From 992f1e6b8f86b346fddd266b04d29cde69585633 Mon Sep 17 00:00:00 2001 From: Jelmer Vernooij Date: Wed, 7 Apr 2004 10:15:11 +0000 Subject: Add all the source files from the old CVS tree, add the 5 missing chapters from the HOWTO and add jht's Samba by Example book. (This used to be commit 9fb5bcb93e57c5162b3ee6f9c7d777dc0269d100) --- docs/howto/PDC.xml | 990 +++++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 990 insertions(+) create mode 100644 docs/howto/PDC.xml (limited to 'docs/howto/PDC.xml') diff --git a/docs/howto/PDC.xml b/docs/howto/PDC.xml new file mode 100644 index 0000000000..6d3fa64a24 --- /dev/null +++ b/docs/howto/PDC.xml @@ -0,0 +1,990 @@ + + + + &author.jht; + &author.jerry; + &author.dbannon; + &person.gd; LDAP updates + + +Domain Control + + +There are many who approach MS Windows networking with incredible misconceptions. +That's okay, because it gives the rest of us plenty of opportunity to be of assistance. +Those who really want help would be well advised to become familiar with information +that is already available. + + + +The reader is advised not to tackle this section without having first understood +and mastered some basics. MS Windows networking is not particularly forgiving of +mis-configuration. Users of MS Windows networking are likely to complain +of persistent niggles that may be caused by a broken network configuration. +To a great many people, however, MS Windows networking starts with a Domain Controller +that in some magical way is expected to solve all network operational ills. + + + +The diagram shows a typical MS Windows Domain Security +network environment. Workstations A, B and C are representative of many physical MS Windows +network clients. + + +
An Example Domain. + + + + +
+ + + + + +From the Samba mailing list one can readily identify many common networking issues. +If you are not clear on the following subjects, then it will do much good to read the +sections of this HOWTO that deal with it. These are the most common causes of MS Windows +networking problems: + + + + Basic TCP/IP configuration. + NetBIOS name resolution. + Authentication configuration. + User and group configuration. + Basic file and directory permission control in UNIX/Linux. + Understanding how MS Windows clients interoperate in a network + environment. + + + +Do not be put off; on the surface of it MS Windows networking seems so simple that anyone +can do it. In fact, it is not a good idea to set up an MS Windows network with +inadequate training and preparation. But let's get our first indelible principle out of the +way: It is perfectly okay to make mistakes! In the right place and at +the right time, mistakes are the essence of learning. It is very much not okay to make +mistakes that cause loss of productivity and impose an avoidable financial burden on an +organization. + + + +Where is the right place to make mistakes? Only out of harms way. If you are going to +make mistakes, then please do it on a test network, away from users and in such a way as +to not inflict pain on others. Do your learning on a test network. + + + +Features and Benefits + + +domain security +What is the key benefit of Microsoft Domain Security? + + + +In a word, Single Sign On, or SSO for short. To many, this is the Holy +Grail of MS Windows NT and beyond networking. SSO allows users in a well-designed network +to log onto any workstation that is a member of the domain that their user account is in +(or in a domain that has an appropriate trust relationship with the domain they are visiting) +and they will be able to log onto the network and access resources (shares, files and printers) +as if they are sitting at their home (personal) workstation. This is a feature of the Domain +Security protocols. + + + +SID +The benefits of Domain Security are available to those sites that deploy a Samba PDC. +A Domain provides a unique network security identifier (SID). Domain user and group security +identifiers are comprised of the network SID plus a relative identifier (RID) that is unique to +the account. User and Group SIDs (the network SID plus the RID) can be used to create Access Control +Lists (ACLs) attached to network resources to provide organizational access control. UNIX systems +recognize only local security identifiers. + + + +Network clients of an MS Windows Domain Security Environment must be Domain Members to be +able to gain access to the advanced features provided. Domain Membership involves more than just +setting the workgroup name to the Domain name. It requires the creation of a Domain trust account +for the workstation (called a machine account). Refer to Domain Membership +for more information. + + + +The following functionalities are new to the Samba-3 release: + + + + + Windows NT4 domain trusts. + + + + Nexus.exe + Adding users via the User Manager for Domains. This can be done on any MS Windows + client using the Nexus.exe toolkit for Windows 9x/Me, or using + the SRVTOOLS.EXE package for MS Windows NT4/200x/XP platforms. These packages are + available from Microsoft's Web site. + + + + Introduces replaceable and multiple user account (authentication) + backends. In the case where the backend is placed in an LDAP database, + Samba-3 confers the benefits of a backend that can be distributed, replicated + and is highly scalable. + + + + Implements full Unicode support. This simplifies cross locale internationalization + support. It also opens up the use of protocols that Samba-2.2.x had but could not use due + to the need to fully support Unicode. + + + + +The following functionalities are not provided by Samba-3: + + + +SAM +replication + SAM replication with Windows NT4 Domain Controllers + (i.e., a Samba PDC and a Windows NT BDC or vice versa). This means Samba + cannot operate as a BDC when the PDC is Microsoft-based or + replicate account data to Windows BDCs. + + + + Acting as a Windows 2000 Domain Controller (i.e., Kerberos and + Active Directory). In point of fact, Samba-3 does have some + Active Directory Domain Control ability that is at this time + purely experimental that is certain to change as it becomes a + fully supported feature some time during the Samba-3 (or later) + life cycle. However, Active Directory is more then just SMB &smbmdash; + it's also LDAP, Kerberos, DHCP, and other protocols (with proprietary + extensions, of course). + + + + The Windows 200x/XP MMC (Computer Management) Console can not be used + to manage a Samba-3 server. For this you can use only the MS Windows NT4 + Domain Server manager and the MS Windows NT4 Domain User Manager. Both are + part of the SVRTOOLS.EXE package mentioned later. + + + + +Windows 9x/Me/XP Home clients are not true members of a domain for reasons outlined +in this chapter. The protocol for support of Windows 9x/Me style network (domain) logons +is completely different from NT4/Windows 200x type domain logons and has been officially supported +for some time. These clients use the old LanMan Network Logon facilities that are supported +in Samba since approximately the Samba-1.9.15 series. + + + +Samba-3 implements group mapping between Windows NT groups +and UNIX groups (this is really quite complicated to explain in a short space). This is +discussed more fully in Group Mapping &smbmdash; MS Windows and UNIX. + + + +Machine Trust Accounts +Samba-3, like an MS Windows NT4 PDC or a Windows 200x Active Directory, needs to store +user and Machine Trust Account information in a suitable backend data-store. +Refer to MS Windows Workstation/Server Machine Trust Accounts. With Samba-3 there can be multiple +backends for this. A complete discussion of account database backends can be found in +Account Information Databases. + + + + + +Basics of Domain Control + + +Over the years, public perceptions of what Domain Control really is has taken on an +almost mystical nature. Before we branch into a brief overview of Domain Control, +there are three basic types of Domain Controllers. + + + +Domain Controller Types + + + Primary Domain Controller + Backup Domain Controller + ADS Domain Controller + + + +The Primary Domain Controller or PDC plays an important role in MS +Windows NT4. In Windows 200x Domain Control architecture, this role is held by Domain Controllers. +Folklore dictates that because of its role in the MS Windows +network, the Domain Controller should be the most powerful and most capable machine in the network. +As strange as it may seem to say this here, good overall network performance dictates that +the entire infrastructure needs to be balanced. It is advisable to invest more in Stand-alone +(Domain Member) servers than in the Domain Controllers. + + + +SAM +In the case of MS Windows NT4-style domains, it is the PDC that initiates a new Domain Control database. +This forms a part of the Windows registry called the Security Account Manager (SAM). It plays a key +part in NT4-type domain user authentication and in synchronization of the domain authentication +database with Backup Domain Controllers. + + + +With MS Windows 200x Server-based Active Directory domains, one Domain Controller initiates a potential +hierarchy of Domain Controllers, each with their own area of delegated control. The master domain +controller has the ability to override any downstream controller, but a down-line controller has +control only over its down-line. With Samba-3, this functionality can be implemented using an +LDAP-based user and machine account backend. + + + +New to Samba-3 is the ability to use a backend database that holds the same type of data as +the NT4-style SAM database (one of the registry files)See also Account Information Databases.. + + + +The Backup Domain Controller or BDC plays a key role in servicing network +authentication requests. The BDC is biased to answer logon requests in preference to the PDC. +On a network segment that has a BDC and a PDC, the BDC will most likely service network +logon requests. The PDC will answer network logon requests when the BDC is too busy (high load). +A BDC can be promoted to a PDC. If the PDC is online at the time that a BDC is promoted to +PDC, the previous PDC is automatically demoted to a BDC. With Samba-3, this is not an automatic +operation; the PDC and BDC must be manually configured and changes also need to be made. + + + +With MS Windows NT4, a decision is made at installation to determine what type of machine the server will be. +It is possible to promote a BDC to a PDC and vice versa. The only way +to convert a Domain Controller to a Domain Member server or a Stand-alone Server is to +reinstall it. The install time choices offered are: + + + + Primary Domain Controller &smbmdash; the one that seeds the domain SAM. + Backup Domain Controller &smbmdash; one that obtains a copy of the domain SAM. + Domain Member Server &smbmdash; one that has no copy of the domain SAM, rather it obtains authentication from a Domain Controller for all access controls. + Stand-alone Server &smbmdash; one that plays no part is SAM synchronization, has its own authentication database and plays no role in Domain Security. + + + +With MS Windows 2000, the configuration of Domain Control is done after the server has been +installed. Samba-3 is capable of acting fully as a native member of a Windows 200x server +Active Directory domain. + + + +replicationSAM +New to Samba-3 is the ability to function fully as an MS Windows NT4-style Domain Controller, +excluding the SAM replication components. However, please be aware that Samba-3 also supports the +MS Windows 200x Domain Control protocols. + + + +At this time any appearance that Samba-3 is capable of acting as an +Domain Controller in native ADS mode is limited and experimental in nature. +This functionality should not be used until the Samba Team offers formal support for it. +At such a time, the documentation will be revised to duly reflect all configuration and +management requirements. Samba can act as a NT4-style DC in a Windows 2000/XP +environment. However, there are certain compromises: + + + No machine policy files. + No Group Policy Objects. + No synchronously executed AD logon scripts. + Can't use Active Directory management tools to manage users and machines. + Registry changes tattoo the main registry, while with AD they do not leave permanent changes in effect. + Without AD you cannot perform the function of exporting specific applications to specific users or groups. + + + + + + +Preparing for Domain Control + + +There are two ways that MS Windows machines may interact with each other, with other servers +and with Domain Controllers: either as Stand-alone systems, more commonly +called Workgroup members, or as full participants in a security system, +more commonly called Domain members. + + + +It should be noted that Workgroup membership involves no special configuration +other than the machine being configured so the network configuration has a commonly used name +for its workgroup entry. It is not uncommon for the name WORKGROUP to be used for this. With this +mode of configuration, there are no Machine Trust Accounts and any concept of membership as such +is limited to the fact that all machines appear in the network neighborhood to be logically +grouped together. Again, just to be clear: workgroup mode does not involve security machine +accounts. + + + +Domain Member machines have a machine account in the Domain accounts database. A special procedure +must be followed on each machine to effect Domain Membership. This procedure, which can be done +only by the local machine Administrator account, will create the Domain machine account (if it does +not exist), and then initializes that account. When the client first logs onto the +Domain it triggers a machine password change. + + + +When Samba is configured as a Domain Controller, secure network operation demands that +all MS Windows NT4/200x/XP Professional clients should be configured as Domain Members. +If a machine is not made a member of the Domain, then it will operate like a workgroup +(Stand-alone) machine. Please refer to Domain Membership chapter for +information regarding Domain Membership. + + + +The following are necessary for configuring Samba-3 as an MS Windows NT4-style PDC for MS Windows +NT4/200x/XP clients: + + + + Configuration of basic TCP/IP and MS Windows networking. + Correct designation of the Server Role (securityuser). + Consistent configuration of Name ResolutionSee Network Browsing, and + Integrating MS Windows Networks with Samba.. + Domain logons for Windows NT4/200x/XP Professional clients. + Configuration of Roaming Profiles or explicit configuration to force local profile usage. + Configuration of network/system policies. + Adding and managing domain user accounts. + Configuring MS Windows client machines to become Domain Members. + + + +The following provisions are required to serve MS Windows 9x/Me clients: + + + + Configuration of basic TCP/IP and MS Windows networking. + Correct designation of the server role (securityuser). + Network Logon Configuration (since Windows 9x/Me/XP Home are not technically domain + members, they do not really participate in the security aspects of Domain logons as such). + Roaming Profile Configuration. + Configuration of System Policy handling. + Installation of the network driver Client for MS Windows Networks and configuration + to log onto the domain. + Placing Windows 9x/Me clients in User Level Security &smbmdash; if it is desired to allow + all client share access to be controlled according to domain user/group identities. + Adding and managing domain user accounts. + + + +Roaming Profiles and System/Network policies are advanced network administration topics +that are covered in the Desktop Profile Management and +System and Account Policies chapters of this document. However, these are not +necessarily specific to a Samba PDC as much as they are related to Windows NT networking concepts. + + + +A Domain Controller is an SMB/CIFS server that: + + + + + Registers and advertises itself as a Domain Controller (through NetBIOS broadcasts + as well as by way of name registrations either by Mailslot Broadcasts over UDP broadcast, + to a WINS server over UDP uni-cast, or via DNS and Active Directory). + + + + Provides the NETLOGON service. (This is actually a collection of services that runs over + multiple protocols. These include the LanMan Logon service, the Netlogon service, + the Local Security Account service, and variations of them.) + + + + Provides a share called NETLOGON. + + + + +It is rather easy to configure Samba to provide these. Each Samba Domain Controller must provide +the NETLOGON service that Samba calls the domain logons functionality +(after the name of the parameter in the &smb.conf; file). Additionally, one server in a Samba-3 +Domain must advertise itself as the Domain Master BrowserSee Network Browsing.. +This causes the Primary Domain Controller to claim a domain-specific NetBIOS name that identifies it as a +Domain Master Browser for its given domain or workgroup. Local master browsers in the same domain or workgroup on +broadcast-isolated subnets then ask for a complete copy of the browse list for the whole wide area network. +Browser clients will then contact their Local Master Browser, and will receive the domain-wide browse list, +instead of just the list for their broadcast-isolated subnet. + + + + + + +Domain Control &smbmdash; Example Configuration + + +The first step in creating a working Samba PDC is to understand the parameters necessary +in &smb.conf;. An example &smb.conf; for acting as a PDC can be found in the next example. + + + + +smb.conf for being a PDC +[global] +netbios nameBELERIAND +workgroup&example.workgroup; +passdb backendtdbsam +os level33 +preferred masteryes +domain masteryes +local masteryes +securityuser +domain logonsyes +logon path\\%N\profiles\%u +logon driveH: +logon home\\homeserver\%u\winprofile +logon scriptlogon.cmd + +[netlogon] +path/var/lib/samba/netlogon +read onlyyes +write listntadmin + +[profiles] +path/var/lib/samba/profiles +read onlyno +create mask0600 +directory mask0700 + + + + +The basic options shown in this example are explained as follows: + + + + passdb backend + + This contains all the user and group account information. Acceptable values for a PDC + are: smbpasswd, tdbsam, and ldapsam. The guest entry provides + default accounts and is included by default, there is no need to add it explicitly. + + + Where use of backup Domain Controllers (BDCs) is intended, the only logical choice is + to use LDAP so the passdb backend can be distributed. The tdbsam and smbpasswd files + cannot effectively be distributed and therefore should not be used. + + + Domain Control Parameters + + The parameters os level, preferred master, domain master, security, + encrypt passwords, and domain logons play a central role in assuring domain + control and network logon support. + + + The os level must be set at or above a value of 32. A Domain Controller + must be the Domain Master Browser, must be set in user mode security, + must support Microsoft-compatible encrypted passwords, and must provide the network logon + service (domain logons). Encrypted passwords must be enabled. For more details on how + to do this, refer to Account Information Databases. + + + Environment Parameters + + The parameters logon path, logon home, logon drive, and logon script are + environment support settings that help to facilitate client logon operations and that help + to provide automated control facilities to ease network management overheads. Please refer + to the man page information for these parameters. + + + NETLOGON Share + + The NETLOGON share plays a central role in domain logon and Domain Membership support. + This share is provided on all Microsoft Domain Controllers. It is used to provide logon + scripts, to store Group Policy files (NTConfig.POL), as well as to locate other common + tools that may be needed for logon processing. This is an essential share on a Domain Controller. + + + PROFILE Share + + This share is used to store user desktop profiles. Each user must have a directory at the root + of this share. This directory must be write-enabled for the user and must be globally read-enabled. + Samba-3 has a VFS module called fake_permissions that may be installed on this share. This will + allow a Samba administrator to make the directory read-only to everyone. Of course this is useful + only after the profile has been properly created. + + + + + +The above parameters make for a full set of parameters that may define the server's mode +of operation. The following &smb.conf; parameters are the essentials alone: + + + + +netbios nameBELERIAND +workgroup&example.workgroup; +domain logonsYes +domain masterYes +securityUser + + + + +The additional parameters shown in the longer listing above just makes for +a more complete explanation. + + + + + +Samba ADS Domain Control + + +Samba-3 is not, and cannot act as, an Active Directory Server. It cannot truly function as +an Active Directory Primary Domain Controller. The protocols for some of the functionality +of Active Directory Domain Controllers has been partially implemented on an experimental +only basis. Please do not expect Samba-3 to support these protocols. Do not depend +on any such functionality either now or in the future. The Samba Team may remove these +experimental features or may change their behavior. This is mentioned for the benefit of those +who have discovered secret capabilities in Samba-3 and who have asked when this functionality will be +completed. The answer is maybe or maybe never! + + + +To be sure, Samba-3 is designed to provide most of the functionality that Microsoft Windows NT4-style +Domain Controllers have. Samba-3 does not have all the capabilities of Windows NT4, but it does have +a number of features that Windows NT4 domain controllers do not have. In short, Samba-3 is not NT4 and it +is not Windows Server 200x, it is not an Active Directory server. We hope this is plain and simple +enough for all to understand. + + + + + +Domain and Network Logon Configuration + + +The subject of Network or Domain Logons is discussed here because it forms +an integral part of the essential functionality that is provided by a Domain Controller. + + + +Domain Network Logon Service + + +All Domain Controllers must run the netlogon service (domain logons +in Samba). One Domain Controller must be configured with domain masterYes +(the Primary Domain Controller); on all Backup Domain Controllers domain masterNo +must be set. + + + +Example Configuration + + +smb.conf for being a PDC +[global] +domain logonsYes +domain master(Yes on PDC, No on BDCs) + +[netlogon] +commentNetwork Logon Service +path/var/lib/samba/netlogon +guest okYes +browseableNo + + + + +The Special Case of MS Windows XP Home Edition + + +To be completely clear: If you want MS Windows XP Home Edition to integrate with your +MS Windows NT4 or Active Directory Domain Security, understand it cannot be done. +The only option is to purchase the upgrade from MS Windows XP Home Edition to +MS Windows XP Professional. + + + +MS Windows XP Home Edition does not have the ability to join any type of Domain +Security facility. Unlike MS Windows 9x/Me, MS Windows XP Home Edition also completely +lacks the ability to log onto a network. + + + +Now that this has been said, please do not ask the mailing list or email any of the +Samba Team members with your questions asking how to make this work. It can't be done. +If it can be done, then to do so would violate your software license agreement with +Microsoft, and we recommend that you do not do that. + + + + + +The Special Case of Windows 9x/Me + + +A domain and a workgroup are exactly the same in terms of network +browsing. The difference is that a distributable authentication +database is associated with a domain, for secure login access to a +network. Also, different access rights can be granted to users if they +successfully authenticate against a domain logon server. Samba-3 does this +now in the same way as MS Windows NT/200x. + + + +The SMB client logging on to a domain has an expectation that every other +server in the domain should accept the same authentication information. +Network browsing functionality of domains and workgroups is identical and +is explained in this documentation under the browsing discussions. +It should be noted that browsing is totally orthogonal to logon support. + + + +Issues related to the single-logon network model are discussed in this +section. Samba supports domain logons, network logon scripts and user +profiles for MS Windows for workgroups and MS Windows 9X/ME clients, +which are the focus of this section. + + + +When an SMB client in a domain wishes to logon, it broadcasts requests for a +logon server. The first one to reply gets the job, and validates its +password using whatever mechanism the Samba administrator has installed. +It is possible (but ill advised ) to create a domain where the user +database is not shared between servers, i.e., they are effectively workgroup +servers advertising themselves as participating in a domain. This +demonstrates how authentication is quite different from but closely +involved with domains. + + + +Using these features you can make your clients verify their logon via +the Samba server; make clients run a batch file when they logon to +the network and download their preferences, desktop and start menu. + + + +MS Windows XP Home edition is not able to join a domain and does not permit +the use of domain logons. + + + +Before launching into the configuration instructions, it is +worthwhile to look at how a Windows 9x/Me client performs a logon: + + + + + + The client broadcasts (to the IP broadcast address of the subnet it is in) + a NetLogon request. This is sent to the NetBIOS name DOMAIN<#1c> at the + NetBIOS layer. The client chooses the first response it receives, which + contains the NetBIOS name of the logon server to use in the format of + \\SERVER. + + + + + + The client connects to that server, logs on (does an SMBsessetupX) and + then connects to the IPC$ share (using an SMBtconX). + + + + + + The client does a NetWkstaUserLogon request, which retrieves the name + of the user's logon script. + + + + + + The client then connects to the NetLogon share and searches for said script. + If it is found and can be read, it is retrieved and executed by the client. + After this, the client disconnects from the NetLogon share. + + + + + + The client sends a NetUserGetInfo request to the server to retrieve + the user's home share, which is used to search for profiles. Since the + response to the NetUserGetInfo request does not contain much more than + the user's home share, profiles for Windows 9x clients must reside in the user + home directory. + + + + + + The client connects to the user's home share and searches for the + user's profile. As it turns out, you can specify the user's home share as + a share name and path. For example, \\server\fred\.winprofile. + If the profiles are found, they are implemented. + + + + + + The client then disconnects from the user's home share and reconnects to + the NetLogon share and looks for CONFIG.POL, the policies file. If this is + found, it is read and implemented. + + + + + +The main difference between a PDC and a Windows 9x/Me logon server configuration is: + + + + + Password encryption is not required for a Windows 9x/Me logon server. But note + that beginning with MS Windows 98 the default setting is that plain-text + password support is disabled. It can be re-enabled with the registry + changes that are documented in System and Account Policies. + + + + Windows 9x/Me clients do not require and do not use Machine Trust Accounts. + + + + +A Samba PDC will act as a Windows 9x/Me logon server; after all, it does provide the +network logon services that MS Windows 9x/Me expect to find. + + + +Use of plain-text passwords is strongly discouraged. Where used they are easily detected +using a sniffer tool to examine network traffic. + + + + + + +Security Mode and Master Browsers + + +There are a few comments to make in order to tie up some loose ends. There has been +much debate over the issue of whether it is okay to configure Samba as a Domain +Controller in security modes other than user. The only security mode that will +not work due to technical reasons is share-mode security. Domain and server mode +security are really just a variation on SMB User Level Security. + + + +Actually, this issue is also closely tied to the debate on whether +Samba must be the Domain Master Browser for its workgroup +when operating as a DC. While it may technically be possible +to configure a server as such (after all, browsing and domain logons +are two distinctly different functions), it is not a good idea to do +so. You should remember that the DC must register the DOMAIN<#1b> NetBIOS +name. This is the name used by Windows clients to locate the DC. +Windows clients do not distinguish between the DC and the DMB. +A DMB is a Domain Master Browser &smbmdash; see Configuring WORKGROUP Browsing section. +For this reason, it is wise to configure the Samba DC as the DMB. + + + +Now back to the issue of configuring a Samba DC to use a mode other than +securityuser. If a Samba host is +configured to use another SMB server or DC in order to validate user connection requests, +it is a fact that some other machine on the network (the password server) +knows more about the user than the Samba host. About 99% of the time, this other host is +a Domain Controller. Now to operate in domain mode security, the workgroup +parameter must be set to the name of the Windows NT domain (which already has a Domain Controller). +If the domain does not already have a Domain Controller, you do not yet have a Domain. + + + +Configuring a Samba box as a DC for a domain that already by definition has a +PDC is asking for trouble. Therefore, you should always configure the Samba DC +to be the DMB for its domain and set securityuser. +This is the only officially supported mode of operation. + + + + + + + +Common Errors + + + <quote>$</quote> Cannot Be Included in Machine Name + +A machine account, typically stored in /etc/passwd, takes the form of the machine +name with a $ appended. FreeBSD (and other BSD systems) will not create a user with a +$ in the name. + + + +The problem is only in the program used to make the entry. Once made, it works perfectly. +Create a user without the $. Then use vipw to edit the entry, adding +the $. Or create the whole entry with vipw if you like; make sure you use a unique user login ID. + + +The machine account must have the exact name that the workstation has. + + +The UNIX tool vipw is a common tool for directly editing the /etc/passwd file. + + + + + +Joining Domain Fails Because of Existing Machine Account + + +I get told, `You already have a connection to the Domain....' or `Cannot join domain, the +credentials supplied conflict with an existing set...' when creating a Machine Trust Account. + + + +This happens if you try to create a Machine Trust Account from the machine itself and already have a +connection (e.g., mapped drive) to a share (or IPC$) on the Samba PDC. The following command +will remove all network drive connections: + +&dosprompt;net use * /d + + + + +Further, if the machine is already a member of a workgroup that +is the same name as the domain you are joining (bad idea) you will +get this message. Change the workgroup name to something else, it +does not matter what, reboot, and try again. + + + + +The System Cannot Log You On (C000019B) + +I joined the domain successfully but after upgrading +to a newer version of the Samba code I get the message, `The system +cannot log you on (C000019B), Please try again or consult your +system administrator when attempting to logon.' + + + +SID +This occurs when the domain SID stored in the secrets.tdb database +is changed. The most common cause of a change in domain SID is when +the domain name and/or the server name (NetBIOS name) is changed. +The only way to correct the problem is to restore the original domain +SID or remove the domain client from the domain and rejoin. The domain +SID may be reset using either the net or rpcclient utilities. + + + +To reset or change the domain SID you can use the net command as follows: + + +&rootprompt;net getlocalsid 'OLDNAME' +&rootprompt;net setlocalsid 'SID' + + + + +Workstation Machine Trust Accounts work only with the Domain (or network) SID. If this SID changes +Domain Members (workstations) will not be able to log onto the domain. The original Domain SID +can be recovered from the secrets.tdb file. The alternative is to visit each workstation to re-join +it to the domain. + + + + + +The Machine Trust Account Is Not Accessible + + +When I try to join the domain I get the message, `The machine account +for this computer either does not exist or is not accessible'. What's +wrong? + + + +This problem is caused by the PDC not having a suitable Machine Trust Account. +If you are using the add machine script method to create +accounts then this would indicate that it has not worked. Ensure the domain +admin user system is working. + + + +Alternately, if you are creating account entries manually then they +have not been created correctly. Make sure that you have the entry +correct for the Machine Trust Account in smbpasswd file on the Samba PDC. +If you added the account using an editor rather than using the smbpasswd +utility, make sure that the account name is the machine NetBIOS name +with a $ appended to it (i.e., computer_name$). There must be an entry +in both /etc/passwd and the smbpasswd file. + + + +Some people have also reported that inconsistent subnet masks between the Samba server and the NT +client can cause this problem. Make sure that these are consistent for both client and server. + + + + +Account Disabled + +When I attempt to login to a Samba Domain from a NT4/W200x workstation, +I get a message about my account being disabled. + + +Enable the user accounts with smbpasswd -e username +. This is normally done as an account is created. + + + + + +Domain Controller Unavailable + +Until a few minutes after Samba has started, clients get the error `Domain Controller Unavailable' + + +A Domain Controller has to announce its role on the network. This usually takes a while. Be patient for up to fifteen minutes, +then try again. + + + + +Cannot Log onto Domain Member Workstation After Joining Domain + + +schannel +signing +After successfully joining the domain, user logons fail with one of two messages: one to the +effect that the Domain Controller cannot be found; the other claims that the account does not +exist in the domain or that the password is incorrect. This may be due to incompatible +settings between the Windows client and the Samba-3 server for schannel +(secure channel) settings or smb signing settings. Check your Samba +settings for client schannel, server schannel, client signing, server signing +by executing: + +testparm -v | more and looking for the value of these parameters. + + + + +Also use the Microsoft Management Console &smbmdash; Local Security Settings. This tool is available from the +Control Panel. The Policy settings are found in the Local Policies/Security Options area and are prefixed by +Secure Channel: ..., and Digitally sign ..... + + + +It is important that these be set consistently with the Samba-3 server settings. + + + + + +
-- cgit