of putting both the private and public
> > interfaces in the smb.conf 'interfaces' section (without telling any of the NT
> > admins that I was doing this !!!!).  The linux machine then validated users
> > both on the private and public networks but didn't process the logon scripts
> > which are stored on the various network machines !
> > This is the only part I haven't much of an idea on how to handle.  If you've
> > read the previous postings it would be very easy if the NT administrators used
> > something like a username (%U).bat to name the logon scripts and kept them all
> > in one directory, but they don't.  It would also be very easy if I only had a
> > couple of users to deal with, at which point I could synchronize a netlogon
> > share with NT machines.  I could possibly work around this if the NT PDC
> > or BDC would pass along in its logon structure the name and path of the logon
> > script for the validated user.  Maybe NT does do this and a newer samba version
> > would be able to pick this up? Or maybe my answer is to create my own domain
> > and then create a trust with the NT domain?
> > 
> > On Fri, 03 Mar 2000, Mayers, P J wrote:
> > > Erm... What? I'm really confused now. Is the machine meant to be a PDC, BDC
> > > or just a server? "server = domain" (and yes, it is a badly named parameter
> > > dammit, but we've been through this discussion a million times, and I see no
> > > need to repeat it) makes the samba server a domain *member*.
> > >
> > > server = security
> > > domain logons = yes
> > > local master = yes
> > >
> > > make it a PDC, and the same with
> > >
> > > local master = no
> > >
> > > Make it a BDC, but that only kind-of works IIRC.
> > >
> > > <Note: I don't use the BDC stuff, and I could be wrong about this>
> > >
> > > So what are you trying to do? A security=domain machine will never serve
> > > logon requests because it's a domain member, hence the netlogon share issue
> > > isn't an issue...
> > >
> > > Wait...
> > >
> > > Reading your original email implies that you *know* you're using it as a
> > > domain member, but also:
> > >
> > > > currently using 2.05 as a member of an NT domain, with security = domain, to
> > > > process domain logons for a handful of Win95 machines.  The current setup
> > >
> > > That certainly shouldn't work - what's your complete smb.conf? Are you sure
> > > that the samba server is actually the one serving the logon requests? It
> > > shouldn't be in security=domain.
> > >
> > > Cheers,
> > > Phil
> > >
> 


