[Samba] [found something] Problems making use of 2K PDC

John H Terpstra jht at samba.org
Fri Jan 31 16:05:06 GMT 2003


On Fri, 31 Jan 2003, Andreas Hasenack wrote:

> Em Fri, Jan 31, 2003 at 03:01:30PM +0000, John H Terpstra escreveu:
> > > And, since the w2k server is on a different subnet, I don't think I can make it
> > > the logon server for my clients, or can I? I mean, broadcasts mean a lot in a
> > > MS network...
> >
> > You must use WINS to avoid broadcast traffic. With WINS the important UDP
> > traffic will be unicast. WINS can reduce UDP broadcast traffic by up to
> > 95%. Using WINS, your clients will readily locate the logon server. I
> > would recommend not using file and print shares over the WAN link though.
>
> But how does the windows client find out who the domain controller is for
> a specific domain? Does WINS advertise that info too?
> When I make a windows client join a domain, it never asks me for the name
> of the domain controller... Just the name of the domain.

Firstly, when you use WINS you configure one machine as your WINS server.
Then ALL SMB clients (Samba as well as MS Windows) get configured (part of
the TCP/IP stack configuration) to use that WINS server.

Now when the client starts up it registers with the WINS server. As it
starts its networking services it registers various name types with the
WINS server also. The Domain Controllers that are providing the NETLOGON
services do this also.

The MS Windows client will then ask the WINS server for the IP address of
machines that have registered for their domain name (let's call it
MYDOMTHING) MYDOMTHING<1c> - the <1c> type means it runs the netlogon
service.

The client then connects to one of the addresses it obtained from the WINS
server to commence the logon process. WINS is your best friend - DNS
does NOT allow name type lookups that are particular to NetBIOS
networking over TCP/IP.

Please read the documentation - all of this is explained in the
Entire-HOWTO-Collection for which there is a link on the SWAT home page.

> > > Should I then just make the clients authenticate against the remote w2k machine
> > > anyway? I know, in both scenarios, the w2k server will be contacted anyway, either
> > > by the samba server or by the linux client.
> >
> > Correct. That's my recommendation.
>
> What about using security = server, point the password server at the w2k
> machine and set domain logons = yes? Should this work?

Yes, it will work. However, be aware that SERVER mode security does a few
very nasty things. Because the machine is NOT a trusted domain member it
needs to step around some old bugs. SERVER mode security causes samba to
send a bogus username/password pair before trying the real
username/password pair. It needs to do this so that an old bug that was
present in some MS Windows systems does not inadvertently allow a user
with a wrong set of credentials (username/password pair) to gain system
access. If we did not do this then it could be used as a potential root
exploit.

So what does this mean? Well, if your Win2K administrator has set a
lockout threshold on the number of bad logins for a user, then this may
be triggered. Alternatively, the Event log on the Win2K machine will
record errors for each authentication attempt.

The undesirability applies only to use of MS Windows NT4/2K authentication
servers; with samba<->samba authentication this poses no issues and is how
we can achieve a BDC type role.

My clear preference is to make the samba server a full Win2K domain
member. Of course the Win2K needs to be running either in NT4 domain
security mode _or_ Active Directory in mixed mode.

- John T.
-- 
John H Terpstra
Email: jht at samba.org
