From f95fb5fe3941a0ef916ac85c6ccf4aecf17aaf39 Mon Sep 17 00:00:00 2001 From: Gerald Carter Date: Thu, 19 Apr 2001 21:33:44 +0000 Subject: large sync up with 2.2 (This used to be commit 96523293da19df201703fed6130f1ff9ba25324b) --- docs/htmldocs/samba-pdc-faq.html | 1509 ++++++++++++++++---------------------- 1 file changed, 637 insertions(+), 872 deletions(-) (limited to 'docs/htmldocs/samba-pdc-faq.html') diff --git a/docs/htmldocs/samba-pdc-faq.html b/docs/htmldocs/samba-pdc-faq.html index ec8efaff4b..058a5d5f51 100644 --- a/docs/htmldocs/samba-pdc-faq.html +++ b/docs/htmldocs/samba-pdc-faq.html @@ -44,45 +44,24 @@ NAME="AEN12" >

Comments, corrections and additions to <D.Bannon@latrobe.edu.au>

This is the FAQ for Samba 2.2 as an NTDomain controller. +> This is the FAQ for Samba 2.2 as an NTDomain controller. This document is derived from the origional FAQ that was built and - maintained by Gerald Carter - from the early days of Samba NTDomain development up until recently. - It is now being updated as significent changes are made to 2.2.0.

Please note it does not apply to Samba2.2alpha0, Samba2.2alpha1, Samba 2.0.7, TNG nor HEAD branch. -

I'll repeat, it does not apply to the current snapshot [ftp mirror]:/pub/samba/alpha/samba-2.2.0-alpha1.tar.gz, only to the to the current cvs.

Please note it does not apply to the SAMBA_TNG nor the HEAD branch. +

Also available is a Samba 2.2 PDC HowTo that takes you, step - by step, over the process of setting up a very basic Samba 2.2 Primary Domain Controller -

Note: Please read the Introduction for the current state of play.

HOWTO + that takes you, step by step, over the process of setting up a very basic Samba + 2.2 Primary Domain Controller +

1. Introduction
State of Play
Introduction
2. General Information
What can we do ?
What can Samba Primary Domain Controller (PDC) do ?What can Samba 2.2.x Primary Domain Controller (PDC) do ?
Can I have a Windows 2000 client logon to a Samba controlled domain?
What's the status of print spool (spoolss) support in the NTDOM code?Can I have a Windows 2000 client logon to a Samba +controlled domain?
CVS
What are the different Samba branches available in CVS ?
What are the CVS commands ?
3. Establishing Connections
How do I get my NT4 or W2000 Workstation to login to the Samba controlled Domain?How do I get my NT4 or W2000 Workstation to login to the Samba +controlled Domain?
What is a 'machine account' ?
"The machine account for this computer either does not exist or is not accessable.""The machine account for this computer either does not +exist or is not accessable."
How do I create machine accounts manually ?
I cannot include a '$' in a machine name.
I get told "You already have a connection to the Domain...." when creating a - machine account.I get told "You already have a connection to the Domain...." +when creating a machine account.
I get told "Cannot join domain, the credentials supplied conflict - with an existing set.."I get told "Cannot join domain, the credentials supplied +conflict with an existing set.."
"The system can not log you on (C000019B)...."
4. User Account Management
Domain Admins
How do I configure an account as a domain administrator?
Profiles
Why is it bad to set "logon path = \\%N\%U\profile" in smb.conf? ?Why is it bad to set "logon path = \\%N\%U\profile" in +smb.conf?
Why are all the users listed in the "domain admin users" using the same profile?Why are all the users listed in the "domain admin users" using the +same profile?
The roaming profiles do not seem to be updating on the server.The roaming profiles do not seem to be updating on the +server.
Policies
What are 'Policies' ?.
I can't get system policies to work.
What about Windows NT Policy Editor ?
Can Win95 do Policies ?
Passwords
What is password sync and should I use it ?
How do I get remote password (unix and SMB) changing working ?
5. Miscellaneous
What editor can I use in DOS/Windows that won't mess with my unix EOFWhat editor can I use in DOS/Windows that won't +mess with my unix EOF
How do I get 'User Manager' and 'Server Manager'
The time setting from a Samba server does not work.
"trust account xxx should be in DOMAIN_GROUP_RID_USERS"
How do I get my samba server to become a member ( not PDC ) of an NT domain?
6. Troubleshooting and Bug Reporting
Diagnostic tools
What are some diagnostics tools I can use to debug the domain logon process and where can I find them?
How do I install 'Network Monitor' on an NT Workstation or a Windows 9x box?How do I install 'Network Monitor' on an NT Workstation +or a Windows 9x box?
What other help can I get ?
URLs and similar
How do I get help from the mailing lists ?
How do I get off the mailing lists ?

Chapter 1. Introduction

State of Play

It should be noted that 2.2.0 in its pre-release form still has a few problems, - I'll try and keep this section current while things are still dynamic. - At the time of this update (December 15, 2000) the current state of play is :

Comments here about W2K joining the domain apply only to Samba 2.2 from the CVS after November 27th. The - 'snapshot' release Samba2.2alpha1 does not work !!! See below on how to get a CVS tree.

Known Bug !W2K machines will not successfully join a domain with a name that - is made up from an even number of characters. Yep, thats right ! BIOTEST is OK as is MYDOMAI - but MYDOMAIN will not work until this bug is fixed. Hmm.., we believe - that this bug is fixed, but see below.

Known Bug !After some bugs were fixed just before - Christmas, W2K SP1 machines cannot join the domain. Expected to be - fixed early in the new year. Whats that ? yeah, samba developers - have a Christmas break too !

Know Bug !NTs (and possibly W2K ?) are not told the logged on user is a domain - admin if the parameter "domain admin users = user" is used. The alternative, "domain admin group" - does work. See the HowTo.

Client Side creation of Machine accounts does work but is not complete. - Firstly, the add user script runs as the user who's - name was entered, not as root. Secondly, the machine name passed to the script (%U) - has an underscore at the end, not a '$'. One alternative is to use %m and add the $. - This method is documented in the HowTo. - And thirdly, it does not work with NT4ws. -

A W2K machine can join the domain. See the HowTo - which explains the process. The methods - described are 'work arounds' and should be regarded as temporary. Although I (drb) - have tested these procedures a number of people have had difficulty so there - may be other issues at work. JFM is aware of these - problems and will attend to them when he can.

A Domain Admin account is required and at present it appears that only root - is a suitable candidate.

Much of the related code does work. For example, if an NT is removed from the domain and then rejoins, the

Actually I'm - not sure that last paragraph is correct ....

Policies do work on a W2K machine. MS says that recent builds of - W2K dont observe an NT policy but it appears it does in 'legacy' mode.

do work on a W2K machine. MS says that recent + builds of W2K dont observe an NT policy but it appears it does in 'legacy' + mode.

Introduction

This FAQ was origionally compiled by Jerry Carter (gc) chiefly dealing with the 'old head' - version of Samba and its NTDomain facilities. It is being rewritten by David Bannon (drb) - so that it addresses more accurately the Samba 2.2 planned for release late 2000.

This FAQ was origionally compiled by Jerry Carter (gc) chiefly dealing + with the 'old HEAD' version of Samba and its NTDomain facilities. It is + being rewritten by David Bannon (drb) so that it addresses more + accurately the Samba 2.2.x release. +

This document probably still contains some material that does not apply to - Samba 2.2 but most (all?) of the really misleading stuff has been removed. Some - issues are not dealt with or are dealt with badly. Please send corrections and additions to - David Bannon at D.Bannon@latrobe.edu.au

This document probably still contains some material that does not apply + to Samba 2.2 but most (all?) of the really misleading stuff has been + removed. Some issues are not dealt with or are dealt with badly. Please + send corrections and additions to David Bannon. +

Hopefully, as we all become familiar with the Samba 2.2 as a PDC this document will - become much more usefull.

Hopefully, as we all become familiar with the Samba 2.2 as a + PDC this document will become much more usefull.

Chapter 2. General Information

What can we do ?

What can Samba Primary Domain Controller (PDC) do ?What can Samba 2.2.x Primary Domain Controller (PDC) do ?

If you wish to have Samba act as a PDC for Windows NT 3.51.and 4.0 or W2000 client, then you - will need to obtain the 2.2.0 version, currently in pre-release. Release of a stable, - full featured Samba PDC is currently slated for version 3.0.

If you wish to have Samba act as a PDC for Windows NT 4.0/2000 client, + then you will need to obtain the 2.2.0 version. Release of a stable, + full featured Samba PDC is currently slated for version 3.0. +

The following is a list of included features currently in Samba 2.2:

The following is a list of included features currently in + Samba 2.2: +

  • The ability to act as a limited PDC for Windows NT and W2000 clients. - This includes adding NT and W2K machines to the domain and authenticating users logging - into the domain.

    The ability to act as a limited PDC for + Windows NT and W2000 clients. This includes adding NT and + W2K machines to the domain and authenticating users logging + into the domain.

  • Domain account can be viewed using the User Manager for - Domains ????

    Domain account can be viewed using the User + Manager for Domains

  • Viewing resources on the Samba PDC via the Server Manager for Domains - from the NT client. ??

    Viewing/adding/deleting resources on the Samba + PDC via the Server Manager for Domains from the NT client. +

  • Windows 95 clients will allow user level security to be set - but will not currently allow browsing of accounts.

    Windows 95/98/ME clients will allow user + level security to be set and browsing of domain accounts. +

  • Changing of user passwords from an NT client.

  • Partial support for Windows NT group and username mapping.

  • Support for a LDAP password database backend.

    Changing of user passwords from an NT client. +

  • Printing.

    Partial support for Windows NT username mapping. + Group name mapping is slated for a later release.

These things are note expected to work in the forseeable future: +

These things are note expected to work in the forseeable future

  • PDC and BDC integration

  • Windows NT ACLs (on the Samba shares)

  • Offer a list of domain users to User Manager for Domains - (or the Security Tab etc).

Can I have a Windows 2000 client logon to a Samba controlled domain?Can I have a Windows 2000 client logon to a Samba +controlled domain?

The 2.2 release branch of Samba supports Windows 2000 domain - clients in legacy mode, ie as if the PDC is a NTServer, not a - W2K server.

What's the status of print spool (spoolss) support in the NTDOM code?

The implementation of support for SPOOLSS pipe is complete and it will be available - in the 2.2.0 release. This means that Samba will support the automatic downloading of printer - drivers for Windows NT clients just as it currently does for Windows 9x clients.

The 2.2 release branch of Samba supports Windows 2000 domain + clients in legacy mode, ie as if the PDC is a NTServer, not a + W2K server. +

CVS

CVS is a programme (publically available) that the Samba developers use to - maintain the central source code. Non developers can get access to the source in - a read only capacity. Many flavours of unix now arrive with cvs installed.

CVS is a programme (publically available) that the Samba developers + use to maintain the central source code. Non developers can get + access to the source in a read only capacity. Many flavours of unix + now arrive with cvs installed.

What are the different Samba branches available in CVS ?

You can find out more about obtaining Samba's via - anonymous CVS from - You can find out more about obtaining Samba's via anonymous + CVS from http://pserver.samba.org/samba/cvs.html".

http://pserver.samba.org/samba/cvs.html. +

There are basically four branches to watch at the moment : +

There are basically four branches to watch at the moment :

HEAD

Samba 3.0 ? This code boasts all the main development - work in Samba. Two things that most people are not aware of - which live in the HEAD branch code are winbind NSS module and - Tim Potter's VFS implementation. Due to its developmental +>Samba 3.0 ? This code boasts all the main + development work in Samba. Due to its developmental nature, its not really suitable for production work. -

SAMBA_2_0

This branch contains the current stable release release. - At the moment it contains 2.0.7, a version that will do some - limited PDC stuff. If you are really going to do PDC things then - I (drb) suggest that you consider 2.2 instead. -

This branch contains the previous stable + release. At the moment it contains 2.0.8, a version that + will do some limited PDC stuff. If you are really going to + do PDC things, you consider 2.2 instead. +

SAMBA_2_2

The next stable release, currently in a 'alpha' form. - It provides the Samba developers, testers and interested - people with an approximation of what is to come. This document - addresses only SAMBA_2_2. -

The 2.2.x release branch which is a subset + of the features of the HEAD branch. This document addresses + only SAMBA_2_2. +

SAMBA_TNG

This branch is no longer maintained from the Samba sites. - Please see This branch is no longer maintained from the Samba + sites. Please see http://www.samba-tng.org/. It has been requested - that questions about TNG are not posted to the regular Samba mailing - lists including samba-ntdom and samba-technical. -

What are the CVS commands ?

See See http://pserver.samba.org/samba/cvs.html

To get the Samba 2.2 version, tag SAMBA_2_2 you would do :

  • For example : cd /usr/local/src/

  • cvs -d :pserver:cvs@pserver.samba.org:/cvsroot - login

  • When prompted enter a password of cvs

  • cvs -d :pserver:cvs@pserver.samba.org:/cvsroot - co -r SAMBA_2_2 samba

Then to update that directory at some later time,

  • cd /usr/local/src/samba

  • cvs -d :pserver:cvs@pserver.samba.org:/cvsroot login

  • When prompted enter a password of 'cvs'.

  • cvs update -d -P

for instructions + on obtaining the SAMBA_2_2 or HEAD cvs code. +

Chapter 3. Establishing Connections

How do I get my NT4 or W2000 Workstation to login to the Samba controlled Domain?How do I get my NT4 or W2000 Workstation to login to the Samba +controlled Domain?

There is a comprehensive Samba PDC There is a comprehensive Samba PDC HowTo - accessable from the samba web site - under 'Documentation'. Its currently located at http://bioserve.latrobe.edu.au/samba. Read it.

HOWTO accessable from the samba web + site under 'Documentation'. Read it. +

What is a 'machine account' ?

Every NT, W2K or Samba machine that joins a Samba controlled domain must be known to - the Samba PDC. There are two entries required, one in (typically) Every NT, W2K or Samba machine that joins a Samba controlled + domain must be known to the Samba PDC. There are two entries + required, one in (typically) /etc/passwd and the other in (typically) /usr/local/samba/private/smbpasswd. Under - some circumstances these entries are made . + Under some circumstances these entries are made + manually, the - , the HowTo discusses ways of creating them automatically.

HOWTO + discusses ways of creating them automatically.

"The machine account for this computer either does not exist or is not accessable.""The machine account for this computer either does not +exist or is not accessable."

When I try to join the domain I get the message "The machine account for this computer - either does not exist or is not accessable". Whats wrong ?

When I try to join the domain I get the message "The machine account + for this computer either does not exist or is not accessable". Whats + wrong ? +

This problem is caused by the PDC not having a suitable machine account. +> This problem is caused by the PDC not having a suitable machine account. If you are using the add user script = method to create accounts - then this would indicate that it has not worked. Ensure the domain admin user - system is working.

Alternatively if you are creating account entries manually then they have not been created - correctly. Make sure that you have the entry correct for the machine account in smbpasswd - file on the Samba PDC. If you added the account using an editor rather than using the smbpasswd utility, - make sure that the account name is the machine netbios name with a '$' appended to it - ( ie. computer_name$ ). There must be an entry in both /etc/passwd and - the smbpasswd file. Some people have reported that - inconsistent subnet masks between the Samba server and the NT client have caused this problem. - Make sure that these are consistent for both client and server.

method to create + accounts then this would indicate that it has not worked. Ensure the domain + admin user system is working. +

Alternatively if you are creating account entries manually then they + have not been created correctly. Make sure that you have the entry + correct for the machine account in smbpasswd file on the Samba PDC. + If you added the account using an editor rather than using the smbpasswd + utility, make sure that the account name is the machine netbios name + with a '$' appended to it ( ie. computer_name$ ). There must be an entry + in both /etc/passwd and the smbpasswd file. Some people have reported + that inconsistent subnet masks between the Samba server and the NT + client have caused this problem. Make sure that these are consistent + for both client and server. +

How do I create machine accounts manually ?

This was the only option until recently, now in version 2.2 better means are available. - You might still need to do it manually for a couple of reasons. A machine account - consists of two entries (assuming a standard install and /etc/passwd use), - one in /etc/passwd and the other in /usr/local/samba/private/smbpasswd. The /etc/passwd - entry will list the machine name with a $ appended, won't have a passwd, will have a null - shell and no home directory. For example a machine called 'doppy' would have an /etc/passwd - entry like this :

This was the only option until recently, now in version 2.2 better + means are available. You might still need to do it manually for a + couple of reasons. A machine account consists of two entries (assuming + a standard install and /etc/passwd use), one in /etc/passwd and the + other in /usr/local/samba/private/smbpasswd. The /etc/passwd + entry will list the machine name with a $ appended, won't have a + passwd, will have a null shell and no home directory. For example + a machine called 'doppy' would have an /etc/passwd entry like this :

doppy$:x:505:501:NTMachine:/dev/null:/bin/false

+

On a linux system for example, you would typically add it like this :

On a linux system for example, you would typically add it like + this : +

adduser -g machines -c NTMachine -d /dev/null -s /bin/false -n - doppy$

+

Then you need to add that entry to smbpasswd, assuming you have a suitable +> Then you need to add that entry to smbpasswd, assuming you have a suitable path to the smbpasswd programme, do this :

programme, do this : +

smbpasswd -a -m doppy$

+

The entry will be created with a well known password, so any machine that - says its doppy could join the domain as long as it gets in first. So don't create - the accounts any earlier than you need them.

The entry will be created with a well known password, so any machine that + says its doppy could join the domain as long as it gets in first. So + don't create the accounts any earlier than you need them. +

I cannot include a '$' in a machine name.

A 'machine name' in (typically) A 'machine name' in (typically) /etc/passwd consists - of the machine name with a '$' appended. FreeBSD (and other BSD systems ?) - won't create a user with a '$' in their name.

The problem is only in the program used to make the entry, once made, it works - perfectly. So create a user without the '$' and use The problem is only in the program used to make the entry, once + made, it works perfectly. So create a user without the '$' and + use vipw to edit - the entry, adding the '$'. Or create the whole entry with vipw if you like, - make sure you use a unique uid !

to edit the entry, adding the '$'. Or create + the whole entry with vipw if you like, make sure you use a + unique uid !

I get told "You already have a connection to the Domain...." when creating a - machine account.I get told "You already have a connection to the Domain...." +when creating a machine account.

This happens if you try to create a machine account from the machine itself - and use a user name that does not work (for whatever reason) and then try - another (possibly valid) user name. - Exit out of the network applet to close the initial connection and try again.

This happens if you try to create a machine account from the + machine itself and use a user name that does not work (for whatever + reason) and then try another (possibly valid) user name. + Exit out of the network applet to close the initial connection + and try again. +

Further, if the machine is a already a 'member of a workgroup' that is the - same name as the domain you are joining (bad idea) you will get this message. - Change the workgroup name to something else, it does not matter what, reboot, - and try again.

Further, if the machine is a already a 'member of a workgroup' that + is the same name as the domain you are joining (bad idea) you will + get this message. Change the workgroup name to something else, it + does not matter what, reboot, and try again.

I get told "Cannot join domain, the credentials supplied conflict - with an existing set.."I get told "Cannot join domain, the credentials supplied +conflict with an existing set.."

This is the same basic problem as mentioned above, "You already have a connection..."

This is the same basic problem as mentioned above, "You already have a connection..." +

"The system can not log you on (C000019B)...."

I joined the domain successfully but after upgrading to a newer version of the - Samba code I get the message, "The system can not log you on (C000019B), Please try a - gain or consult your system administrator" when attempting to logon.

I joined the domain successfully but after upgrading + to a newer version of the Samba code I get the message, "The system + can not log you on (C000019B), Please try a gain or consult your + system administrator" when attempting to logon. +

This occurs when the domain SID stored in private/WORKGROUP.SID is changed. - For example, you remove the file and smbd automatically creates a new one. - Or you are swapping back and forth between versions 2.0.7, TNG and the HEAD branch - code (not recommended). The only way to correct the problem is to restore the - original domain SID or remove the domain client from the domain and rejoin.

This occurs when the domain SID stored in private/WORKGROUP.SID is + changed. For example, you remove the file and smbd automatically + creates a new one. Or you are swapping back and forth between + versions 2.0.7, TNG and the HEAD branch code (not recommended). The + only way to correct the problem is to restore the original domain + SID or remove the domain client from the domain and rejoin. +

Chapter 4. User Account Management

Domain Admins

How do I configure an account as a domain administrator?

See the NTDom See the NTDom HowTo.

. +

Profiles

Why is it bad to set "logon path = \\%N\%U\profile" in smb.conf? ?Why is it bad to set "logon path = \\%N\%U\profile" in +smb.conf?

Sometimes Windows clients will maintain a connection to the \\homes\ ( or [%U] ) share - even after the user has logged out. Consider the following scenario.

Sometimes Windows clients will maintain a connection to + the \\homes\ ( or [%U] ) share even after the user has logged out. + Consider the following scenario. +

  • user1 logs into the Windows NT machine. Therefore the - [homes] share is set to \\server\user1.

    user1 logs into the Windows NT machine. + Therefore the [homes] share is set to \\server\user1. +

  • user1 works for a while and then logs out.

    user1 works for a while and then logs + out.

  • user2 logs into the same Windows NT machine.

    user2 logs into the same Windows NT + machine.

However, since the NT box has maintained a connection to [homes] which was - previously set to \\server\user1, when the operating system attempts to - get the profile and if it can read users1's profile, will get it otherwise it - will return an error. You get the picture.

A better solution is to use a separate [profiles] share and set the - "logon path = \\%N\profiles\%U"

However, since the NT box has maintained a connection to [homes] + which was previously set to \\server\user1, when the operating system + attempts to get the profile and if it can read users1's profile, will + get it otherwise it will return an error. You get the picture. +

Note: Is this still a problem ????

A better solution is to use a separate [profiles] share and + set the "logon path = \\%N\profiles\%U" +

Why are all the users listed in the "domain admin users" using the same profile?Why are all the users listed in the "domain admin users" using the +same profile?

You are using a very very old development version of Samba. Upgrade.

You are using a very very old development version of Samba. + Upgrade. +

The roaming profiles do not seem to be updating on the server.The roaming profiles do not seem to be updating on the +server.

There can be several reasons for this.

There can be several reasons for this. +

Make sure that the time on the client and the PDC are synchronized. You can accomplish - this by executing a Make sure that the time on the client and the PDC are synchronized. You + can accomplish this by executing a net time \\server /set /yes replacing server with the - name of your PDC (or another synchronized SMB server). See about Setting Time

+ replacing server with the name of your PDC (or another synchronized SMB server). + See about Setting Time +

Make sure that the - logon path is writeable by the user and make sure that the connection to the logon - path location is by the current user. Sometimes Windows client do not drop the - connection immediately upon logoff.

Make sure that the "logon path" is writeable by the user and make sure + that the connection to the logon path location is by the current user. + Sometimes Windows client do not drop the connection immediately upon + logoff. +

Some people have reported that the logon path location should also be browseable. - I (GC) have yet to emperically verify this, but you can try.

Some people have reported that the logon path location should + also be browseable. I (GC) have yet to emperically verify this, + but you can try.

Policies

What are 'Policies' ?.

When a user logs onto the domain via a client machine, the PDC sends - the client machine a list of things contained in the 'policy' (if it exists). - This list may do things like suppress a splach screen, format the dates the way you - like them or perhaps remove locally stored profiles.

When a user logs onto the domain via a client machine, the PDC + sends the client machine a list of things contained in the + 'policy' (if it exists). This list may do things like suppress + a splach screen, format the dates the way you like them or perhaps + remove locally stored profiles. +

On a samba PDC this list is obtained from a file called ntconfig.pol - and located in the [netlogon]share. The file is created with a policy editor - and must be readable by anyone and writeable by only root. See On a samba PDC this list is obtained from a file called + ntconfig.pol and located in the [netlogon] + share. The file is created with a policy editor and must be readable + by anyone and writeable by only root. See below for how to get a suitable editor.

for how to get a suitable editor. +

I can't get system policies to work.

There are two possible reasons for system policies not functioning correctly. - Make sure that you have the following parameters set in smb.conf

There are two possible reasons for system policies not + functioning correctly. Make sure that you have the following + parameters set in smb.conf + 

	[netlogon]
@@ -1235,66 +1099,71 @@ CLASS="PROGRAMLISTING"
 	browseable = yes
 	....

A policy file must be in the [netlogon] share and must be - readable by everyone and writeable by only root. The file must be created - by an NTServer Policy Editor.

A policy file must be in the [netlogon] share and must be + readable by everyone and writeable by only root. The file + must be created by an NTServer Policy + Editor. +

Last time I (drb) looked in the source, it was - looking for Last time I (drb) looked in the source, it was looking for + ntconfig.pol first then several other combinations of upper - and lower case. People have reported success using first then several other + combinations of upper and lower case. People have reported + success using NTconfig.pol, - , NTconfig.POL and + and ntconfig.pol. These are the case - settings that I (GC) use with the - filename . These are the case settings that + I (GC) use with the filename ntconfig.pol

: + 

        case sensitive = no
         case preserve = yes
+		short preserve case = no
         default case = yes
-

What about Windows NT Policy Editor ?

To create or edit ntconfig.pol you must use the NT Server - Policy Editor, To create or edit ntconfig.pol you must use + the NT Server Policy Editor, poledit.exe which is included with NT Server - but which + is included with NT Server but not NT Workstation. There is a Policy Editor on a NTws +>. + There is a Policy Editor on a NTws but it is not suitable for creating Domain Policiesc:\winnt\inf which is where the binary will look for them unless told otherwise. Note also that that - directory is 'hidden'.

The Windows NT policy editor is also included with the Service Pack 3 (and later) for Windows NT 4.0. Extract the files using @@ -1324,13 +1194,13 @@ CLASS="COMMAND" >servicepackname /x, ie thats Nt4sp6ai.exe /x - for service pack 6a. - The policy editor, Nt4sp6ai.exe + /x for service pack 6a. The policy editor, poledt.exe and the associated template files (*.adm) should +> and the + associated template files (*.adm) should be extracted as well. It is also possible to downloaded the policy template files for Office97 and get a copy of the policy editor. Another possible location is with the Zero Administration Kit available for download from Microsoft. @@ -1341,24 +1211,28 @@ CLASS="SECT2" >

Can Win95 do Policies ?

Install the group policy handler for Win9x to pick up group policies. - Look on the Win98 CD in Install the group policy handler for Win9x to pick up group + policies. Look on the Win98 CD in \tools\reskit\netadmin\poledit. Install group policies on a Win9x client by double-clicking +>\tools\reskit\netadmin\poledit. + Install group policies on a Win9x client by double-clicking grouppol.inf. Log off and on again a couple of times and see if - Win98 picks up group policies. - Unfortunately this needs to be done on every Win9x machine that uses group policies....

. Log off and on again a couple of + times and see if Win98 picks up group policies. Unfortunately this needs + to be done on every Win9x machine that uses group policies.... +

If group policies don't work one reports suggests getting the updated (read: working) - grouppol.dll for Windows 9x. The group list is grabbed from /etc/group.

If group policies don't work one reports suggests getting the updated + (read: working) grouppol.dll for Windows 9x. The group list is grabbed + from /etc/group. +

Passwords

What is password sync and should I use it ?

NTws users can change their domain password by pressing Ctrl-Alt-Del and - choosing 'Change Password'. By default however, this does not change the unix password +> NTws users can change their domain password by pressing Ctrl-Alt-Del + and choosing 'Change Password'. By default however, this does not change the unix password (typically in /etc/passwd or /etc/shadow). In lots of situations - thats OK, for example :

/etc/passwd or /etc/shadow). + In lots of situations thats OK, for example : +

  • The server is only accessible to the user via samba.

    The server is only accessible to the user via + samba.

But sometimes you really do need to maintain two seperate password databases and - there are good reasons to keep then in sync. Trying to explain to users - that they need to change their passwords in two seperate places or use - two seperate passwords is not fun.

But sometimes you really do need to maintain two seperate password + databases and there are good reasons to keep then in sync. Trying + to explain to users that they need to change their passwords in two + seperate places or use two seperate passwords is not fun. +

However do understand that setting up password sync is not without problems either. - The chief difficulty is the interface between Samba and the However do understand that setting up password sync is not without + problems either. The chief difficulty is the interface between Samba + and the passwd command, - it can be a fiddle to set up and if the password the user has entered fails, - the resulting errors are ambiguously reported - and the user is confused. Further, you need to take steps to ensure that users - only ever change their passwords via samba (or use command, it can be a fiddle to set + up and if the password the user has entered fails, the resulting errors + are ambiguously reported and the user is confused. Further, you need + to take steps to ensure that users only ever change their passwords + via samba (or use smbpasswd), - otherwise they will only be changing the unix password.

), otherwise they will + only be changing the unix password.

How do I get remote password (unix and SMB) changing working ?

Have a practice changing a user's password (as root) to see what - discussion takes place and change the text in the 'passwd chat' line below as necessary. The - line as shown works for recent RH Linux but most other systems seem to like to do something - different. The '*' is a wild card and will match anything (or nothing). +> Have a practice changing a user's password (as root) to see + what discussion takes place and change the text in the 'passwd chat' + line below as necessary. The line as shown works for recent RH Linux + but most other systems seem to like to do something different. The '*' is + a wild card and will match anything (or nothing). +

Add these lines to smb.conf under [Global]

Add these lines to smb.conf under [Global]

 
@@ -1442,10 +1326,13 @@ CLASS="PROGRAMLISTING"
    		passwd program = /usr/bin/passwd %u
    		passwd chat = *password* %n\n *password* %n\n *successful*

As mentioned above, the change to the unix password - happens as root, not as the user, as is indicated in ~/smbd/chgpasswd.c If - you are using NIS, the Samba server must be running on the NIS master machine.

As mentioned above, the change to the unix password happens as root, + not as the user, as is indicated in ~/smbd/chgpasswd.c If + you are using NIS, the Samba server must be running on the NIS + master machine. +

Chapter 5. Miscellaneous

What editor can I use in DOS/Windows that won't mess with my unix EOFWhat editor can I use in DOS/Windows that won't +mess with my unix EOF

There are a number of Windows or DOS based editors that will understand, and - leave intact, the unix eof (as opposed to a DOS CL/LF). List members suggested :

There are a number of Windows or DOS based editors that will + understand, and leave intact, the unix eof (as opposed to a DOS CL/LF). + List members suggested : +

How do I get 'User Manager' and 'Server Manager'

Since I don't need to buy an NT Server CD now, how do I get the 'User Manager for - Domains', the 'Server Manager' ?

Since I don't need to buy an NT Server CD now, how do I get + the 'User Manager for Domains', the 'Server Manager' ? +

Microsoft distributes a version of + these tools called nexus for installation on Windows 95 systems. The + tools set includes +

Microsoft distributes a version of these tools called nexus - for installation on Windows 95 systems. The tools set includes

Click here to download the archived file - Click here to download the archived file ftp://ftp.microsoft.com/Softlib/MSLFILES/NEXUS.EXE

ftp://ftp.microsoft.com/Softlib/MSLFILES/NEXUS.EXE +

The Windows NT 4.0 version of the 'User Manager for Domains' - and 'Server Manager' are available from Microsoft via ftp from - The Windows NT 4.0 version of the 'User Manager for + Domains' and 'Server Manager' are available from Microsoft via ftp + from ftp://ftp.microsoft.com/Softlib/MSLFILES/SRVTOOLS.EXE

ftp://ftp.microsoft.com/Softlib/MSLFILES/SRVTOOLS.EXE +

The time setting from a Samba server does not work.

"trust account xxx should be in DOMAIN_GROUP_RID_USERS"

How do I get my samba server to become a member ( not PDC ) of an NT domain?

In a domain that has a number of servers you only need one password database. - The machines that don't have their own ask the PDC to check for them. - This will work fine for a domain controlled by either a Samba or NT machine. - The following lines in smb.conf are typical, 'password server' points to the - samba machine (or an NT) that has the password list : 

 
-
-		[global]
-		...
-		security = domain
-		workgroup = { Put your domain name here }
-		password server = { Put the ip of the PDC here }
-		encrypt passwords = yes
-		...	
-

The samba server in question will have to 'join the domain', that requires - the domain controller to have a machine account for it. This is no different - to the machine account requirements to allow a NTws to join the domain. For - example, if we want a unix box called sleepy to ask the PDC called grumpy - to do its authentication then grumpy will need an entry in its smbpasswd - (assuming it's also samba) that starts with sleepy$. It would have to be - created manually.

If the domain is controlled by an NTServer then the "Server Manager for Domains" - tool must be used to add 'sleepy' to the domain list.

In either case we then join the domain. If the domain is called forest - then on sleepy we would join the domain by typing :

smbpasswd -j forest

Note that the directory where the smbpasswd file would be - located should exist as this is where smbd will generate the MACHINE.SID file. This - might be /usr/local/samba/private/FOREST.SLEEPY.SID and - it contains the trust account password for the domain member. The permissions are - (and should remain) "rw-------

Note the Samba Servers without the password list will most likely still need an account - for each user, this means a line in its /etc/passwd. Because authentication - is being handled at the domain level the - /etc/passwd line does not need a password. - If the shares being offered are not user specific, ie a common (read only ?) - area or perhaps just printing then the user's - /etc/passwd does not need a home directory. A typical - line in /etc/passwd for a server that allows domain users to - connect to the samba shares but does not offer a home share ('cos that's on the PDC) - and does not allow logon to the unix prompt would be like this :

jblow:x:542:100:Joe Blow:/dev/null:/bin/false

  • When removing those 'dummy' users, watch the 'remove user' scripts, - some OS think they should remove a users directory even when its not owned by the user ! +> Please refer to the Domain Member + HOWTO for more information on this.

  • The username map = parameter might help you to avoid having - all those accounts created.

  • You should investigate the smb.conf parameter - 'add user script', it will be used to create accounts on - secondary servers when that account already exists on the PDC. Very nice. - Something like :

        [Global]
-    ....
-    add user script = /usr/sbin/adduser -n -g users -c User -d /dev/null -s /bin/false %U	
-    ....
-

Chapter 6. Troubleshooting and Bug Reporting

Diagnostic tools

What are some diagnostics tools I can use to debug the domain logon process and where can I find them?

One of the best diagnostic tools for debugging problems is Samba itself. You can use the -d - option for both smbd and nmbd to specifiy what 'debug level' at which to run. See the man - pages on smbd, nmbd and smb.conf for more information on debugging options. The debug - level can range from 1 (the default) to around 100 but a debug level of about 20 will - normally help you find any errors that samba is encountering. Another helpful method - of debugging is to compile samba using the gcc -g flag. This will include debug - information in the binaries and allow you to attch gdb to the running smbd / nmbd - process. In order to attach gdb to an smbd process for an NT workstation, first - get the workstation to make the connection. Pressing ctrl-alt-delete and going down - to the domain box is sufficient (at least, on the first time you join the domain) to - generate a 'LsaEnumTrustedDomains'. Thereafter, the workstation maintains an open - connection, and therefore there will be an smbd process running (assuming that you - haven't set a really short smbd idle timeout) So, in between pressing ctrl alt - delete, and actually typing in your password, you can gdb attach and continue.

One of the best diagnostic tools for debugging problems is Samba itself. + You can use the -d option for both smbd and nmbd to specifiy what + 'debug level' at which to run. See the man pages on smbd, nmbd and + smb.conf for more information on debugging options. The debug + level can range from 1 (the default) to 10 (100 for debugging passwords). +

Another helpful method of debugging is to compile samba using the + gcc -g flag. This will include debug + information in the binaries and allow you to attch gdb to the + running smbd / nmbd process. In order to attach gdb to an smbd + process for an NT workstation, first get the workstation to make the + connection. Pressing ctrl-alt-delete and going down to the domain box + is sufficient (at least, on the first time you join the domain) to + generate a 'LsaEnumTrustedDomains'. Thereafter, the workstation + maintains an open connection, and therefore there will be an smbd + process running (assuming that you haven't set a really short smbd + idle timeout) So, in between pressing ctrl alt delete, and actually + typing in your password, you can gdb attach and continue. +

Some usefull samba commands worth investigating: +

Some usefull samba commands worth investigating:

An SMB enabled version of tcpdump is available from +> An SMB enabled version of tcpdump is available from ftp://samba.org/pub/samba/tcpdump-smb/ -

Capconvert is a small C program for translating output from tcpdump-smb to CAP format - that can be read by netmon. You will need to use the raw output from tcp dump - ( ie. tcpdump -w output.dump ). Good news! Now you can convert - Solaris' snoop output as well. The C source code for snoop2cap is available for download. -

http://www.tcpdup.org/. + Ethereal, another good packet sniffer for UNIX and Win32 + hosts, can be downloaded from http://www.ethereal.com. +

For tracing things on the Microsoft Windows NT, Network Monitor (aka. netmon) is available - on the Microsoft Developer Network CD's, the Windows NT Server install CD and the SMS CD's. - The version of netmon that ships with SMS allows for dumping packets between any two - computers (ie. placing the network interface in promiscuous mode). The version - on the NT Server install CD will only allow monitoring of network traffic directed to the - local NT box and broadcasts on the local subnet.

For tracing things on the Microsoft Windows NT, Network Monitor + (aka. netmon) is available on the Microsoft Developer Network CD's, + the Windows NT Server install CD and the SMS CD's. The version of + netmon that ships with SMS allows for dumping packets between any two + computers (ie. placing the network interface in promiscuous mode). + The version on the NT Server install CD will only allow monitoring + of network traffic directed to the local NT box and broadcasts on the + local subnet. Be aware that Ethereal can read and write netmon + formatted files. +

How do I install 'Network Monitor' on an NT Workstation or a Windows 9x box?How do I install 'Network Monitor' on an NT Workstation +or a Windows 9x box?

Installing netmon on an NT workstation requires a couple of steps. The following - are for installing Netmon V4.00.349, which comes with Microsoft Windows NT Server - 4.0, on Microsoft Windows NT Workstation 4.0. The process should be similar - for other version of Windows NT / Netmon. You will need both the Microsoft Windows - NT Server 4.0 Install CD and the Workstation 4.0 Install CD.

Installing netmon on an NT workstation requires a couple + of steps. The following are for installing Netmon V4.00.349, which comes + with Microsoft Windows NT Server 4.0, on Microsoft Windows NT + Workstation 4.0. The process should be similar for other version of + Windows NT / Netmon. You will need both the Microsoft Windows + NT Server 4.0 Install CD and the Workstation 4.0 Install CD. +

Initially you will need to install 'Network Monitor Tools and Agent' on the - NT Server. To do this

Initially you will need to install 'Network Monitor Tools and Agent' + on the NT Server. To do this +

  • Goto Start - Settings - Control Panel - Network - Services - Add

    Goto Start - Settings - Control Panel - + Network - Services - Add

  • Select the 'Network Monitor Tools and Agent' and click on 'OK'.

    Select the 'Network Monitor Tools and Agent' and + click on 'OK'.

  • Click 'OK' on the Network Control Panel.

    Click 'OK' on the Network Control Panel. +

  • Insert the Windows NT Server 4.0 install CD when prompted.

    Insert the Windows NT Server 4.0 install CD + when prompted.

At this point the Netmon files should exist in At this point the Netmon files should exist in + %SYSTEMROOT%\System32\netmon\*.*. Two subdirectories exist as well, parsers\ which contains the necessary DLL's - for parsing the netmon packet dump, and + which contains the necessary DLL's for parsing the netmon packet + dump, and captures\.

. +

In order to install the Netmon tools on an NT Workstation, you will first need to - install the 'Network Monitor Agent' from the Workstation install CD.

In order to install the Netmon tools on an NT Workstation, you will + first need to install the 'Network Monitor Agent' from the Workstation + install CD. +

  • Goto Start - Settings - Control Panel - Network - Services - Add

    Goto Start - Settings - Control Panel - + Network - Services - Add

  • Select the 'Network Monitor Agent' and click on 'OK'.

    Select the 'Network Monitor Agent' and click + on 'OK'.

  • Click 'OK' on the Network Control Panel.

    Click 'OK' on the Network Control Panel. +

  • Insert the Windows NT Workstation 4.0 install CD when prompted.

    Insert the Windows NT Workstation 4.0 install + CD when prompted.

Now copy the files from the NT Server in %SYSTEMROOT%\System32\netmon\*.* to - %SYSTEMROOT%\System32\netmon\*.* on the Workstation and set permissions as - you deem appropriate for your site. You will need administrative rights on the - NT box to run netmon.

Now copy the files from the NT Server in %SYSTEMROOT%\System32\netmon\*.* + to %SYSTEMROOT%\System32\netmon\*.* on the Workstation and set + permissions as you deem appropriate for your site. You will need + administrative rights on the NT box to run netmon. +

To install Netmon on a Windows 9x box install the network monitor agent from - the Windows 9x CD (\admin\nettools\netmon). - There is a readme file located with the netmon driver files on the CD if you need - information on how to do this. Copy the files from a working Netmon installation.

To install Netmon on a Windows 9x box install the network monitor agent + from the Windows 9x CD (\admin\nettools\netmon). There is a readme + file located with the netmon driver files on the CD if you need + information on how to do this. Copy the files from a working + Netmon installation. +

What other help can I get ?

There are many sources of information available in the form of mailing lists, RFC's - and documentation. The docs that come with the samba distribution contain very - good explanations of general SMB topics such as browsing.

There are many sources of information available in the form + of mailing lists, RFC's and documentation. The docs that come + with the samba distribution contain very good explanations of + general SMB topics such as browsing.

URLs and similar

There are a number of documents that no longer appear to live at their - origional home. Any one know where the following may be found ?

  • CIFS/E Browser Protocol draft-leach-cifs-browser-spec-00.txt

  • CIFS Remote Administration Protocol draft-leach-cifs-rap-spec-00.txt

  • CIFS Logon and Pass Through Authentication draft-leach-cifs-logon-spec-00.txt

  • A Common Internet File System (CIFS/1.0) Protocol draft-leach-cifs-v1-spec-01.txt

  • CIFS Printing Specification draft-leach-cifs-print-spec-00.txt

  • RFC1001 (March '87) Protocol standard for a NetBIOS service on a TCP/UDP transport: Concepts and methods. - http://ds.internic.net/rfc/rfc1001.txt

  • RFC1002 (March '87) Protocol standard for a NetBIOS service on a TCP/UDP transport: Detailed specifications. - http://ds.internic.net/rfc/rfc1002.txt

  • Microsoft's main CIFS page: http://www.microsoft.com/workshop/networking/cifs/

You should also refer to the MS archives at + ftp://ftp.microsoft.com/developr/drg/CIFS/" +

How do I get help from the mailing lists ?

How do I get off the mailing lists ?

To have your name removed from a samba mailing list, go to the same place you went to to get on it. Go to http://samba.org, click on your nearest mirror - and then click on http://lists.samba.org, click + on your nearest mirror and then click on Support and then click on and + then click on Samba related mailing lists Samba related mailing lists. Or perhaps see here

Please don't post messages to the list asking to be removed, you will just +> Please don't post messages to the list asking to be removed, you will just be refered to the above address (unless that process failed in some way...)