This is the FAQ for Samba 2.2 as an NTDomain controller. This document is derived from the origional FAQ that was built and maintained by Gerald Carter from the early days of Samba NTDomain development up until recently. It is now being updated as significent changes are made to 2.2.0.
Please note it does not apply to the SAMBA_TNG nor the HEAD branch.
Also available is a Samba 2.2 PDC HOWTO that takes you, step by step, over the process of setting up a very basic Samba 2.2 Primary Domain Controller
Much of the related code does work. For example, if an NT is removed from the domain and then rejoins, the Create a Computer Account in the Domain dialog will let you reset the smbpasswd. That is you don't need to do it from the unix box. However, at the present, you do need to have root as an administrator and use the root user name and password.
Policies do work on a W2K machine. MS says that recent builds of W2K dont observe an NT policy but it appears it does in 'legacy' mode.
This FAQ was origionally compiled by Jerry Carter (gc) chiefly dealing with the 'old HEAD' version of Samba and its NTDomain facilities. It is being rewritten by David Bannon (drb) so that it addresses more accurately the Samba 2.2.x release.
This document probably still contains some material that does not apply to Samba 2.2 but most (all?) of the really misleading stuff has been removed. Some issues are not dealt with or are dealt with badly. Please send corrections and additions to David Bannon.
Hopefully, as we all become familiar with the Samba 2.2 as a PDC this document will become much more usefull.
If you wish to have Samba act as a PDC for Windows NT 4.0/2000 client, then you will need to obtain the 2.2.0 version. Release of a stable, full featured Samba PDC is currently slated for version 3.0.
The following is a list of included features currently in Samba 2.2:
The ability to act as a limited PDC for Windows NT and W2000 clients. This includes adding NT and W2K machines to the domain and authenticating users logging into the domain.
Domain account can be viewed using the User Manager for Domains
Viewing/adding/deleting resources on the Samba PDC via the Server Manager for Domains from the NT client.
Windows 95/98/ME clients will allow user level security to be set and browsing of domain accounts.
Machine account password updates.
Changing of user passwords from an NT client.
Partial support for Windows NT username mapping. Group name mapping is slated for a later release.
These things are note expected to work in the forseeable future:
Trust relationships
PDC and BDC integration
The 2.2 release branch of Samba supports Windows 2000 domain clients in legacy mode, ie as if the PDC is a NTServer, not a W2K server.
CVS is a programme (publically available) that the Samba developers use to maintain the central source code. Non developers can get access to the source in a read only capacity. Many flavours of unix now arrive with cvs installed.
You can find out more about obtaining Samba's via anonymous CVS from http://pserver.samba.org/samba/cvs.html.
There are basically four branches to watch at the moment :
Samba 3.0 ? This code boasts all the main development work in Samba. Due to its developmental nature, its not really suitable for production work.
This branch contains the previous stable release. At the moment it contains 2.0.8, a version that will do some limited PDC stuff. If you are really going to do PDC things, you consider 2.2 instead.
The 2.2.x release branch which is a subset of the features of the HEAD branch. This document addresses only SAMBA_2_2.
This branch is no longer maintained from the Samba sites. Please see http://www.samba-tng.org/. It has been requested that questions about TNG are not posted to the regular Samba mailing lists including samba-ntdom and samba-technical.
See http://pserver.samba.org/samba/cvs.html for instructions on obtaining the SAMBA_2_2 or HEAD cvs code.
There is a comprehensive Samba PDC HOWTO accessable from the samba web site under 'Documentation'. Read it.
Every NT, W2K or Samba machine that joins a Samba controlled domain must be known to the Samba PDC. There are two entries required, one in (typically) /etc/passwd and the other in (typically) /usr/local/samba/private/smbpasswd. Under some circumstances these entries are made manually, the HOWTO discusses ways of creating them automatically.
When I try to join the domain I get the message "The machine account for this computer either does not exist or is not accessable". Whats wrong ?
This problem is caused by the PDC not having a suitable machine account. If you are using the add user script = method to create accounts then this would indicate that it has not worked. Ensure the domain admin user system is working.
Alternatively if you are creating account entries manually then they have not been created correctly. Make sure that you have the entry correct for the machine account in smbpasswd file on the Samba PDC. If you added the account using an editor rather than using the smbpasswd utility, make sure that the account name is the machine netbios name with a '$' appended to it ( ie. computer_name$ ). There must be an entry in both /etc/passwd and the smbpasswd file. Some people have reported that inconsistent subnet masks between the Samba server and the NT client have caused this problem. Make sure that these are consistent for both client and server.
This was the only option until recently, now in version 2.2 better means are available. You might still need to do it manually for a couple of reasons. A machine account consists of two entries (assuming a standard install and /etc/passwd use), one in /etc/passwd and the other in /usr/local/samba/private/smbpasswd. The /etc/passwd entry will list the machine name with a $ appended, won't have a passwd, will have a null shell and no home directory. For example a machine called 'doppy' would have an /etc/passwd entry like this :
doppy$:x:505:501:NTMachine:/dev/null:/bin/false
On a linux system for example, you would typically add it like this :
adduser -g machines -c NTMachine -d /dev/null -s /bin/false -n doppy$
Then you need to add that entry to smbpasswd, assuming you have a suitable path to the smbpasswd programme, do this :
smbpasswd -a -m doppy$
The entry will be created with a well known password, so any machine that says its doppy could join the domain as long as it gets in first. So don't create the accounts any earlier than you need them.
A 'machine name' in (typically) /etc/passwd consists of the machine name with a '$' appended. FreeBSD (and other BSD systems ?) won't create a user with a '$' in their name.
The problem is only in the program used to make the entry, once made, it works perfectly. So create a user without the '$' and use vipw to edit the entry, adding the '$'. Or create the whole entry with vipw if you like, make sure you use a unique uid !
This happens if you try to create a machine account from the machine itself and use a user name that does not work (for whatever reason) and then try another (possibly valid) user name. Exit out of the network applet to close the initial connection and try again.
Further, if the machine is a already a 'member of a workgroup' that is the same name as the domain you are joining (bad idea) you will get this message. Change the workgroup name to something else, it does not matter what, reboot, and try again.
This is the same basic problem as mentioned above, "You already have a connection..."
I joined the domain successfully but after upgrading to a newer version of the Samba code I get the message, "The system can not log you on (C000019B), Please try a gain or consult your system administrator" when attempting to logon.
This occurs when the domain SID stored in private/WORKGROUP.SID is changed. For example, you remove the file and smbd automatically creates a new one. Or you are swapping back and forth between versions 2.0.7, TNG and the HEAD branch code (not recommended). The only way to correct the problem is to restore the original domain SID or remove the domain client from the domain and rejoin.
Sometimes Windows clients will maintain a connection to the \\homes\ ( or [%U] ) share even after the user has logged out. Consider the following scenario.
user1 logs into the Windows NT machine. Therefore the [homes] share is set to \\server\user1.
user1 works for a while and then logs out.
user2 logs into the same Windows NT machine.
However, since the NT box has maintained a connection to [homes] which was previously set to \\server\user1, when the operating system attempts to get the profile and if it can read users1's profile, will get it otherwise it will return an error. You get the picture.
A better solution is to use a separate [profiles] share and set the "logon path = \\%N\profiles\%U"
You are using a very very old development version of Samba. Upgrade.
There can be several reasons for this.
Make sure that the time on the client and the PDC are synchronized. You can accomplish this by executing a net time \\server /set /yes replacing server with the name of your PDC (or another synchronized SMB server). See about Setting Time
Make sure that the "logon path" is writeable by the user and make sure that the connection to the logon path location is by the current user. Sometimes Windows client do not drop the connection immediately upon logoff.
Some people have reported that the logon path location should also be browseable. I (GC) have yet to emperically verify this, but you can try.
When a user logs onto the domain via a client machine, the PDC sends the client machine a list of things contained in the 'policy' (if it exists). This list may do things like suppress a splach screen, format the dates the way you like them or perhaps remove locally stored profiles.
On a samba PDC this list is obtained from a file called ntconfig.pol and located in the [netlogon] share. The file is created with a policy editor and must be readable by anyone and writeable by only root. See below for how to get a suitable editor.
There are two possible reasons for system policies not functioning correctly. Make sure that you have the following parameters set in smb.conf
[netlogon] .... locking = no public = no browseable = yes ....
A policy file must be in the [netlogon] share and must be readable by everyone and writeable by only root. The file must be created by an NTServer Policy Editor.
Last time I (drb) looked in the source, it was looking for ntconfig.pol first then several other combinations of upper and lower case. People have reported success using NTconfig.pol, NTconfig.POL and ntconfig.pol. These are the case settings that I (GC) use with the filename ntconfig.pol:
case sensitive = no case preserve = yes short preserve case = no default case = yes
To create or edit ntconfig.pol you must use the NT Server Policy Editor, poledit.exe which is included with NT Server but not NT Workstation. There is a Policy Editor on a NTws but it is not suitable for creating Domain Policies. Further, although the Windows 95 Policy Editor can be installed on an NT Workstation/Server, it will not work with NT policies because the registry key that are set by the policy templates. However, the files from the NT Server will run happily enough on an NTws. You need poledit.exe, common.adm and winnt.adm. It is convenient to put the two *.adm files in c:\winnt\inf which is where the binary will look for them unless told otherwise. Note also that that directory is 'hidden'.
The Windows NT policy editor is also included with the Service Pack 3 (and later) for Windows NT 4.0. Extract the files using servicepackname /x, ie thats Nt4sp6ai.exe /x for service pack 6a. The policy editor, poledt.exe and the associated template files (*.adm) should be extracted as well. It is also possible to downloaded the policy template files for Office97 and get a copy of the policy editor. Another possible location is with the Zero Administration Kit available for download from Microsoft.
Install the group policy handler for Win9x to pick up group policies. Look on the Win98 CD in \tools\reskit\netadmin\poledit. Install group policies on a Win9x client by double-clicking grouppol.inf. Log off and on again a couple of times and see if Win98 picks up group policies. Unfortunately this needs to be done on every Win9x machine that uses group policies....
If group policies don't work one reports suggests getting the updated (read: working) grouppol.dll for Windows 9x. The group list is grabbed from /etc/group.
NTws users can change their domain password by pressing Ctrl-Alt-Del and choosing 'Change Password'. By default however, this does not change the unix password (typically in /etc/passwd or /etc/shadow). In lots of situations thats OK, for example :
The server is only accessible to the user via samba.
Pam_smb or similar is installed so other applications still refer to the samba password.
But sometimes you really do need to maintain two seperate password databases and there are good reasons to keep then in sync. Trying to explain to users that they need to change their passwords in two seperate places or use two seperate passwords is not fun.
However do understand that setting up password sync is not without problems either. The chief difficulty is the interface between Samba and the passwd command, it can be a fiddle to set up and if the password the user has entered fails, the resulting errors are ambiguously reported and the user is confused. Further, you need to take steps to ensure that users only ever change their passwords via samba (or use smbpasswd), otherwise they will only be changing the unix password.
Have a practice changing a user's password (as root) to see what discussion takes place and change the text in the 'passwd chat' line below as necessary. The line as shown works for recent RH Linux but most other systems seem to like to do something different. The '*' is a wild card and will match anything (or nothing).
Add these lines to smb.conf under [Global]
unix password sync = true passwd program = /usr/bin/passwd %u passwd chat = *password* %n\n *password* %n\n *successful*
As mentioned above, the change to the unix password happens as root, not as the user, as is indicated in ~/smbd/chgpasswd.c If you are using NIS, the Samba server must be running on the NIS master machine.
There are a number of Windows or DOS based editors that will understand, and leave intact, the unix eof (as opposed to a DOS CL/LF). List members suggested :
UltraEdit at www.ultraedit.com
VI for windows at home.snafu.de/ramo/WinViEn.htm
The author prefers PFE at www.lancs.ac.uk/people/cpaap/pfe/ but its no longer being developed...
Since I don't need to buy an NT Server CD now, how do I get the 'User Manager for Domains', the 'Server Manager' ?
Microsoft distributes a version of these tools called nexus for installation on Windows 95 systems. The tools set includes
Server Manager
User Manager for Domains
Event Viewer
Click here to download the archived file ftp://ftp.microsoft.com/Softlib/MSLFILES/NEXUS.EXE
The Windows NT 4.0 version of the 'User Manager for Domains' and 'Server Manager' are available from Microsoft via ftp from ftp://ftp.microsoft.com/Softlib/MSLFILES/SRVTOOLS.EXE
If it works OK when you log on as Domain Admin then the problem is that ordinary users don't have permission to change the time. (The system is running with their permission at logon time.) This is not a Samba problem, you will have the same problem where ever you connect. You can give 'everyone' permission to change the time from the User Manager.
Anyone know what the registry settings are so this could be done with a Policy ?
I keep getting the message "trust account xxx should be in DOMAIN_GROUP_RID_USERS." in the logs. What do I need to do?
You are using one of the old development versions. Upgrade. (The message is unimportant, was a reminder to a developer)
Please refer to the Domain Member HOWTO for more information on this.
One of the best diagnostic tools for debugging problems is Samba itself. You can use the -d option for both smbd and nmbd to specifiy what 'debug level' at which to run. See the man pages on smbd, nmbd and smb.conf for more information on debugging options. The debug level can range from 1 (the default) to 10 (100 for debugging passwords).
Another helpful method of debugging is to compile samba using the gcc -g flag. This will include debug information in the binaries and allow you to attch gdb to the running smbd / nmbd process. In order to attach gdb to an smbd process for an NT workstation, first get the workstation to make the connection. Pressing ctrl-alt-delete and going down to the domain box is sufficient (at least, on the first time you join the domain) to generate a 'LsaEnumTrustedDomains'. Thereafter, the workstation maintains an open connection, and therefore there will be an smbd process running (assuming that you haven't set a really short smbd idle timeout) So, in between pressing ctrl alt delete, and actually typing in your password, you can gdb attach and continue.
Some usefull samba commands worth investigating:
testparam | more
smbclient -L //{netbios name of server}
An SMB enabled version of tcpdump is available from http://www.tcpdup.org/. Ethereal, another good packet sniffer for UNIX and Win32 hosts, can be downloaded from http://www.ethereal.com.
For tracing things on the Microsoft Windows NT, Network Monitor (aka. netmon) is available on the Microsoft Developer Network CD's, the Windows NT Server install CD and the SMS CD's. The version of netmon that ships with SMS allows for dumping packets between any two computers (ie. placing the network interface in promiscuous mode). The version on the NT Server install CD will only allow monitoring of network traffic directed to the local NT box and broadcasts on the local subnet. Be aware that Ethereal can read and write netmon formatted files.
Installing netmon on an NT workstation requires a couple of steps. The following are for installing Netmon V4.00.349, which comes with Microsoft Windows NT Server 4.0, on Microsoft Windows NT Workstation 4.0. The process should be similar for other version of Windows NT / Netmon. You will need both the Microsoft Windows NT Server 4.0 Install CD and the Workstation 4.0 Install CD.
Initially you will need to install 'Network Monitor Tools and Agent' on the NT Server. To do this
Goto Start - Settings - Control Panel - Network - Services - Add
Select the 'Network Monitor Tools and Agent' and click on 'OK'.
Click 'OK' on the Network Control Panel.
Insert the Windows NT Server 4.0 install CD when prompted.
At this point the Netmon files should exist in %SYSTEMROOT%\System32\netmon\*.*. Two subdirectories exist as well, parsers\ which contains the necessary DLL's for parsing the netmon packet dump, and captures\.
In order to install the Netmon tools on an NT Workstation, you will first need to install the 'Network Monitor Agent' from the Workstation install CD.
Goto Start - Settings - Control Panel - Network - Services - Add
Select the 'Network Monitor Agent' and click on 'OK'.
Click 'OK' on the Network Control Panel.
Insert the Windows NT Workstation 4.0 install CD when prompted.
Now copy the files from the NT Server in %SYSTEMROOT%\System32\netmon\*.* to %SYSTEMROOT%\System32\netmon\*.* on the Workstation and set permissions as you deem appropriate for your site. You will need administrative rights on the NT box to run netmon.
To install Netmon on a Windows 9x box install the network monitor agent from the Windows 9x CD (\admin\nettools\netmon). There is a readme file located with the netmon driver files on the CD if you need information on how to do this. Copy the files from a working Netmon installation.
There are many sources of information available in the form of mailing lists, RFC's and documentation. The docs that come with the samba distribution contain very good explanations of general SMB topics such as browsing.
Home of Samba site http://samba.org. We have a mirror near you !
The Development document on the Samba mirrors might mention your problem. If so, it might mean that the developers are working on it.
Ignacio Coupeau has a very comprehesive look at LDAP with Samba at http://www.unav.es/cti/ldap-smb-howto.html Be a little carefull however, I suspect that it does not specificly address samba 2.2.x. The HEAD pre-2.1 may possibly be the best stream to look at.
Lars Kneschke's site covers Samba-TNG at http://www.kneschke.de/projekte/samba_tng, but again, a lot of it does not apply to the main stream Samba.
See how Scott Merrill simulates a BDC behaviour at http://www.skippy.net/linux/smb-howto.html.
Although 2.0.7 has almost had its day as a PDC, I (drb) will keep the 2.0.7 PDC pages at http://bioserve.latrobe.edu.au/samba going for a while yet.
Misc links to CIFS information http://samba.org/cifs/
NT Domains for Unix http://mailhost.cb1.com/~lkcl/ntdom/
FTP site for older SMB specs: ftp://ftp.microsoft.com/developr/drg/CIFS/
You should also refer to the MS archives at ftp://ftp.microsoft.com/developr/drg/CIFS/"
There are a number of Samba related mailing lists. Go to http://samba.org, click on your nearest mirror and then click on Support and then click on Samba related mailing lists.
For questions relating to Samba TNG go to http://www.samba-tng.org/ It has been requested that you don't post questions about Samba-TNG to the main stream Samba lists.
If you post a message to one of the lists please observe the following guide lines :
Always remember that the developers are volunteers, they are not paid and they never guarantee to produce a particular feature at a particular time. Any time lines are 'best guess' and nothing more.
Always mention what version of samba you are using and what operating system its running under. You should probably list the relevant sections of your smb.conf file, at least the options in [global] that affect PDC support.
In addition to the version, if you obtained Samba via CVS mention the date when you last checked it out.
Try and make your question clear and brief, lots of long, convoluted questions get deleted before they are completely read ! Don't post html encoded messages (if you can select colour or font size its html).
If you run one of those niffy 'I'm on holidays' things when you are away, make sure its configured to not answer mailing lists.
Don't cross post. Work out which is the best list to post to and see what happens, ie don't post to both samba-ntdom and samba-technical. Many people active on the lists subscribe to more than one list and get annoyed to see the same message two or more times. Often someone will see a message and thinking it would be better dealt with on another, will forward it on for you.
You might include partial log files written at a debug level set to as much as 20. Please don't send the entire log but enough to give the context of the error messages.
(Possibly) If you have a complete netmon trace ( from the opening of the pipe to the error ) you can send the *.CAP file as well.
Please think carefully before attaching a document to an email. Consider pasting the relevant parts into the body of the message. The samba mailing lists go to a huge number of people, do they all need a copy of your smb.conf in their attach directory ?
To have your name removed from a samba mailing list, go to the same place you went to to get on it. Go to http://lists.samba.org, click on your nearest mirror and then click on Support and then click on Samba related mailing lists. Or perhaps see here
Please don't post messages to the list asking to be removed, you will just be refered to the above address (unless that process failed in some way...)