[Samba] W2k, SP4 and Domain logon

Damiano G. Preatoni prea at uninsubria.it
Sat Aug 30 18:06:51 GMT 2003


Hi all.
Yesterday I had the funny idea of upgrading all my Windows 2000 Professional 
workstations (20 W2k boxes more or less) to SP4.

I run Samba 2.2.8a on a glorious RedHat 6.2, and after the endless 
download-and-reboot I found myself with no W2K client able to log in.

I skimmed the mail archives, tried a bunch of suggestions from really a lot of 
postings (a big thanks to all who contributed, I should have penciled down a 
list...) and here I am with half a solution.

SERVER SIDE:
check your smb.conf, in particular the [profiles] section. Mine says:

[profiles]
    path = /home/profile
    read only = no
    create mask = 0600
    directory mask = 0700
    force directory mode = 0700
    inherit permissions = yes
    nt acl support = yes
    map system = yes
    map hidden = yes
    browseable = no
    comment = User profile directory on %L (Samba %v PDC)
    profile acls = yes

Note that my server is acting as a PDC:
[global]
    add user script = /usr/sbin/useradd -d /dev/null -g workstations -s /bin/false -M %u
    create mask = 0664
    dead time = 0
    debug level = 3
    default case = lower
    dfree command = /sbin/diskfree
    directory mask = 0770
    dns proxy = no
    domain logons = yes
    domain master = yes
    dos filetimes = yes
    encrypt passwords = yes
    hide dot files = yes
    hosts allow = 192.168.1. 127.
    interfaces = 192.168.1.250/255.255.255.0
    load printers = no
    local master = yes
    log file = /var/log/samba/%m.log
    log level = 2
    logon drive = G:
    logon home = \\%L\%u
    logon path = \\%L\profiles\%u
    logon script = logon.bat
    max log size = 50
    name resolve order = host wins bcast
    netbios name = MALAUSSENE
    os level = 64
    passwd chat = *New*UNIX*password* %n\n *ReType*new*UNIX*password* %n\n *passwd:*all*authentication*tokens*updated*successfully*
    passwd program = /usr/bin/passwd %u
    password level = 8
    preferred master = yes
    printcap name = /etc/printcap
    security = user
    server string = UAGB Primary Domain Controller (Samba %v PDC)
    socket options = TCP_NODELAY IPTOS_LOWDELAY SO_RCVBUF=8192 SO_SNDBUF=8192
    smb passwd file = /etc/samba/smbpasswd
    time server = yes
    unix password sync = yes
    username level = 8
    username map = /etc/samba/smbusers
    wins support = yes
    workgroup = UAGB
    null passwords = no



CLIENT SIDE:
Here comes the workload... one day or the other I will switch to LTSP 
terminals... 
It seems that with SP4 and the so-called "fix" for the blaster worm the way in 
which a W2K client works changed abruptly.

Anyway, roll up your sleeves and 

login as Administrator
Go to System/Network Identification and place the machine into a WORKGROUP, 
leaving the domain. Don't waste your time rebooting.

Go to Control Panel/Network and Dial-up Connections, pick your LAN connection 
(should be called "Local Area Connection") and go to Properties of the TCP/IP 
protocol.

Set Preferred DNS: 192.168.1.250 (i.e. the samba server IP, it acts also as a 
caching DNS)

Click on "Advanced", go to DNS tab and set
Append primary and connection specific DNS suffixes
Append parent suffixes of the primary DNS suffix

other checkboxes/radiobuttons should be unchecked.

Go to WINS tab. Set the WINS server IP to the IP of the samba server.
DISABLE "Enable LMHOSTS lookup"
ENABLE "Enable NetBIOS over TCP/IP"

I didn't touch the "Options" tab. No IPSEC, No filtering.


Close everything, go back to System/Network Identification
Make sure that, clicking on "More", the domain where your boxes are is 
specified. I put in "dipbsf.uninsubria.it", which is mine.
UNCHECK the "Change primary DNS suffix when domain membership changes" 
checkbox.

Now click the "Domain" radio button, and rejoin the domain.

Close everything, and this time reboot.

I advise, after the reboot, to log in as Administrator again, to launch 
(Window/R, or Start/Run) LUSRMGR.MSC, to remove "Domain Users" from the 
"Users" group, and to add it instead to the "Power Users" group.

This way my poor W2k boxes are still able to join the domain and next Monday 
users will be able to log in.
Still, the [netlogon] share is inaccessible, and logon script processing still 
doesn't work. My logon script does only a net time \\malaussene /set /yes, 
and mounts six or seven shares.
At present I copied it to the most used share, and I will tell my users to 
manually mount this and launch MOUNT.BAT.

Any further suggestion will be welcome!

BTW: I read about an almost-up-to-date HOWTO that Scott Phelps promised to 
write about PDC, LDAP and so on... any news?

Thanks to all!



-- 
"I changed my headlights the other day. I put in strobe lights instead! Now
when I drive at night, it looks like everyone else is standing still ..."
		-- Steven Wright
-----------------------------------------------------------
Damiano G. Preatoni, PhD

Unità di Analisi e Gestione delle Biocenosi
Dipartimento di Biologia Strutturale e Funzionale
Università degli Studi dell'Insubria
Via J.H. Dunant, 3 - 21100 Varese (ITALY)

http://biocenosi.dipbsf.uninsubria.it/
ICQ: 78690321
Odigo: 2645129
-----------------------------------------------------------
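
Added example, not part of the original post or of Samba: a small audit of the domain-logon settings the message relies on, parsing smb.conf with its own rules (names ignore case and whitespace, a trailing backslash continues a line). The sample text is constructed from the posted settings; it defines no [netlogon] section because the post does not show one, and the function names are hypothetical.

```python
import re

# Constructed sample modelled on the settings quoted in the post. The post does
# not show a [netlogon] section, so none is defined here (assumption).
SAMPLE = r"""
[global]
    security = user
    encrypt passwords = yes
    domain logons = yes
    add user script = /usr/sbin/useradd -d /dev/null -g workstations -s \
        /bin/false -M %u
    logon path = \\%L\profiles\%u
    logon script = logon.bat
[profiles]
    path = /home/profile
    read only = no
"""

def norm(name):
    # smb.conf ignores case and whitespace in section and parameter names
    return re.sub(r"\s+", "", name).lower()

def parse_smb_conf(text):
    shares, current, pending = {}, None, ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        pending = ""
        if line.endswith("\\"):              # trailing backslash continues the line
            pending = line[:-1].rstrip() + " "
        elif line.startswith("[") and line.endswith("]"):
            current = shares.setdefault(norm(line[1:-1]), {})
        elif "=" in line and line[0] not in "#;" and current is not None:
            key, value = line.split("=", 1)
            current[norm(key)] = value.strip()
    return shares

def enabled(section, key):
    # Unset parameters are treated as "no" here (assumption of this example)
    return section.get(key, "no").lower() in ("yes", "true", "1")

def audit_pdc_logon(shares):
    g, findings = shares.get("global", {}), []
    for key, label in (("domainlogons", "domain logons"), ("encryptpasswords", "encrypt passwords")):
        if not enabled(g, key):
            findings.append(f"{label} is not set to yes")
    netlogon = shares.get("netlogon")
    if netlogon is None or "path" not in netlogon:
        findings.append("no [netlogon] share with a path for 'logon script'")
    elif not enabled({"readonly": "yes", **netlogon}, "readonly"):
        findings.append("[netlogon] is writable; logon scripts could be altered")
    m = re.match(r"\\\\[^\\]+\\([^\\]+)", g.get("logonpath", ""))
    if m and norm(m.group(1)) not in shares:
        findings.append(f"logon path points at undefined share [{m.group(1)}]")
    return findings
```

Run `audit_pdc_logon(parse_smb_conf(open("/etc/samba/smb.conf").read()))` against a real file; Samba's own `testparm` remains the check for syntax and unknown parameters.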




