Problems using samba as a PDC

[Greg Goodrich]

I just subscribed to the group, so please accept my apology if this post
doesn't flow into the proper thread.

I've recently set up samba 2.2.2 on RedHat 7.1 as a PDC with a mixed
network of win98, win2k, NT 4.

This may not be the proper way to resolve all this, but this is how I
got migrated over from an NT4 PDC.

First, I set up the Samba PDC stuff on the new server as per the
instructions in the HOWTO docs available from the samba website.  This
includes setting up users/passwords that were the same as on the old
domain.  Now, we needed to keep our existing PDC on the network for a
while, and it needed to coexist, so we changed the domain name of the
new box, but I'm not certain that that will matter in the grand scheme
of things, assuming that noone tries to run both the NT PDC and the
Linux Samba PDC on the network at the same time.  One important step is
to set up the roaming profile stuff in the Samba settup so that each
user will have a unique place on the server for their roaming profile
(It states in the documentation that this shouldn't be in their "home"
directory; I used a share called [profiles], and set up their path as
the username they logged in with, using the %U macro, something like
this:  logon path = \\%L\profiles\%U)

The next step is to go to each user's machine and back up their roaming
profile into this new share, under the user's subdirectory (this will
have to be created, and it seems to create it in the backup process if
it is typed into the path, just make sure that the dialog box goes away
after the copy, otherwise the copy didn't really work).  A limitation
that seems to exist by using this mechanism is that the user in the new
domain seems to need to be an administrator on their local machine in
order to be able to use this copy of the profile.  I believe that this
is because of the NT/2000 security model, and how it stamps the files in
the profile with access rights to the old domain user.

That being said, it is very important that you can log into each local
machine as a LOCAL administrator NOT a domain admin, as once the domain
is switched out to the new one, the domain admin account will be
unavailable and the new domain account doesn't have privileges on the
local machine at this point.  This is very important!!!

At this point, it is possible to switch over to the new domain on each
machine.  This is done via the networking settings, and changing the
domain name to the new one.  There seems to be somewhat of a "bug" in
Win2k that sometimes when a new domain name is typed in, and okay is
pressed, it will give an error about conflicting permissions of some
sort.  Assuming no misspellings on anything typed in, this error seems
bogus, and causes an extra step of changing the machine to using a
workgroup (pick any name), rebooting, and then changing to the new
domain, with yet another reboot (windows users should be used to this
reboot stuff :)  If the domain names are to remain the same, then this
extra step may be necessary on each machine to accomplish having the
workstation create the machine account on the new PDC.  If the
workstation sees no change in the domain name, it will not prompt to
create a new computer account in the domain.

Now, assuming the last step went okay, and the machine joined the new
domain and rebooted, then it is time to log into the local machine as
administrator.  Once in, set up the user's account (the new domain user
account) as an administrator of the local machine (add to the local
machine's administrator group).  Then log out of the administrator
account, and log in as the user.  If all went well, then the user's
original profile should've made it over intact.  If this last step is
not performed, then the profile will copy from the server to the local
machine, but it will act very strangely.  Certain things appear to work,
while others clearly do not.  Making the user an admin on the local
machine solves these problems (although it may create others for all I
know).

This process works best for non-win9x client machines, as they really
don't join a domain, and don't play nice with others :)

While I am certainly no expert on this stuff, our network does seem to
be working okay with the linux samba PDC.  I'll try to find the time to
answer any ???'s that people may have about the above procedures to the
best of my ability.

--
Greg Goodrich
Senior Software Engineer
MediNotes Corp.
ggoodrich at medinotes.com