From 20967627378194121bc48bf387838b8bd7682478 Mon Sep 17 00:00:00 2001 From: Jelmer Vernooij Date: Tue, 18 Mar 2003 16:48:14 +0000 Subject: Regenerate (This used to be commit 25db62e3101dbcae8e9daee3cb16430297afa223) --- docs/htmldocs/samba-pdc.html | 266 +++++++++++++++++++------------------------ 1 file changed, 118 insertions(+), 148 deletions(-) (limited to 'docs/htmldocs/samba-pdc.html') diff --git a/docs/htmldocs/samba-pdc.html b/docs/htmldocs/samba-pdc.html index 63a52129d0..7c4caf4f30 100644 --- a/docs/htmldocs/samba-pdc.html +++ b/docs/htmldocs/samba-pdc.html @@ -5,7 +5,7 @@ >Samba as a NT4 or Win2k Primary Domain Controller

5.1. Prerequisite Reading

5.1. Prerequisite Reading

Before you continue reading in this chapter, please make sure that you are comfortable with configuring basic files services @@ -108,9 +108,9 @@ CLASS="SECT1" >

5.2. Background

5.2. Background

5.3. Configuring the Samba Domain Controller

5.3. Configuring the Samba Domain Controller

The first step in creating a working Samba PDC is to understand the parameters necessary in smb.conf. I will not @@ -288,21 +288,17 @@ CLASS="PROGRAMLISTING" HREF="smb.conf.5.html#NETBIOSNAME" TARGET="_top" >netbios name = = POGOPOGO workgroup = = NARNIANARNIA ; we should act as the domain and local master browser @@ -392,11 +388,9 @@ TARGET="_top" HREF="smb.conf.5.html#WRITELIST" TARGET="_top" >write list = = ntadminntadmin ; share for storing user profiles @@ -472,10 +466,10 @@ CLASS="SECT1" >

5.4. Creating Machine Trust Accounts and Joining Clients to the -Domain

A machine trust account is a Samba account that is used to authenticate a client machine (rather than a user) to the Samba @@ -546,9 +540,9 @@ CLASS="SECT2" >

5.4.1. Manual Creation of Machine Trust Accounts

5.4.1. Manual Creation of Machine Trust Accounts

The first step in manually creating a machine trust account is to manually create the corresponding Unix account in @@ -563,55 +557,45 @@ CLASS="COMMAND" used to create new Unix accounts. The following is an example for a Linux based Samba server:

root# root# /usr/sbin/useradd -g 100 -d /dev/null -c /usr/sbin/useradd -g 100 -d /dev/null -c "machine -nickname" -s /bin/false -s /bin/false machine_namemachine_name$

root# root# passwd -l passwd -l machine_namemachine_name$

On *BSD systems, this can be done using the 'chpass' utility:

root# root# chpass -a "chpass -a "machine_name$:*:101:100::0:0:Workstation machine_name$:*:101:100::0:0:Workstation machine_namemachine_name:/dev/null:/sbin/nologin"

doppy$:x:505:501:doppy$:x:505:501:machine_nicknamemachine_nickname:/dev/null:/bin/false

Above, Above, machine_nicknamemachine_nickname can be any descriptive name for the client, i.e., BasementComputer. -machine_namemachine_name absolutely must be the NetBIOS name of the client to be joined to the domain. The "$" must be appended to the NetBIOS name of the client or Samba will not recognize @@ -665,24 +643,20 @@ CLASS="COMMAND" > command as shown here:

root# root# smbpasswd -a -m smbpasswd -a -m machine_namemachine_name

where where machine_namemachine_name is the machine's NetBIOS name. The RID of the new machine account is generated from the UID of the corresponding Unix account.

5.4.2. "On-the-Fly" Creation of Machine Trust Accounts

5.4.2. "On-the-Fly" Creation of Machine Trust Accounts

The second (and recommended) way of creating machine trust accounts is simply to allow the Samba server to create them as needed when the client @@ -764,7 +738,7 @@ be created manually.

[global]
-   # <...remainder of parameters...>
+   # <...remainder of parameters...>
    add user script = /usr/sbin/useradd -d /dev/null -g 100 -s /bin/false -M %u 
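
Review bot: the only changed line in this hunk, the "# <...remainder of parameters...>" comment under [global], shows the same text on its "-" and "+" sides, so the regeneration altered how the angle brackets are encoded, not the wording. Please confirm the new output still writes them as character entities inside the program listing; a literal "<...remainder" would be parsed as a tag and the placeholder would disappear from the rendered smb.conf example that ends with the add user script line. The "DOMAIN<1c>" line in the 5.8 hunk changes in the same way and needs the same check.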

5.4.3. Joining the Client to the Domain

5.4.3. Joining the Client to the Domain

The procedure for joining a client to the domain varies with the version of Windows.

5.5. Common Problems and Errors

5.5. Common Problems and Errors

C:\WINNT\>C:\WINNT\> net use * /d

This problem is caused by the PDC not having a suitable machine trust account. - If you are using the add user scriptadd user script method to create accounts then this would indicate that it has not worked. Ensure the domain admin user system is working. @@ -1010,11 +982,9 @@ CLASS="COMMAND"

In order to work around this problem in 2.2.0, configure the - accountaccount control flag in

5.6. System Policies and Profiles

5.6. System Policies and Profiles

Much of the information necessary to implement System Policies and Roving User Profiles in a Samba domain is the same as that for @@ -1228,9 +1198,9 @@ CLASS="SECT1" >

5.7. What other help can I get?

5.7. What other help can I get?

There are many sources of information available in the form of mailing lists, RFC's and documentation. The docs that come @@ -1648,9 +1618,9 @@ CLASS="SECT1" >

5.8. Domain Control for Windows 9x/ME

5.8. Domain Control for Windows 9x/ME

  • The client broadcasts (to the IP broadcast address of the subnet it is in) - a NetLogon request. This is sent to the NetBIOS name DOMAIN<1c> at the + a NetLogon request. This is sent to the NetBIOS name DOMAIN<1c> at the NetBIOS layer. The client chooses the first response it receives, which contains the NetBIOS name of the logon server to use in the format of \\SERVER. @@ -1782,9 +1752,9 @@ CLASS="SECT2" >

    5.8.1. Configuration Instructions: Network Logons

    5.8.1. Configuration Instructions: Network Logons

    The main difference between a PDC and a Windows 9x logon server configuration is that

    There are a few comments to make in order to tie up some loose ends. There has been much debate over the issue of whether or not it is ok to configure Samba as a Domain Controller in security -modes other than USERUSER. The only security mode -which will not work due to technical reasons is SHARESHARE -mode security. DOMAIN and DOMAIN and SERVERSERVER mode security is really just a variation on SMB user level security.

    5.8.2. Configuration Instructions: Setting up Roaming User Profiles

    5.8.2. Configuration Instructions: Setting up Roaming User Profiles

    5.8.2.1. Windows NT Configuration

    5.8.2.1. Windows NT Configuration

    To support WinNT clients, in the [global] section of smb.conf set the following (for example):

    5.8.2.2. Windows 9X Configuration

    5.8.2.2. Windows 9X Configuration

    To support Win9X clients, you must use the "logon home" parameter. Samba has now been fixed so that "net use/home" now works as well, and it, too, relies @@ -2023,9 +1993,9 @@ CLASS="SECT3" >

    5.8.2.3. Win9X and WinNT Configuration

    5.8.2.3. Win9X and WinNT Configuration

    You can support profiles for both Win9X and WinNT clients by setting both the "logon home" and "logon path" parameters. For example:

    5.8.2.4. Windows 9X Profile Setup

    5.8.2.4. Windows 9X Profile Setup

    When a user first logs in on Windows 9X, the file user.DAT is created, as are folders "Start Menu", "Desktop", "Programs" and "Nethood". @@ -2228,9 +2198,9 @@ CLASS="SECT3" >

    5.8.2.5. Windows NT Workstation 4.0

    5.8.2.5. Windows NT Workstation 4.0

    When a user first logs in to a Windows NT Workstation, the profile NTuser.DAT is created. The profile location can be now specified @@ -2342,9 +2312,9 @@ CLASS="SECT3" >

    5.8.2.6. Windows NT Server

    5.8.2.6. Windows NT Server

    There is nothing to stop you specifying any path that you like for the location of users' profiles. Therefore, you could specify that the @@ -2356,9 +2326,9 @@ CLASS="SECT3" >

    5.8.2.7. Sharing Profiles between W95 and NT Workstation 4.0

    5.8.2.7. Sharing Profiles between W95 and NT Workstation 4.0

    5.9. DOMAIN_CONTROL.txt : Windows NT Domain Control & Samba

    5.9. DOMAIN_CONTROL.txt : Windows NT Domain Control & Samba

    The registry files can be located on any Windows NT machine by opening a command prompt and typing:

    C:\WINNT\>C:\WINNT\> dir %SystemRoot%\System32\config

    The environment variable %SystemRoot% value can be obtained by typing:

    C:\WINNT>C:\WINNT>echo %SystemRoot%

    The active parts of the registry that you may want to be familiar with are -- cgit
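
Review bot: the subject line "Regenerate" does not say what docs/htmldocs/samba-pdc.html was regenerated from or with which tool, and the section-heading hunks (5.1 through 5.9) remove and re-add headings whose text is unchanged, so the 118 insertions and 148 deletions cannot be checked from the diff alone. Suggest naming the source document and the generator or stylesheet change in the commit message, so that a reviewer can tell markup churn apart from a content edit in the passages administrators copy from, such as the machine trust account commands in 5.4.1 and the add user script example in 5.4.2.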