Chapter 6. How to Configure Samba as a NT4 Primary Domain Controller

6.1. Prerequisite Reading

Before you continue reading in this chapter, please make sure that you are comfortable with configuring basic files services in smb.conf and how to enable and administer password encryption in Samba. Theses two topics are covered in the smb.conf(5) manpage and the Encryption chapter of this HOWTO Collection.

6.2. Background

Note

Author's Note: This document is a combination of David Bannon's "Samba 2.2 PDC HOWTO" and "Samba NT Domain FAQ". Both documents are superseded by this one.

Versions of Samba prior to release 2.2 had marginal capabilities to act as a Windows NT 4.0 Primary Domain Controller (PDC). With Samba 2.2.0, we are proud to announce official support for Windows NT 4.0-style domain logons from Windows NT 4.0 and Windows 2000 clients. This article outlines the steps necessary for configuring Samba as a PDC. It is necessary to have a working Samba server prior to implementing the PDC functionality. If you have not followed the steps outlined in UNIX_INSTALL.html, please make sure that your server is configured correctly before proceeding. Another good resource in the smb.conf(5) man page. The following functionality should work in 2.2:

The following pieces of functionality are not included in the 2.2 release:

Please note that Windows 9x clients are not true members of a domain for reasons outlined in this article. Therefore the protocol for support Windows 9x-style domain logons is completely different from NT4 domain logons and has been officially supported for some time.

Implementing a Samba PDC can basically be divided into 2 broad steps.

  1. Configuring the Samba PDC

  2. Creating machine trust accounts and joining clients to the domain

There are other minor details such as user profiles, system policies, etc... However, these are not necessarily specific to a Samba PDC as much as they are related to Windows NT networking concepts. They will be mentioned only briefly here.

6.3. Configuring the Samba Domain Controller

The first step in creating a working Samba PDC is to understand the parameters necessary in smb.conf. I will not attempt to re-explain the parameters here as they are more that adequately covered in the smb.conf man page. For convenience, the parameters have been linked with the actual smb.conf description.

Here is an example smb.conf for acting as a PDC:

[global]
    ; Basic server settings
    netbios name = POGO
    workgroup = NARNIA

    ; we should act as the domain and local master browser
    os level = 64
    preferred master = yes
    domain master = yes
    local master = yes
    
    ; security settings (must user security = user)
    security = user
    
    ; encrypted passwords are a requirement for a PDC
    encrypt passwords = yes
    
    ; support domain logons
    domain logons = yes
    
    ; where to store user profiles?
    logon path = \\%N\profiles\%u
    
    ; where is a user's home directory and where should it
    ; be mounted at?
    logon drive = H:
    logon home = \\homeserver\%u
    
    ; specify a generic logon script for all users
    ; this is a relative **DOS** path to the [netlogon] share
    logon script = logon.cmd

; necessary share for domain controller
[netlogon]
    path = /usr/local/samba/lib/netlogon
    read only = yes
    write list = ntadmin
    
; share for storing user profiles
[profiles]
    path = /export/smb/ntprofile
    read only = no
    create mask = 0600
    directory mask = 0700

There are a couple of points to emphasize in the above configuration.

As Samba 2.2 does not offer a complete implementation of group mapping between Windows NT groups and Unix groups (this is really quite complicated to explain in a short space), you should refer to the domain admin group smb.conf parameter for information of creating "Domain Admins" style accounts.

6.4. Creating Machine Trust Accounts and Joining Clients to the Domain

A machine trust account is a Samba account that is used to authenticate a client machine (rather than a user) to the Samba server. In Windows terminology, this is known as a "Computer Account."

The password of a machine trust account acts as the shared secret for secure communication with the Domain Controller. This is a security feature to prevent an unauthorized machine with the same NetBIOS name from joining the domain and gaining access to domain user/group accounts. Windows NT and 2000 clients use machine trust accounts, but Windows 9x clients do not. Hence, a Windows 9x client is never a true member of a domain because it does not possess a machine trust account, and thus has no shared secret with the domain controller.

A Windows PDC stores each machine trust account in the Windows Registry. A Samba PDC, however, stores each machine trust account in two parts, as follows:

There are two ways to create machine trust accounts:

6.4.1. Manual Creation of Machine Trust Accounts

The first step in manually creating a machine trust account is to manually create the corresponding Unix account in /etc/passwd. This can be done using vipw or other 'add user' command that is normally used to create new Unix accounts. The following is an example for a Linux based Samba server:

root# /usr/sbin/useradd -g 100 -d /dev/null -c "machine nickname" -s /bin/false machine_name$

root# passwd -l machine_name$

On *BSD systems, this can be done using the 'chpass' utility:

root# chpass -a "machine_name$:*:101:100::0:0:Workstation machine_name:/dev/null:/sbin/nologin"

The /etc/passwd entry will list the machine name with a "$" appended, won't have a password, will have a null shell and no home directory. For example a machine named 'doppy' would have an /etc/passwd entry like this:

doppy$:x:505:501:machine_nickname:/dev/null:/bin/false

Above, machine_nickname can be any descriptive name for the client, i.e., BasementComputer. machine_name absolutely must be the NetBIOS name of the client to be joined to the domain. The "$" must be appended to the NetBIOS name of the client or Samba will not recognize this as a machine trust account.

Now that the corresponding Unix account has been created, the next step is to create the Samba account for the client containing the well-known initial machine trust account password. This can be done using the smbpasswd(8) command as shown here:

root# smbpasswd -a -m machine_name

where machine_name is the machine's NetBIOS name. The RID of the new machine account is generated from the UID of the corresponding Unix account.

WarningJoin the client to the domain immediately
 

Manually creating a machine trust account using this method is the equivalent of creating a machine trust account on a Windows NT PDC using the "Server Manager". From the time at which the account is created to the time which the client joins the domain and changes the password, your domain is vulnerable to an intruder joining your domain using a a machine with the same NetBIOS name. A PDC inherently trusts members of the domain and will serve out a large degree of user information to such clients. You have been warned!

6.4.2. "On-the-Fly" Creation of Machine Trust Accounts

The second (and recommended) way of creating machine trust accounts is simply to allow the Samba server to create them as needed when the client is joined to the domain.

Since each Samba machine trust account requires a corresponding Unix account, a method for automatically creating the Unix account is usually supplied; this requires configuration of the add user script option in smb.conf. This method is not required, however; corresponding Unix accounts may also be created manually.

Below is an example for a RedHat 6.2 Linux system.

[global]
   # <...remainder of parameters...>
   add user script = /usr/sbin/useradd -d /dev/null -g 100 -s /bin/false -M %u 

6.5. Common Problems and Errors

6.6. System Policies and Profiles

Much of the information necessary to implement System Policies and Roving User Profiles in a Samba domain is the same as that for implementing these same items in a Windows NT 4.0 domain. You should read the white paper Implementing Profiles and Policies in Windows NT 4.0 available from Microsoft.

Here are some additional details:

6.7. What other help can I get?

There are many sources of information available in the form of mailing lists, RFC's and documentation. The docs that come with the samba distribution contain very good explanations of general SMB topics such as browsing.

6.8. Domain Control for Windows 9x/ME

Note

The following section contains much of the original DOMAIN.txt file previously included with Samba. Much of the material is based on what went into the book Special Edition, Using Samba, by Richard Sharpe.

A domain and a workgroup are exactly the same thing in terms of network browsing. The difference is that a distributable authentication database is associated with a domain, for secure login access to a network. Also, different access rights can be granted to users if they successfully authenticate against a domain logon server (NT server and other systems based on NT server support this, as does at least Samba TNG now).

The SMB client logging on to a domain has an expectation that every other server in the domain should accept the same authentication information. Network browsing functionality of domains and workgroups is identical and is explained in BROWSING.txt. It should be noted, that browsing is totally orthogonal to logon support.

Issues related to the single-logon network model are discussed in this section. Samba supports domain logons, network logon scripts, and user profiles for MS Windows for workgroups and MS Windows 9X/ME clients which will be the focus of this section.

When an SMB client in a domain wishes to logon it broadcast requests for a logon server. The first one to reply gets the job, and validates its password using whatever mechanism the Samba administrator has installed. It is possible (but very stupid) to create a domain where the user database is not shared between servers, i.e. they are effectively workgroup servers advertising themselves as participating in a domain. This demonstrates how authentication is quite different from but closely involved with domains.

Using these features you can make your clients verify their logon via the Samba server; make clients run a batch file when they logon to the network and download their preferences, desktop and start menu.

Before launching into the configuration instructions, it is worthwhile lookingat how a Windows 9x/ME client performs a logon:

  1. The client broadcasts (to the IP broadcast address of the subnet it is in) a NetLogon request. This is sent to the NetBIOS name DOMAIN<1c> at the NetBIOS layer. The client chooses the first response it receives, which contains the NetBIOS name of the logon server to use in the format of \\SERVER.

  2. The client then connects to that server, logs on (does an SMBsessetupX) and then connects to the IPC$ share (using an SMBtconX).

  3. The client then does a NetWkstaUserLogon request, which retrieves the name of the user's logon script.

  4. The client then connects to the NetLogon share and searches for this and if it is found and can be read, is retrieved and executed by the client. After this, the client disconnects from the NetLogon share.

  5. The client then sends a NetUserGetInfo request to the server, to retrieve the user's home share, which is used to search for profiles. Since the response to the NetUserGetInfo request does not contain much more the user's home share, profiles for Win9X clients MUST reside in the user home directory.

  6. The client then connects to the user's home share and searches for the user's profile. As it turns out, you can specify the user's home share as a sharename and path. For example, \\server\fred\.profile. If the profiles are found, they are implemented.

  7. The client then disconnects from the user's home share, and reconnects to the NetLogon share and looks for CONFIG.POL, the policies file. If this is found, it is read and implemented.

6.8.1. Configuration Instructions: Network Logons

The main difference between a PDC and a Windows 9x logon server configuration is that

Therefore, a Samba PDC will also act as a Windows 9x logon server.

Warningsecurity mode and master browsers
 

There are a few comments to make in order to tie up some loose ends. There has been much debate over the issue of whether or not it is ok to configure Samba as a Domain Controller in security modes other than USER. The only security mode which will not work due to technical reasons is SHARE mode security. DOMAIN and SERVER mode security is really just a variation on SMB user level security.

Actually, this issue is also closely tied to the debate on whether or not Samba must be the domain master browser for its workgroup when operating as a DC. While it may technically be possible to configure a server as such (after all, browsing and domain logons are two distinctly different functions), it is not a good idea to so. You should remember that the DC must register the DOMAIN#1b NetBIOS name. This is the name used by Windows clients to locate the DC. Windows clients do not distinguish between the DC and the DMB. For this reason, it is very wise to configure the Samba DC as the DMB.

Now back to the issue of configuring a Samba DC to use a mode other than "security = user". If a Samba host is configured to use another SMB server or DC in order to validate user connection requests, then it is a fact that some other machine on the network (the "password server") knows more about user than the Samba host. 99% of the time, this other host is a domain controller. Now in order to operate in domain mode security, the "workgroup" parameter must be set to the name of the Windows NT domain (which already has a domain controller, right?)

Therefore configuring a Samba box as a DC for a domain that already by definition has a PDC is asking for trouble. Therefore, you should always configure the Samba DC to be the DMB for its domain.

6.8.2. Configuration Instructions: Setting up Roaming User Profiles

Warning

NOTE! Roaming profiles support is different for Win9X and WinNT.

Before discussing how to configure roaming profiles, it is useful to see how Win9X and WinNT clients implement these features.

Win9X clients send a NetUserGetInfo request to the server to get the user's profiles location. However, the response does not have room for a separate profiles location field, only the user's home share. This means that Win9X profiles are restricted to being in the user's home directory.

WinNT clients send a NetSAMLogon RPC request, which contains many fields, including a separate field for the location of the user's profiles. This means that support for profiles is different for Win9X and WinNT.

6.8.2.4. Windows 9X Profile Setup

When a user first logs in on Windows 9X, the file user.DAT is created, as are folders "Start Menu", "Desktop", "Programs" and "Nethood". These directories and their contents will be merged with the local versions stored in c:\windows\profiles\username on subsequent logins, taking the most recent from each. You will need to use the [global] options "preserve case = yes", "short preserve case = yes" and "case sensitive = no" in order to maintain capital letters in shortcuts in any of the profile folders.

The user.DAT file contains all the user's preferences. If you wish to enforce a set of preferences, rename their user.DAT file to user.MAN, and deny them write access to this file.

  1. On the Windows 95 machine, go to Control Panel | Passwords and select the User Profiles tab. Select the required level of roaming preferences. Press OK, but do _not_ allow the computer to reboot.

  2. On the Windows 95 machine, go to Control Panel | Network | Client for Microsoft Networks | Preferences. Select 'Log on to NT Domain'. Then, ensure that the Primary Logon is 'Client for Microsoft Networks'. Press OK, and this time allow the computer to reboot.

Under Windows 95, Profiles are downloaded from the Primary Logon. If you have the Primary Logon as 'Client for Novell Networks', then the profiles and logon script will be downloaded from your Novell Server. If you have the Primary Logon as 'Windows Logon', then the profiles will be loaded from the local machine - a bit against the concept of roaming profiles, if you ask me.

You will now find that the Microsoft Networks Login box contains [user, password, domain] instead of just [user, password]. Type in the samba server's domain name (or any other domain known to exist, but bear in mind that the user will be authenticated against this domain and profiles downloaded from it, if that domain logon server supports it), user name and user's password.

Once the user has been successfully validated, the Windows 95 machine will inform you that 'The user has not logged on before' and asks you if you wish to save the user's preferences? Select 'yes'.

Once the Windows 95 client comes up with the desktop, you should be able to examine the contents of the directory specified in the "logon path" on the samba server and verify that the "Desktop", "Start Menu", "Programs" and "Nethood" folders have been created.

These folders will be cached locally on the client, and updated when the user logs off (if you haven't made them read-only by then :-). You will find that if the user creates further folders or short-cuts, that the client will merge the profile contents downloaded with the contents of the profile directory already on the local client, taking the newest folders and short-cuts from each set.

If you have made the folders / files read-only on the samba server, then you will get errors from the w95 machine on logon and logout, as it attempts to merge the local and the remote profile. Basically, if you have any errors reported by the w95 machine, check the Unix file permissions and ownership rights on the profile directory contents, on the samba server.

If you have problems creating user profiles, you can reset the user's local desktop cache, as shown below. When this user then next logs in, they will be told that they are logging in "for the first time".

  1. instead of logging in under the [user, password, domain] dialog, press escape.

  2. run the regedit.exe program, and look in:

    HKEY_LOCAL_MACHINE\Windows\CurrentVersion\ProfileList

    you will find an entry, for each user, of ProfilePath. Note the contents of this key (likely to be c:\windows\profiles\username), then delete the key ProfilePath for the required user.

    [Exit the registry editor].

  3. WARNING - before deleting the contents of the directory listed in the ProfilePath (this is likely to be c:\windows\profiles\username), ask them if they have any important files stored on their desktop or in their start menu. delete the contents of the directory ProfilePath (making a backup if any of the files are needed).

    This will have the effect of removing the local (read-only hidden system file) user.DAT in their profile directory, as well as the local "desktop", "nethood", "start menu" and "programs" folders.

  4. search for the user's .PWL password-caching file in the c:\windows directory, and delete it.

  5. log off the windows 95 client.

  6. check the contents of the profile path (see "logon path" described above), and delete the user.DAT or user.MAN file for the user, making a backup if required.

If all else fails, increase samba's debug log levels to between 3 and 10, and / or run a packet trace program such as tcpdump or netmon.exe, and look for any error reports.

If you have access to an NT server, then first set up roaming profiles and / or netlogons on the NT server. Make a packet trace, or examine the example packet traces provided with NT server, and see what the differences are with the equivalent samba trace.

6.8.2.5. Windows NT Workstation 4.0

When a user first logs in to a Windows NT Workstation, the profile NTuser.DAT is created. The profile location can be now specified through the "logon path" parameter.

Note

[lkcl 10aug97 - i tried setting the path to \\samba-server\homes\profile, and discovered that this fails because a background process maintains the connection to the [homes] share which does _not_ close down in between user logins. you have to have \\samba-server\%L\profile, where user is the username created from the [homes] share].

There is a parameter that is now available for use with NT Profiles: "logon drive". This should be set to "h:" or any other drive, and should be used in conjunction with the new "logon home" parameter.

The entry for the NT 4.0 profile is a _directory_ not a file. The NT help on profiles mentions that a directory is also created with a .PDS extension. The user, while logging in, must have write permission to create the full profile path (and the folder with the .PDS extension) [lkcl 10aug97 - i found that the creation of the .PDS directory failed, and had to create these manually for each user, with a shell script. also, i presume, but have not tested, that the full profile path must be browseable just as it is for w95, due to the manner in which they attempt to create the full profile path: test existence of each path component; create path component].

In the profile directory, NT creates more folders than 95. It creates "Application Data" and others, as well as "Desktop", "Nethood", "Start Menu" and "Programs". The profile itself is stored in a file NTuser.DAT. Nothing appears to be stored in the .PDS directory, and its purpose is currently unknown.

You can use the System Control Panel to copy a local profile onto a samba server (see NT Help on profiles: it is also capable of firing up the correct location in the System Control Panel for you). The NT Help file also mentions that renaming NTuser.DAT to NTuser.MAN turns a profile into a mandatory one.

Note

[lkcl 10aug97 - i notice that NT Workstation tells me that it is downloading a profile from a slow link. whether this is actually the case, or whether there is some configuration issue, as yet unknown, that makes NT Workstation _think_ that the link is a slow one is a matter to be resolved].

[lkcl 20aug97 - after samba digest correspondence, one user found, and another confirmed, that profiles cannot be loaded from a samba server unless "security = user" and "encrypt passwords = yes" (see the file ENCRYPTION.txt) or "security = server" and "password server = ip.address. of.yourNTserver" are used. Either of these options will allow the NT workstation to access the samba server using LAN manager encrypted passwords, without the user intervention normally required by NT workstation for clear-text passwords].

[lkcl 25aug97 - more comments received about NT profiles: the case of the profile _matters_. the file _must_ be called NTuser.DAT or, for a mandatory profile, NTuser.MAN].

6.9. DOMAIN_CONTROL.txt : Windows NT Domain Control & Samba

WarningPossibly Outdated Material
 

This appendix was originally authored by John H Terpstra of the Samba Team and is included here for posterity.

NOTE : The term "Domain Controller" and those related to it refer to one specific method of authentication that can underly an SMB domain. Domain Controllers prior to Windows NT Server 3.1 were sold by various companies and based on private extensions to the LAN Manager 2.1 protocol. Windows NT introduced Microsoft-specific ways of distributing the user authentication database. See DOMAIN.txt for examples of how Samba can participate in or create SMB domains based on shared authentication database schemes other than the Windows NT SAM.

Windows NT Server can be installed as either a plain file and print server (WORKGROUP workstation or server) or as a server that participates in Domain Control (DOMAIN member, Primary Domain controller or Backup Domain controller). The same is true for OS/2 Warp Server, Digital Pathworks and other similar products, all of which can participate in Domain Control along with Windows NT.

To many people these terms can be confusing, so let's try to clear the air.

Every Windows NT system (workstation or server) has a registry database. The registry contains entries that describe the initialization information for all services (the equivalent of Unix Daemons) that run within the Windows NT environment. The registry also contains entries that tell application software where to find dynamically loadable libraries that they depend upon. In fact, the registry contains entries that describes everything that anything may need to know to interact with the rest of the system.

The registry files can be located on any Windows NT machine by opening a command prompt and typing:

C:\WINNT\> dir %SystemRoot%\System32\config

The environment variable %SystemRoot% value can be obtained by typing:

C:\WINNT>echo %SystemRoot%

The active parts of the registry that you may want to be familiar with are the files called: default, system, software, sam and security.

In a domain environment, Microsoft Windows NT domain controllers participate in replication of the SAM and SECURITY files so that all controllers within the domain have an exactly identical copy of each.

The Microsoft Windows NT system is structured within a security model that says that all applications and services must authenticate themselves before they can obtain permission from the security manager to do what they set out to do.

The Windows NT User database also resides within the registry. This part of the registry contains the user's security identifier, home directory, group memberships, desktop profile, and so on.

Every Windows NT system (workstation as well as server) will have its own registry. Windows NT Servers that participate in Domain Security control have a database that they share in common - thus they do NOT own an independent full registry database of their own, as do Workstations and plain Servers.

The User database is called the SAM (Security Access Manager) database and is used for all user authentication as well as for authentication of inter- process authentication (i.e. to ensure that the service action a user has requested is permitted within the limits of that user's privileges).

The Samba team have produced a utility that can dump the Windows NT SAM into smbpasswd format: see ENCRYPTION.txt for information on smbpasswd and /pub/samba/pwdump on your nearest Samba mirror for the utility. This facility is useful but cannot be easily used to implement SAM replication to Samba systems.

Windows for Workgroups, Windows 95, and Windows NT Workstations and Servers can participate in a Domain security system that is controlled by Windows NT servers that have been correctly configured. Almost every domain will have ONE Primary Domain Controller (PDC). It is desirable that each domain will have at least one Backup Domain Controller (BDC).

The PDC and BDCs then participate in replication of the SAM database so that each Domain Controlling participant will have an up to date SAM component within its registry.