New security=domain code.

Jeremy Allison jallison at whistle.com
Wed Apr 29 23:34:54 GMT 1998


Ok all,

        I have just checked in a bunch of code to the head
branch that allows Samba to act as a member of an NT domain.

It's fiddly to set up and not at all documented as yet...

The (very) brief notes :

Do a build with the current head branch (note that the
Makefile has changed, you will have to use the new one), 
kill all running smbd/nmbds and then set the following 
in your smb.conf :

security=domain
password server=<name of your PDC>
workgroup=<YOUR NT DOMAIN NAME>

Next, log onto the NT PDC as Administrator, and add
the Samba machine to the domain using user manager
for domains. The NetBIOS name you add *must* be the
same name that smbd gets for itself in the global_myname
variable (i.e. the same name you would set with the parameter
"netbios name=", or the first component of the DNS
name if that parameter is not set).

Then, as root do :

smbpasswd -j <YOUR NT DOMAIN NAME>

(making sure you're using the smbpasswd you just built :-).

This should change the machine account password for
the new machine in the domain (in a horribly insecure
way, but it's the NT domain security implementation, what
can you do :-). It then stores the machine
account password in the file:

DOMAIN.NETBIOS_MACHINE_NAME.mac 

in the same directory as the smbpasswd file would be (it 
creates the file on success).

If this step fails, or you wish to see debug output, type 

smbpasswd -D 100 -j <YOUR NT DOMAIN NAME> 

instead of the command above.


Note that when doing security=domain, as opposed
to setting Samba up as a PDC, you do *not* need
to have a machine account in the smbpasswd file,
indeed you don't need to have an smbpasswd file
at all if you don't want any local users.

Now re-start smbd/nmbd.
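A configuration check for the setup steps above, added here as an example and not code from this post or from Samba: it reads the three smb.conf parameters, applies the netbios name fallback the post describes, and prints the path of the machine-account file that smbpasswd -j should have created. It assumes the smbpasswd directory is passed as its second argument and that both names in the .mac file name are upper case.

```shell
#!/bin/sh
# Added example, not part of the original post: sanity-check an smb.conf for
# the security=domain setup and derive the DOMAIN.NETBIOS_MACHINE_NAME.mac file
# name that smbpasswd -j writes next to the smbpasswd file. The smbpasswd
# directory is passed in (its location is build-dependent); upper-casing the
# two names is an assumption following NetBIOS convention.

# smb_param FILE KEY: print the value of "key = value" from FILE, ignoring
# comment lines and whitespace in or around the key (smb.conf style).
smb_param() {
    awk -F'=' -v key="$2" '
        BEGIN { gsub(/[[:space:]]/, "", key) }
        /^[[:space:]]*[;#]/ { next }          # skip ; and # comment lines
        NF >= 2 {
            k = $1; gsub(/[[:space:]]/, "", k)
            if (tolower(k) == tolower(key)) {
                v = $2; sub(/^[[:space:]]+/, "", v); sub(/[[:space:]]+$/, "", v)
                print v; exit
            }
        }' "$1"
}

# domain_mac_file CONF PRIVDIR: verify the three parameters the post requires
# and print PRIVDIR/DOMAIN.MACHINE.mac; fail with a message if something is off.
domain_mac_file() {
    conf=$1; privdir=$2
    sec=$(smb_param "$conf" security | tr 'A-Z' 'a-z')
    [ "$sec" = domain ] || { echo "security=$sec, expected domain" >&2; return 1; }
    [ -n "$(smb_param "$conf" 'password server')" ] || { echo "password server= not set" >&2; return 1; }
    dom=$(smb_param "$conf" workgroup)
    [ -n "$dom" ] || { echo "workgroup= not set" >&2; return 1; }
    name=$(smb_param "$conf" 'netbios name')
    # smbd falls back to the first component of the DNS name, as the post says
    [ -n "$name" ] || name=$(hostname | cut -d. -f1)
    printf '%s/%s.%s.mac\n' "$privdir" \
        "$(printf %s "$dom" | tr 'a-z' 'A-Z')" "$(printf %s "$name" | tr 'a-z' 'A-Z')"
}

# Demo on a constructed smb.conf (all values made up for illustration).
demo_dir=$(mktemp -d)
cat > "$demo_dir/smb.conf" <<'EOF'
[global]
   security = domain
   password server = NTPDC1
   workgroup = MYDOM
   netbios name = filesrv
EOF
domain_mac_file "$demo_dir/smb.conf" "$demo_dir"   # prints .../MYDOM.FILESRV.mac
rm -rf "$demo_dir"
```

If the printed file does not exist after smbpasswd -j, the join step failed; rerun it with -D 100 as the post suggests.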

Go to another NT box (not the PDC, although it
could be) and type:

net use * \\<SAMBA_SERVER_NAME>\<share_name> /user:<YOUR_DOMAIN_NAME>\<username> *

Where :

<SAMBA_SERVER_NAME> = NetBIOS name of Samba server.
<share_name> = share you wish to connect to on Samba server.
<YOUR_DOMAIN_NAME> = Name of the NT Domain you just added
                     the Samba server to.
<username> = Username in the NT Domain that you wish to connect as.

You will be prompted for the password - enter the
password for the given user in the given NT domain.

If all goes well you will get a drive mapped.

If it fails, there should be a message in the
log.smb file showing why the authentication to
the NT PDC didn't work, or crank up the smbd debug
log level to get more details.

Note that the user <username> must still exist
in the unix account database (usually /etc/passwd),
as Samba uses this to map the user to the correct uid.
All password authentication, though, is done down
the secure channel to the NT PDC.
(You can see the details if you start smbd with a
high debug level :-).

If you're feeling *really* adventurous, then set the
password server= parameter to point to your Samba PDC,
and add the Samba server into the Samba PDC domain
in the same way as normal (note that the Samba PDC
smbd must be running the same cvs code level - i.e. the
current head branch - for this to work). The domain
client Samba server works against a Samba PDC in
exactly the same way as documented above (look ma, no NT :-).

If you do have an smbpasswd file containing user
accounts on the Samba server set up with security=domain,
you can select authentication against these passwords by replacing
the NT domain name with the Samba server NetBIOS name
in the example above, e.g.

net use * \\<SAMBA_SERVER_NAME>\<share_name> /user:<SAMBA_SERVER_NAME>\<username> *

This is exactly the same as the local SAM account
database on an NT workstation or server that isn't
a PDC/BDC.

Now I'm going on vacation for 4 days - so have fun with
the new code and I'll try and pick up the pieces on
Monday when I return :-).

Cheers,

        Jeremy Allison,
        Samba Team.
-- 
--------------------------------------------------------
Buying an operating system without source is like buying
a self-assembly Space Shuttle with no instructions.
--------------------------------------------------------