Proposal: Good Neighbor Policy

Cole, Timothy D. timothy_d_cole at
Mon Dec 20 19:21:30 GMT 1999

> -----Original Message-----
> From:	Jeremy Allison [SMTP:jeremy at]
> Sent:	Monday, December 20, 1999 13:10
> To:	Multiple recipients of list SAMBA-TECHNICAL
> Subject:	Re: Proposal:  Good Neighbor Policy
> "John E. Malmberg" wrote:
> > It appears that there is some incompatabilities between the browser
> protocol
> > that NT uses and the protocol that Microsoft documents.
> Well, we work on the protocol we see on the wire, not in the
> docs :-). Seriously, we are not incompatible with the MS
> browsing protocol, you just have to know how browsing works
> in order to set up a working network. But that's the same
> even in an MS-only environment.
> > Based on these experiences, I always recommend that anyone adding SAMBA
> to
> > an NT domain, not allow the SAMBA box to take part in browser elections.
	There are no real problems with Samba's browsing implementation
itself, but certain easy misconfigurations can still cause severe problems.
(I've been fortunate to have such an understanding IS staff to deal with, or
we might not still be running Samba today)

	Part of the problem is that the docmentation does not necessarily
make it plain what the correct configuration should be.  Here are some of
the issues I have encountered when trying to peacefully coexist in an
NT-dominated network:

	 1. You need a valid guest user for proper browsing with NT (the
default is not always valid!)
	    It would appear that NT insists on making anonymous connections
to servers for some browsing purposes, even though the user is
authenticated.  As a consequence of this, there needs to be a functioning
guest account.  For most systems, the Samba default of "nobody" (often
userid -2 or similar) is fine.

	However, under at least some configurations of HP-UX 10.xx (and most
likely some other Unices with similar pedigree), it is not possible to
set{e,}uid() to userid -2 (even as root).  As a result of this, on such
systems you will need to create another login-less account (i.e. "smb") that
Samba can setuid() to for servicing certain requests.  Until we created such
an account and set it as the guest account, our HP-UX Samba servers royally
fscked up browsing in any workgroup/domain they entered.

	Under some conditions it may also be necessary to set "map to guest
= bad user" (or more liberal) so that browsing continues to work as expected
even for users that do not have accounts on the Unix machines. (under most
circumstances you will then want to be sure to set "guest = no" for your

	 2. Don't make the mistake of putting a non-PDC Samba server into an
NT domain with "domain master = yes"

	While PDC and DMB functionality are not really _directly_ related to
each other, NT often appears to assume that whatever has the 0x1d (DMB) WINS
record also has 0x1c (PDC) -- i.e. is the PDC.  Problems caused by a Samba
server taking 0x1d may not manifest themselves immediately, but will at
least interfere with BDC promotion down the road.

	 3. At least one server in a workgroup/domain needs to be a DMB

	For workgroups/domains containing only Samba servers, you will need
to explicitly make one of them the DMB, at least in cases where you have
multiple subnets.  However, be careful if you later move such a box into a
domain... that's how I discovered #2...

	As noted above, in a domain, NT will be happiest if you follow the
simple rule, "Make the DMB the same machine as the PDC."

	I don't really have time to prepare a documentation patch, or I
would; would someone else like to take a stab at it?

More information about the samba-technical mailing list