From 05b2b2cdd4895b6d2a4d345192bfd4fed1e0ec25 Mon Sep 17 00:00:00 2001 From: Gerald Carter Date: Fri, 1 Jun 2001 11:50:38 +0000 Subject: syncing up with SAMBA_2_2 (This used to be commit 1bc58c21b15fcdb0a504d051f60e20c4e24441e6) --- docs/htmldocs/Samba-PDC-HOWTO.html | 1631 +++++++++++++++++++++++++++++------- 1 file changed, 1339 insertions(+), 292 deletions(-) (limited to 'docs/htmldocs/Samba-PDC-HOWTO.html') diff --git a/docs/htmldocs/Samba-PDC-HOWTO.html b/docs/htmldocs/Samba-PDC-HOWTO.html index 668f7f9aff..883de3a0ab 100644 --- a/docs/htmldocs/Samba-PDC-HOWTO.html +++ b/docs/htmldocs/Samba-PDC-HOWTO.html @@ -1,7 +1,7 @@ How to Configure Samba 2.2.x as a Primary Domain ControllerHow to Configure Samba 2.2 as a Primary Domain ControllerHow to Configure Samba 2.2.x as a Primary Domain ControllerHow to Configure Samba 2.2 as a Primary Domain Controller
Prerequisite Reading

Before you continue readingin this chapter, please make sure +that you are comfortable with configuring basic files services +in smb.conf and how to enable and administrate password +encryption in Samba. Theses two topics are covered in the +smb.conf(5) +manpage and the Encryption chapter +of this HOWTO Collection.

Background

Note: Author's Note : This document -is a combination of David Bannon's Samba 2.2 PDC HOWTO -and the Samba NT Domain FAQ. Both documents are superceeded by this one.

This document is a combination +of David Bannon's Samba 2.2 PDC HOWTO and the Samba NT Domain FAQ. +Both documents are superceeded by this one.

Version of Samba prior to release 2.2 had marginal capabilities to -act as a Windows NT 4.0 Primary Domain Controller (PDC). The following -functionality should work in 2.2.0:

UNIX_INSTALL.html, please make sure +that your server is configured correctly before proceeding. Another good +resource in the smb.conf(5) man +page. The following functionality should work in 2.2:

Windows 2000 Service Pack 2 Clients

Samba 2.2.1 is required for PDC functionality when using Windows 2000 + SP2 clients. +

The following pieces of functionality are not included in the 2.2 release:

Beginning with Samba 2.2.0, we are proud to announce official -support for Windows NT 4.0 style domain logons from Windows NT -4.0 and Windows 2000 (including SP1) clients. This article -outlines the steps necessary for configuring Samba as a PDC. -Note that it is necessary to have a working Samba server -prior to implementing the PDC functionality. If you have not -followed the steps outlined in UNIX_INSTALL.html, please make sure that your server -is configured correctly before proceeding. Another good -resource in the smb.conf(5) man -page.

Implementing a Samba PDC can basically be divided into 2 broad steps.

  • Configuring the Samba Domain Controller +> Configuring the Samba PDC

  • Creating machine trust accounts - and joining clients to the domain

    Creating machine trust accounts and joining clients + to the domain +

    • Configuring the Samba Domain Controller

    = \\homeserver\%u ; specify a generic logon script for all users - ; this is a relative path to the [netlogon] share + ; this is a relative **DOS** path to the [netlogon] share = 0700

    There are a couple of points to emphasize in the above -configuration.

    There are a couple of points to emphasize in the above configuration.

    As Samba 2.2 does not offer a complete implementation of group mapping between Windows NT groups and UNIX groups (this is really quite complicated to explain in a short space), you should refer to the domain admin users

    Creating Machine Trust Accounts and Joining Clients to the Domain

    First you must understand what a machine trust account is and what -it is used for.

    A machine trust account is a user account owned by a computer. +>A machine trust account is a samba user account owned by a computer. The account password acts as the shared secret for secure -communication with the Domain Controller. Hence the reason that -a Windows 9x host is never a true member of a domain because -it does not posses a machine trust account and thus has no shared -secret with the DC.

    On a Windows NT PDC, these machine trust account passwords are stored -in the registry. A Samba PDC stores these accounts in he same location +in the registry. A Samba PDC stores these accounts in the same location as user LanMan and NT password hashes (currently smbpasswd). -However, machine trust accounts only possess the NT password hash.

    Because Samba requires machine accounts to possess a UNIX uid from +which an Windows NT SID can be generated, all of these accounts +must have an entry in /etc/passwd and smbpasswd. +Future releases will alleviate the need to create +/etc/passwd entries.

    There are two means of creating machine trust accounts.

    Manually creating machine trust accounts

    Because Samba requires machine accounts to possess a UNIX uid from -which an Windows NT SID can be generated, all of these accounts -will have an entry in /etc/passwd and smbpasswd. -Future releases will alleviate the need to create -/etc/passwd entries.

    The first step in creating a machine trust account by hand is to +create an entry for the machine in /etc/passwd. This can be done +using vipw or any 'add userr' command which is normally +used to create new UNIX accounts. The following is an example for a Linux +based Samba server:

    root# /usr/sbin/useradd -g 100 -d /dev/null -c machine_nickname -m -s /bin/false machine_name$

    The 

    doppy$:x:505:501:NTMachine:/dev/null:/bin/false
    doppy$:x:505:501:machine_nickname:/dev/null:/bin/false

    If you are manually creating the machine accounts, it is necessary -to add the /etc/passwd (or NIS passwd -map) entry prior to adding the smbpasswd -entry. The following command will create a new machine account -ready for use.

    Above, machine_nickname can be any descriptive name for the +pc i.e. BasementComputer. The machine_name absolutely must be +the netbios name of the pc to be added to the domain. The "$" must append the netbios +name of the pc or samba will not recognize this as a machine account

    Now that the UNIX account has been created, the next step is to create +the smbpasswd entry for the machine containing the well known initial +trust account password. This can be done using the smbpasswd(8) command +as shown here:

    machine_name is the machine's netbios -name.

    If you manually create a machine account, immediately join -the client to the domain. An open account like this -can allow intruders to gain access to user account information -in your domain.

    The second way of creating machine trust accounts is to add -them on the fly at the time the client is joined to the domain. -You will need to include a value for the -

    Join the client to the domain immediately

    Manually creating a machine trust account using this method is the + equivalent of creating a machine account on a Windows NT PDC using + the "Server Manager". From the time at which the account is created + to the time which th client joins the domain and changes the password, + your domain is vulnerable to an intruder joining your domain using a + a machine with the same netbios name. A PDC inherently trusts + members of the domain and will serve out a large degree of user + information to such clients. You have been warned! +

    Creating machine trust accounts "on the fly"

    The second, and most recommended way of creating machine trust accounts +is to create them as needed at the time the client is joined to +the domain. You will need to include a value for the add user script -parameter. Below is an example I use on a RedHat 6.2 Linux system.

    add user script = /usr/sbin/useradd -d /dev/null -g 100 -s /bin/false -M %u

    In Samba 2.2.0, In Samba 2.2.1, only the root account can be used to create -machine accounts on the fly like this. Therefore, it is required -to create an entry in smbpasswd for root. -The password . The password +SHOULD be set to s different -password that the associated be set to s different password that the +associated /etc/passwd -entry for security reasons.

    entry for security reasons.

    Common Problems and Errors

    System Policies and Profiles

    Here are some additional details:

    What other help can I get ?

    An SMB enabled version of tcpdump is available from - http://www.tcpdup.org/

  • How do I install 'Network Monitor' on an NT Workstation -or a Windows 9x box?

    +

    Installing netmon on an NT workstation requires a couple of steps. The following are for installing Netmon V4.00.349, which comes @@ -935,14 +1201,11 @@ CLASS="FILENAME" information on how to do this. Copy the files from a working Netmon installation.

  • The following is a list if helpful URLs and other links: +

    • Mailing Lists

    Domain Control for Windows 9x/ME

    Note: The following section contains much of the original +DOMAIN.txt file previously included with Samba. Much of +the material is based on what went into the book Special +Edition, Using Samba. (Richard Sharpe)

    A domain and a workgroup are exactly the same thing in terms of network +browsing. The difference is that a distributable authentication +database is associated with a domain, for secure login access to a +network. Also, different access rights can be granted to users if they +successfully authenticate against a domain logon server (NT server and +other systems based on NT server support this, as does at least Samba TNG now).

    The SMB client logging on to a domain has an expectation that every other +server in the domain should accept the same authentication information. +Network browsing functionality of domains and workgroups is +identical and is explained in BROWSING.txt. It should be noted, that browsing +is total orthogonal to logon support.

    Issues related to the single-logon network model are discussed in this +document. Samba supports domain logons, network logon scripts, and user +profiles for MS Windows for workgroups and MS Windows 9X clients.

    When an SMB client in a domain wishes to logon it broadcast requests for a +logon server. The first one to reply gets the job, and validates its +password using whatever mechanism the Samba administrator has installed. +It is possible (but very stupid) to create a domain where the user +database is not shared between servers, ie they are effectively workgroup +servers advertising themselves as participating in a domain. This +demonstrates how authentication is quite different from but closely +involved with domains.

    Another thing commonly associated with single-logon domains is remote +administration over the SMB protocol. Again, there is no reason why this +cannot be implemented with an underlying username database which is +different from the Windows NT SAM. Support for the Remote Administration +Protocol is planned for a future release of Samba.

    Network logon support as discussed in this section is aimed at Window for +Workgroups, and Windows 9X clients.

    Support for profiles is confirmed as working for Win95, NT 4.0 and NT 3.51. +It is possible to specify: the profile location; script file to be loaded +on login; the user's home directory; and for NT a kick-off time could also +now easily be supported. However, there are some differences between Win9X +profile support and WinNT profile support. These are discussed below.

    With NT Workstations, all this does not require the use or intervention of +an NT 4.0 or NT 3.51 server: Samba can now replace the logon services +provided by an NT server, to a limited and experimental degree (for example, +running "User Manager for Domains" will not provide you with access to +a domain created by a Samba Server).

    With Win95, the help of an NT server can be enlisted, both for profile storage +and for user authentication. For details on user authentication, see +security_level.txt. For details on profile storage, see below.

    Using these features you can make your clients verify their logon via +the Samba server; make clients run a batch file when they logon to +the network and download their preferences, desktop and start menu.

    Before launching into the configuration instructions, it is worthwhile looking +at how a Win9X client performs a logon:

    1. The client broadcasts (to the IP broadcast address of the subnet it is in) + a NetLogon request. This is sent to the NetBIOS address DOMAIN<00> at the + NetBIOS layer. The client chooses the first response it receives, which + contains the NetBIOS name of the logon server to use in the format of + \\SERVER. +

    2. The client then connects to that server, logs on (does an SMBsessetupX) and + then connects to the IPC$ share (using an SMBtconX). +

    3. The client then does a NetWkstaUserLogon request, which retrieves the name + of the user's logon script. +

    4. The client then connects to the NetLogon share and searches for this + and if it is found and can be read, is retrieved and executed by the client. + After this, the client disconnects from the NetLogon share. +

    5. The client then sends a NetUserGetInfo request to the server, to retrieve + the user's home share, which is used to search for profiles. Since the + response to the NetUserGetInfo request does not contain much more + the user's home share, profiles for Win9X clients MUST reside in the user + home directory. +

    6. The client then connects to the user's home share and searches for the + user's profile. As it turns out, you can specify the users home share as + a sharename and path. For example, \\server\fred\.profile. + If the profiles are found, they are implemented. +

    7. The client then disconnects from the user's home share, and reconnects to + the NetLogon share and looks for CONFIG.POL, the policies file. If this is + found, it is read and implemented. +

    Configuration Instructions: Network Logons

    To use domain logons and profiles you need to do the following:

    1. Create a share called [netlogon] in your smb.conf. This share should + be readable by all users, and probably should not be writeable. This + share will hold your network logon scripts, and the CONFIG.POL file + (Note: for details on the CONFIG.POL file, how to use it, what it is, + refer to the Microsoft Windows NT Administration documentation. + The format of these files is not known, so you will need to use + Microsoft tools). +

      For example I have used: + 

      [netlogon]
+     path = /data/dos/netlogon
+     writeable = no
+     guest ok = no

      Note that it is important that this share is not writeable by ordinary + users, in a secure environment: ordinary users should not be allowed + to modify or add files that another user's computer would then download + when they log in. +

    2. in the [global] section of smb.conf set the following: + 

      domain logons = yes
+logon script = %U.bat
+

      The choice of batch file is, of course, up to you. The above would + give each user a separate batch file as the %U will be changed to + their username automatically. The other standard % macros may also be + used. You can make the batch files come from a subdirectory by using + something like: + 

      logon script = scripts\%U.bat
+

    3. create the batch files to be run when the user logs in. If the batch + file doesn't exist then no batch file will be run. +

      In the batch files you need to be careful to use DOS style cr/lf line + endings. If you don't then DOS may get confused. I suggest you use a + DOS editor to remotely edit the files if you don't know how to produce + DOS style files under unix. +

    4. Use smbclient with the -U option for some users to make sure that + the \\server\NETLOGON share is available, the batch files are + visible and they are readable by the users. +

    5. you will probabaly find that your clients automatically mount the + \\SERVER\NETLOGON share as drive z: while logging in. You can put + some useful programs there to execute from the batch files. +

    security mode and master browsers

    There are a few comments to make in order to tie up some +loose ends. There has been much debate over the issue of whether +or not it is ok to configure Samba as a Domain Controller in security +modes other than USER. The only security mode +which will not work due to technical reasons is SHARE +mode security. DOMAIN and SERVER +mode security is really just a variation on SMB user level security.

    Actually, this issue is also closer tied to the debate on whether +or not Samba must be the domain master browser for its workgroup +when operating as a DC. While it may technically be possible +to configure a server as such (after all, browsing and domain logons +are two distinctly different functions), it is not a good idea to +so. You should remember that the DC must register the DOMAIN#1b netbios +name. This is the name used by Windows clients to locate the DC. +Windows clients do not distinguish between the DC and the DMB. +For this reason, it is very wise to configure the Samba DC as the DMB.

    Now back to the issue of configuring a Samba DC to use a mode other +than "security = user". If a Samba host is configured to use +another SMB server or DC in order to validate user connection +requests, then it is a fact that some other machine on the network +(the "password server") knows more about user than the Samba host. +99% of the time, this other host is a domain controller. Now +in order to operate in domain mode security, the "workgroup" parameter +must be set to the name of the Windows NT domain (which already +has a domain controller, right?)

    Therefore configuring a Samba box as a DC for a domain that +already by definition has a PDC is asking for trouble. +Therefore, you should always configure the Samba DC to be the DMB +for its domain.

    Configuration Instructions: Setting up Roaming User Profiles

    Warning

    NOTE! Roaming profiles support is different +for Win9X and WinNT.

    Before discussing how to configure roaming profiles, it is useful to see how +Win9X and WinNT clients implement these features.

    Win9X clients send a NetUserGetInfo request to the server to get the user's +profiles location. However, the response does not have room for a separate +profiles location field, only the users home share. This means that Win9X +profiles are restricted to being in the user's home directory.

    WinNT clients send a NetSAMLogon RPC request, which contains many fields, +including a separate field for the location of the user's profiles. +This means that support for profiles is different for Win9X and WinNT.

    Windows NT Configuration

    To support WinNT clients, inn the [global] section of smb.conf set the +following (for example):

    logon path = \\profileserver\profileshare\profilepath\%U\moreprofilepath

    The default for this option is \\%N\%U\profile, namely +\\sambaserver\username\profile. The \\N%\%U service is created +automatically by the [homes] service. +If you are using a samba server for the profiles, you _must_ make the +share specified in the logon path browseable.

    Note: [lkcl 26aug96 - we have discovered a problem where Windows clients can +maintain a connection to the [homes] share in between logins. The +[homes] share must NOT therefore be used in a profile path.]

    Windows 9X Configuration

    To support Win9X clients, you must use the "logon home" parameter. Samba has +now been fixed so that "net use/home" now works as well, and it, too, relies +on the "logon home" parameter.

    By using the logon home parameter, you are restricted to putting Win9X +profiles in the user's home directory. But wait! There is a trick you +can use. If you set the following in the [global] section of your +smb.conf file:

    logon home = \\%L\%U\.profiles

    then your Win9X clients will dutifully put their clients in a subdirectory +of your home directory called .profiles (thus making them hidden).

    Not only that, but 'net use/home' will also work, because of a feature in +Win9X. It removes any directory stuff off the end of the home directory area +and only uses the server and share portion. That is, it looks like you +specified \\%L\%U for "logon home".

    Win9X and WinNT Configuration

    You can support profiles for both Win9X and WinNT clients by setting both the +"logon home" and "logon path" parameters. For example:

    logon home = \\%L\%U\.profiles
+logon path = \\%L\profiles\%U

    Note: I have not checked what 'net use /home' does on NT when "logon home" is +set as above.

    Windows 9X Profile Setup

    When a user first logs in on Windows 9X, the file user.DAT is created, +as are folders "Start Menu", "Desktop", "Programs" and "Nethood". +These directories and their contents will be merged with the local +versions stored in c:\windows\profiles\username on subsequent logins, +taking the most recent from each. You will need to use the [global] +options "preserve case = yes", "short case preserve = yes" and +"case sensitive = no" in order to maintain capital letters in shortcuts +in any of the profile folders.

    The user.DAT file contains all the user's preferences. If you wish to +enforce a set of preferences, rename their user.DAT file to user.MAN, +and deny them write access to this file.

    1. On the Windows 95 machine, go to Control Panel | Passwords and + select the User Profiles tab. Select the required level of + roaming preferences. Press OK, but do _not_ allow the computer + to reboot. +

    2. On the Windows 95 machine, go to Control Panel | Network | + Client for Microsoft Networks | Preferences. Select 'Log on to + NT Domain'. Then, ensure that the Primary Logon is 'Client for + Microsoft Networks'. Press OK, and this time allow the computer + to reboot. +

    Under Windows 95, Profiles are downloaded from the Primary Logon. +If you have the Primary Logon as 'Client for Novell Networks', then +the profiles and logon script will be downloaded from your Novell +Server. If you have the Primary Logon as 'Windows Logon', then the +profiles will be loaded from the local machine - a bit against the +concept of roaming profiles, if you ask me.

    You will now find that the Microsoft Networks Login box contains +[user, password, domain] instead of just [user, password]. Type in +the samba server's domain name (or any other domain known to exist, +but bear in mind that the user will be authenticated against this +domain and profiles downloaded from it, if that domain logon server +supports it), user name and user's password.

    Once the user has been successfully validated, the Windows 95 machine +will inform you that 'The user has not logged on before' and asks you +if you wish to save the user's preferences? Select 'yes'.

    Once the Windows 95 client comes up with the desktop, you should be able +to examine the contents of the directory specified in the "logon path" +on the samba server and verify that the "Desktop", "Start Menu", +"Programs" and "Nethood" folders have been created.

    These folders will be cached locally on the client, and updated when +the user logs off (if you haven't made them read-only by then :-). +You will find that if the user creates further folders or short-cuts, +that the client will merge the profile contents downloaded with the +contents of the profile directory already on the local client, taking +the newest folders and short-cuts from each set.

    If you have made the folders / files read-only on the samba server, +then you will get errors from the w95 machine on logon and logout, as +it attempts to merge the local and the remote profile. Basically, if +you have any errors reported by the w95 machine, check the unix file +permissions and ownership rights on the profile directory contents, +on the samba server.

    If you have problems creating user profiles, you can reset the user's +local desktop cache, as shown below. When this user then next logs in, +they will be told that they are logging in "for the first time".

    1. instead of logging in under the [user, password, domain] dialog, + press escape. +

    2. run the regedit.exe program, and look in: +

      HKEY_LOCAL_MACHINE\Windows\CurrentVersion\ProfileList +

      you will find an entry, for each user, of ProfilePath. Note the + contents of this key (likely to be c:\windows\profiles\username), + then delete the key ProfilePath for the required user. +

      [Exit the registry editor]. +

    3. WARNING - before deleting the contents of the + directory listed in + the ProfilePath (this is likely to be c:\windows\profiles\username), + ask them if they have any important files stored on their desktop + or in their start menu. delete the contents of the directory + ProfilePath (making a backup if any of the files are needed). +

      This will have the effect of removing the local (read-only hidden + system file) user.DAT in their profile directory, as well as the + local "desktop", "nethood", "start menu" and "programs" folders. +

    4. search for the user's .PWL password-cacheing file in the c:\windows + directory, and delete it. +

    5. log off the windows 95 client. +

    6. check the contents of the profile path (see "logon path" described + above), and delete the user.DAT or user.MAN file for the user, + making a backup if required. +

    If all else fails, increase samba's debug log levels to between 3 and 10, +and / or run a packet trace program such as tcpdump or netmon.exe, and +look for any error reports.

    If you have access to an NT server, then first set up roaming profiles +and / or netlogons on the NT server. Make a packet trace, or examine +the example packet traces provided with NT server, and see what the +differences are with the equivalent samba trace.

    Windows NT Workstation 4.0

    When a user first logs in to a Windows NT Workstation, the profile +NTuser.DAT is created. The profile location can be now specified +through the "logon path" parameter.

    Note: [lkcl 10aug97 - i tried setting the path to +\\samba-server\homes\profile, and discovered that this fails because +a background process maintains the connection to the [homes] share +which does _not_ close down in between user logins. you have to +have \\samba-server\%L\profile, where user is the username created +from the [homes] share].

    There is a parameter that is now available for use with NT Profiles: +"logon drive". This should be set to "h:" or any other drive, and +should be used in conjunction with the new "logon home" parameter.

    The entry for the NT 4.0 profile is a _directory_ not a file. The NT +help on profiles mentions that a directory is also created with a .PDS +extension. The user, while logging in, must have write permission to +create the full profile path (and the folder with the .PDS extension) +[lkcl 10aug97 - i found that the creation of the .PDS directory failed, +and had to create these manually for each user, with a shell script. +also, i presume, but have not tested, that the full profile path must +be browseable just as it is for w95, due to the manner in which they +attempt to create the full profile path: test existence of each path +component; create path component].

    In the profile directory, NT creates more folders than 95. It creates +"Application Data" and others, as well as "Desktop", "Nethood", +"Start Menu" and "Programs". The profile itself is stored in a file +NTuser.DAT. Nothing appears to be stored in the .PDS directory, and +its purpose is currently unknown.

    You can use the System Control Panel to copy a local profile onto +a samba server (see NT Help on profiles: it is also capable of firing +up the correct location in the System Control Panel for you). The +NT Help file also mentions that renaming NTuser.DAT to NTuser.MAN +turns a profile into a mandatory one.

    Note: [lkcl 10aug97 - i notice that NT Workstation tells me that it is +downloading a profile from a slow link. whether this is actually the +case, or whether there is some configuration issue, as yet unknown, +that makes NT Workstation _think_ that the link is a slow one is a +matter to be resolved].

    [lkcl 20aug97 - after samba digest correspondance, one user found, and +another confirmed, that profiles cannot be loaded from a samba server +unless "security = user" and "encrypt passwords = yes" (see the file +ENCRYPTION.txt) or "security = server" and "password server = ip.address. +of.yourNTserver" are used. either of these options will allow the NT +workstation to access the samba server using LAN manager encrypted +passwords, without the user intervention normally required by NT +workstation for clear-text passwords].

    [lkcl 25aug97 - more comments received about NT profiles: the case of +the profile _matters_. the file _must_ be called NTuser.DAT or, for +a mandatory profile, NTuser.MAN].

    Windows NT Server

    There is nothing to stop you specifying any path that you like for the +location of users' profiles. Therefore, you could specify that the +profile be stored on a samba server, or any other SMB server, as long as +that SMB server supports encrypted passwords.

    Sharing Profiles between W95 and NT Workstation 4.0

    Potentially outdated or incorrect material follows

    I think this is all bogus, but have not deleted it. (Richard Sharpe)

    The default logon path is \\%N\U%. NT Workstation will attempt to create +a directory "\\samba-server\username.PDS" if you specify the logon path +as "\\samba-server\username" with the NT User Manager. Therefore, you +will need to specify (for example) "\\samba-server\username\profile". +NT 4.0 will attempt to create "\\samba-server\username\profile.PDS", which +is more likely to succeed.

    If you then want to share the same Start Menu / Desktop with W95, you will +need to specify "logon path = \\samba-server\username\profile" [lkcl 10aug97 +this has its drawbacks: i created a shortcut to telnet.exe, which attempts +to run from the c:\winnt\system32 directory. this directory is obviously +unlikely to exist on a Win95-only host].

    If you have this set up correctly, you will find separate user.DAT and +NTuser.DAT files in the same profile directory.

    Note: [lkcl 25aug97 - there are some issues to resolve with downloading of +NT profiles, probably to do with time/date stamps. i have found that +NTuser.DAT is never updated on the workstation after the first time that +it is copied to the local workstation profile directory. this is in +contrast to w95, where it _does_ transfer / update profiles correctly].

    DOMAIN_CONTROL.txt : Windows NT Domain Control & Samba

    This appendix was originally authored by John H Terpstra of the Samba Team -and is included here for posterity.

    Possibly Outdated Material

    This appendix was originally authored by John H Terpstra of + the Samba Team and is included here for posterity. +

    Windows NT Server can be installed as either a plain file and print server (WORKGROUP workstation or server) or as a server that participates in Domain -Control (DOMAIN member, Primary Domain controller or Backup Domain controller).

    The same is true for OS/2 Warp Server, Digital Pathworks and other similar -products, all of which can participate in Domain Control along with Windows NT. -However only those servers which have licensed Windows NT code in them can be -a primary Domain Controller (eg Windows NT Server, Advanced Server for Unix.)

    To many people these terms can be confusing, so let's try to clear the air.