Problems using samba as a PDC

Doug Douglass samba at denverdata.com
Thu Oct 25 15:38:06 GMT 2001


> did you add the NT-machine accounts to the samba-PDC in the
> /etc/passwd and /etc/samba/smbpasswd files?
>

While these are required steps, they may not be sufficient to fix the
problem. See below.

>
> >
> > We succeed in logging into the domain only if we execute the following
> > operations:
> > we log into the NT Client locally as administrator;
> > we successfully join a dummy workgroup and restart the PC;
> > we log into the NT Client as administrator;
> > we successfully join the domain and restart the PC.
> >
> > The problem is that if we execute these steps, when a user logs into the
> > NT machines he is assigned the default profile, and not the local
> > profile he has when we use the NT Server as a PDC.
> >
> > Any suggestions?
> >
> > Thanks in advance.
> >
>

Background

Each account in a domain, machine or user, and the domain itself, has a
unique identifier, or SID (similar to a Unix uid).

The domain SID is part of all the user and machine account SIDs in a domain,
and these SIDs get stored in a domain user's profile (the parts of the
registry that are user specific).

If, as you have explained, you simply shut down your NT PDC and started samba
as a PDC, there is no guarantee that the samba PDC will have the same
domain SID as your NT PDC. This is why you could have the same user in your
NT PDC and your samba PDC, but when they log on they get a different profile.

I hope I explained that well enough.


Here's a suggestion:

*** COMPLETELY UNTESTED *** USE AT YOUR OWN RISK ***

1. Determine the domain SID of your NT PDC (try this from your linux box:
rpcclient <nt pdc machine name> -c "lsaquery" -W <domain name>). The SID
should look something like S-1-5-21-3720025594-2811526445-1635277529.

2. In your samba configuration directory is a file named MACHINE.SID, and it
will have a similar SID value in it. Make a backup copy of the MACHINE.SID
file.

3. Replace the existing SID in MACHINE.SID with the one from the NT PDC.

4. Shut down the NT PDC and start the samba PDC.

5. Add your machine and user accounts to the Samba PDC.

6. Try logging in as a domain user and see if the existing locally stored
profile is used.

If the existing local profile is still not being used, check your samba logs
for messages like "cannot find rid [<some number>]".

RIDs are the unique part of an account's SID -- the set of digits after the
domain SID. The account RID and the profile RID must match in order for your
existing local profiles to be used.

Unfortunately, if you are storing accounts in smbpasswd, I do not know how
you can change an account's RID (Does samba use the uid?)


Good luck, take it slow, and keep posting to the list (someone must have
tried this before),
Doug
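As an added illustration (not part of Doug's message and not Samba code), here is a small check of the SID/RID relationship the post describes: it splits a SID into the domain part and the RID, and for each user reports whether an NT-era local profile would be reattached under the Samba PDC. The uid-to-RID formula (uid * 2 + 1000) is Samba's classic algorithmic mapping and is an assumption here; the per-user SIDs and uids are constructed sample data.

```python
import re

# A domain SID looks like S-1-5-21-<a>-<b>-<c> (the post's example is
# S-1-5-21-3720025594-2811526445-1635277529); an account SID is the
# domain SID followed by exactly one more component, the RID.
SID_RE = re.compile(r"^S-1-5-21(?:-\d+){3}(?:-(\d+))?$")


def parse_sid(sid):
    """Return (domain_sid, rid); rid is None for a bare domain SID."""
    m = SID_RE.match(sid)
    if not m:
        raise ValueError(f"not a well-formed domain or account SID: {sid!r}")
    rid = m.group(1)
    if rid is None:
        return sid, None
    return sid[: -len(rid) - 1], int(rid)


def uid_to_rid(uid, rid_base=1000):
    # Classic Samba algorithmic mapping (assumed, not stated in the post):
    # user RID = uid * 2 + rid_base, with rid_base defaulting to 1000.
    return uid * 2 + rid_base


def check_profile_reuse(nt_domain_sid, samba_domain_sid, profile_sids, samba_uids):
    """profile_sids: {user: account SID recorded in the local NT profile}
    samba_uids:   {user: unix uid of that account on the Samba PDC}
    Returns {user: "ok" | "domain SID mismatch" | "RID mismatch (...)"}."""
    results = {}
    for user, psid in profile_sids.items():
        p_domain, p_rid = parse_sid(psid)
        if p_domain != nt_domain_sid or p_rid is None:
            raise ValueError(f"profile SID for {user} is not from the NT domain")
        if samba_domain_sid != nt_domain_sid:
            # MACHINE.SID was not replaced with the NT PDC's domain SID (step 3).
            results[user] = "domain SID mismatch"
            continue
        s_rid = uid_to_rid(samba_uids[user])
        if s_rid != p_rid:
            results[user] = f"RID mismatch (profile={p_rid}, samba={s_rid})"
        else:
            results[user] = "ok"
    return results


# Constructed sample data: alice's uid maps to her profile RID, bob's does not.
NT_DOMAIN = "S-1-5-21-3720025594-2811526445-1635277529"
PROFILES = {"alice": NT_DOMAIN + "-1002", "bob": NT_DOMAIN + "-1011"}
UIDS = {"alice": 1, "bob": 7}
```

Run with the Samba domain SID set to something other than NT_DOMAIN to see every user reported as a domain SID mismatch, which is the situation described in the Background section.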

More information about the samba-ntdom mailing list