Fwd: Re: NetLogon Service

Brian Keats bkeats at spiff.chin.gc.ca
Mon Mar 6 18:22:22 GMT 2000


Actually, it works fine with the validation portion (when set with
security=domain, domain logon=yes, password server = [NT PDC name]).  It
validates users (on client machines behind the firewall) and also those clients
can map drives on the NT domain, etc ...  

Also, I thought  if I set up the SAMBA machine to be a PDC of its own domain a
one way trust relationship from SAMBA to the NT domain would be perfect as I
would want to trust that domain, but I wouldn't necessarily want the NT domain
to trust my domain.  I thought this was part of the strength of the NT domain
trust relationship ideology, i.e. both parties have to agree for users of both
domains to have access to each other's domains, but users of one domain can be
trusted in the other domain with the opposite being true. (I believe this
changes with the domain model in Win 2000 though).

Anyway, it's an interesting pickle, if I could only get the netlogon portion to
work!  Thanks for your insight so far Phil.  I'll keep trying different things
and if I ever get this to work the way I want it to I'll let you know.  In the
meantime, I'm willing to try any other suggestions you might have ....

On Mon, 06 Mar 2000, you wrote:
> "security = user" for a PDC.
> 
> Also, the trust relationship needs to be setup from the other side - you
> can't just add one, the NT domain admin has to do it as well.
> 
> I honestly don't think you're going to get a lot of mileage out of this. If
> the samba "BDC-ish" isn't even bound to the LAN interface, it can't talk to
> the PDC of the NT domain ever, and hence can't get any account parameters.
> 
> It's just full of too many unknowns. I strongly doubt you'll ever get it to
> work properly without the cooperation of your NT domain people.
> 
> The BDC option is really a non-starter - your NT domain admins aren't going
> to let you setup a BDC which you have complete control over, because that
> compromises the security of the entire domain.
> 
> The PDC/Trust option may work, but with varying success. You'll need an
> admin of the domain you're trusting to set things up at the other side also,
> so again cooperation is required.
> 
> Cheers,
> Phil
> 
> -----Original Message-----
> From: Brian Keats
> To: Phil Mayers; bkeats at spiff.chin.gc.ca
> Sent: 3/6/00 12:55 PM
> Subject: Re: Fwd: Re: NetLogon Service
> 
> Hey, thanks Phil.  I wasn't sure if this was the case.  I was kinda wondering
> about that.  The beauty here is that although, as you say, it's acting as a BDC
> I do not have the NT lan interface in the 'interfaces' section of smb.conf.
> So, the Corporate NT domain doesn't see it as being a PDC.  But on the private
> interface it is acting, I guess, as a BDC for the corporate domain.  I am
> pointing to the WINS server on the NT domain as the primary WINS server though
> and I'm also pointing to the PDC on the corporate LAN as the password server.
> 
> So, now I need to know if an NT PDC does pass along to a BDC when it performs
> authentication, here is the location of the logon script, if you have it on
> your machine, pass it along to the client.  In which case, I can mirror the
> NETLOGON for the PDC on my linux machine.  Once again, I'm back to my original
> question: if this is the case, would a newer version of SAMBA possibly look
> through its netlogon service path for this logon script and pass it along to
> the client?
> 
> Btw, I also tried last week making SAMBA a PDC for a different domain (on the
> private interface) and setting up a trust relationship with the corporate NT
> PDC, with the hopes that the NT PDC would pass either the logon script, or its
> name and path to the SAMBA machine who would in turn pass it along to the
> client.  I'm not sure if I did it right but I changed the WORKGROUP parameter,
> removed the reference to a password server and made sure things like domain
> master = yes and domain logons = yes and security = domain.  With the logging
> set to 150, I couldn't determine if this information was being passed along to
> the SAMBA server.  Anyone know if this is the case?
> 
> On Mon, 06 Mar 2000, Phil Mayers wrote:
> > Woah! So you have "security = domain, domain logons = yes"... You've got
> > it setup as a BDC?? I'd take it down before someone notices if I were
> > you...
> > 
> > Cheers,
> > Phil
> > 
> > Brian Keats wrote:
> > > 
> > > Sorry Matt, I do have domain logons = yes ...
> > > 
> > > On Mon, 6 Mar 2000, Matthew Geddes wrote:
> > > 
> > > > Brian Keats wrote:
> > > > >
> > > > > On Fri, 03 Mar 2000, Kevin Colby wrote:
> > > > > > Brian Keats wrote:
> > > > > > >
> > > > > > > (Did I mention I'm using security = domain ?)
> > > > > >
> > > > > > I do not understand what you are trying to do here.
> > > > > > Is this a PDC, BDC, or a domain member?
> > > > > >
> > > > > >       - Kevin Colby
> > > > > >         kevinc at grainsystems.com
> > > > >
> > > > > It's a domain member.  I'm trying to get it to act as a, for the lack
> > > > > of a better term, kind of proxy DOMAIN controller.  It's almost doing
> > > > > that now except for the part of passing along the logon script to the
> > > > > client machine.  In other words, the linux machine is validating users
> > > > > by contacting the PDC (or one of the BDC's).
> > > >
> > > > I don't see how it can be physically possible. I was under the
> > > > impression that if you have security=domain and no domain logons=yes
> > > > line in your smb.conf file, you are running a member server. It will
> > > > not process any logons. Once you add the security=user and domain
> > > > logons=yes, you are no longer a member, but a domain controller. If you
> > > > join a domain, you are a Backup Domain Controller. Someone else will
> > > > know for sure.
> > > >
> > > > At least you don't need to reinstall your unix to go from PDC -> BDC ->
> > > > Member server. ;-).
> > > >
> > > > Matt
> > > >
> > > > --
> > > > "Our goal for the next release of Windows 2000 is to have zero bugs."
> > > > - Lucovsky, Microsoft
> > > >


More information about the samba-ntdom mailing list