summaryrefslogtreecommitdiff
path: root/docs/htmldocs/Samba-PDC-HOWTO.html
blob: 883de3a0abb04df3d87034e161c0666e48be442b (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
809
810
811
812
813
814
815
816
817
818
819
820
821
822
823
824
825
826
827
828
829
830
831
832
833
834
835
836
837
838
839
840
841
842
843
844
845
846
847
848
849
850
851
852
853
854
855
856
857
858
859
860
861
862
863
864
865
866
867
868
869
870
871
872
873
874
875
876
877
878
879
880
881
882
883
884
885
886
887
888
889
890
891
892
893
894
895
896
897
898
899
900
901
902
903
904
905
906
907
908
909
910
911
912
913
914
915
916
917
918
919
920
921
922
923
924
925
926
927
928
929
930
931
932
933
934
935
936
937
938
939
940
941
942
943
944
945
946
947
948
949
950
951
952
953
954
955
956
957
958
959
960
961
962
963
964
965
966
967
968
969
970
971
972
973
974
975
976
977
978
979
980
981
982
983
984
985
986
987
988
989
990
991
992
993
994
995
996
997
998
999
1000
1001
1002
1003
1004
1005
1006
1007
1008
1009
1010
1011
1012
1013
1014
1015
1016
1017
1018
1019
1020
1021
1022
1023
1024
1025
1026
1027
1028
1029
1030
1031
1032
1033
1034
1035
1036
1037
1038
1039
1040
1041
1042
1043
1044
1045
1046
1047
1048
1049
1050
1051
1052
1053
1054
1055
1056
1057
1058
1059
1060
1061
1062
1063
1064
1065
1066
1067
1068
1069
1070
1071
1072
1073
1074
1075
1076
1077
1078
1079
1080
1081
1082
1083
1084
1085
1086
1087
1088
1089
1090
1091
1092
1093
1094
1095
1096
1097
1098
1099
1100
1101
1102
1103
1104
1105
1106
1107
1108
1109
1110
1111
1112
1113
1114
1115
1116
1117
1118
1119
1120
1121
1122
1123
1124
1125
1126
1127
1128
1129
1130
1131
1132
1133
1134
1135
1136
1137
1138
1139
1140
1141
1142
1143
1144
1145
1146
1147
1148
1149
1150
1151
1152
1153
1154
1155
1156
1157
1158
1159
1160
1161
1162
1163
1164
1165
1166
1167
1168
1169
1170
1171
1172
1173
1174
1175
1176
1177
1178
1179
1180
1181
1182
1183
1184
1185
1186
1187
1188
1189
1190
1191
1192
1193
1194
1195
1196
1197
1198
1199
1200
1201
1202
1203
1204
1205
1206
1207
1208
1209
1210
1211
1212
1213
1214
1215
1216
1217
1218
1219
1220
1221
1222
1223
1224
1225
1226
1227
1228
1229
1230
1231
1232
1233
1234
1235
1236
1237
1238
1239
1240
1241
1242
1243
1244
1245
1246
1247
1248
1249
1250
1251
1252
1253
1254
1255
1256
1257
1258
1259
1260
1261
1262
1263
1264
1265
1266
1267
1268
1269
1270
1271
1272
1273
1274
1275
1276
1277
1278
1279
1280
1281
1282
1283
1284
1285
1286
1287
1288
1289
1290
1291
1292
1293
1294
1295
1296
1297
1298
1299
1300
1301
1302
1303
1304
1305
1306
1307
1308
1309
1310
1311
1312
1313
1314
1315
1316
1317
1318
1319
1320
1321
1322
1323
1324
1325
1326
1327
1328
1329
1330
1331
1332
1333
1334
1335
1336
1337
1338
1339
1340
1341
1342
1343
1344
1345
1346
1347
1348
1349
1350
1351
1352
1353
1354
1355
1356
1357
1358
1359
1360
1361
1362
1363
1364
1365
1366
1367
1368
1369
1370
1371
1372
1373
1374
1375
1376
1377
1378
1379
1380
1381
1382
1383
1384
1385
1386
1387
1388
1389
1390
1391
1392
1393
1394
1395
1396
1397
1398
1399
1400
1401
1402
1403
1404
1405
1406
1407
1408
1409
1410
1411
1412
1413
1414
1415
1416
1417
1418
1419
1420
1421
1422
1423
1424
1425
1426
1427
1428
1429
1430
1431
1432
1433
1434
1435
1436
1437
1438
1439
1440
1441
1442
1443
1444
1445
1446
1447
1448
1449
1450
1451
1452
1453
1454
1455
1456
1457
1458
1459
1460
1461
1462
1463
1464
1465
1466
1467
1468
1469
1470
1471
1472
1473
1474
1475
1476
1477
1478
1479
1480
1481
1482
1483
1484
1485
1486
1487
1488
1489
1490
1491
1492
1493
1494
1495
1496
1497
1498
1499
1500
1501
1502
1503
1504
1505
1506
1507
1508
1509
1510
1511
1512
1513
1514
1515
1516
1517
1518
1519
1520
1521
1522
1523
1524
1525
1526
1527
1528
1529
1530
1531
1532
1533
1534
1535
1536
1537
1538
1539
1540
1541
1542
1543
1544
1545
1546
1547
1548
1549
1550
1551
1552
1553
1554
1555
1556
1557
1558
1559
1560
1561
1562
1563
1564
1565
1566
1567
1568
1569
1570
1571
1572
1573
1574
1575
1576
1577
1578
1579
1580
1581
1582
1583
1584
1585
1586
1587
1588
1589
1590
1591
1592
1593
1594
1595
1596
1597
1598
1599
1600
1601
1602
1603
1604
1605
1606
1607
1608
1609
1610
1611
1612
1613
1614
1615
1616
1617
1618
1619
1620
1621
1622
1623
1624
1625
1626
1627
1628
1629
1630
1631
1632
1633
1634
1635
1636
1637
1638
1639
1640
1641
1642
1643
1644
1645
1646
1647
1648
1649
1650
1651
1652
1653
1654
1655
1656
1657
1658
1659
1660
1661
1662
1663
1664
1665
1666
1667
1668
1669
1670
1671
1672
1673
1674
1675
1676
1677
1678
1679
1680
1681
1682
1683
1684
1685
1686
1687
1688
1689
1690
1691
1692
1693
1694
1695
1696
1697
1698
1699
1700
1701
1702
1703
1704
1705
1706
1707
1708
1709
1710
1711
1712
1713
1714
1715
1716
1717
1718
1719
1720
1721
1722
1723
1724
1725
1726
1727
1728
1729
1730
1731
1732
1733
1734
1735
1736
1737
1738
1739
1740
1741
1742
1743
1744
1745
1746
1747
1748
1749
1750
1751
1752
1753
1754
1755
1756
1757
1758
1759
1760
1761
1762
1763
1764
1765
1766
1767
1768
1769
1770
1771
1772
1773
1774
1775
1776
1777
1778
1779
1780
1781
1782
1783
1784
1785
1786
1787
1788
1789
1790
1791
1792
1793
1794
1795
1796
1797
1798
1799
1800
1801
1802
1803
1804
1805
1806
1807
1808
1809
1810
1811
1812
1813
1814
1815
1816
1817
1818
1819
1820
1821
1822
1823
1824
1825
1826
1827
1828
1829
1830
1831
1832
1833
1834
1835
1836
1837
1838
1839
1840
1841
1842
1843
1844
1845
1846
1847
1848
1849
1850
1851
1852
1853
1854
1855
1856
1857
1858
1859
1860
1861
1862
1863
1864
1865
1866
1867
1868
1869
1870
1871
1872
1873
1874
1875
1876
1877
1878
1879
1880
1881
1882
1883
1884
1885
1886
1887
1888
1889
1890
1891
1892
1893
1894
1895
1896
1897
1898
1899
1900
1901
1902
1903
1904
1905
1906
1907
1908
1909
1910
1911
1912
1913
1914
1915
1916
1917
1918
1919
1920
1921
1922
1923
1924
1925
1926
1927
1928
1929
1930
1931
1932
1933
1934
1935
1936
1937
1938
1939
1940
1941
1942
1943
1944
1945
1946
1947
1948
1949
1950
1951
1952
1953
1954
1955
1956
1957
1958
1959
1960
1961
1962
1963
1964
1965
1966
1967
1968
1969
1970
1971
1972
1973
1974
1975
1976
1977
1978
1979
1980
1981
1982
1983
1984
1985
1986
1987
1988
1989
1990
1991
1992
1993
1994
1995
1996
1997
1998
1999
2000
2001
2002
2003
2004
2005
2006
2007
2008
2009
2010
2011
2012
2013
2014
2015
2016
2017
2018
2019
2020
2021
2022
2023
2024
2025
2026
2027
2028
2029
2030
2031
2032
2033
2034
2035
2036
2037
2038
2039
2040
2041
2042
2043
2044
2045
2046
2047
2048
2049
2050
2051
2052
2053
2054
2055
2056
2057
2058
2059
2060
2061
2062
2063
2064
2065
2066
2067
2068
2069
2070
2071
2072
2073
2074
2075
2076
2077
2078
2079
2080
2081
2082
2083
2084
2085
2086
2087
2088
2089
2090
2091
2092
2093
2094
2095
2096
2097
2098
2099
2100
2101
2102
2103
2104
2105
2106
2107
2108
2109
2110
2111
2112
2113
2114
2115
2116
2117
2118
2119
2120
2121
2122
2123
2124
2125
2126
2127
2128
2129
2130
2131
2132
2133
2134
2135
2136
2137
2138
2139
2140
2141
2142
2143
2144
2145
2146
2147
2148
2149
2150
2151
2152
2153
2154
2155
2156
2157
2158
2159
2160
2161
2162
2163
2164
2165
2166
2167
2168
2169
2170
2171
2172
2173
2174
2175
2176
2177
2178
2179
2180
2181
2182
2183
2184
2185
2186
2187
2188
2189
2190
2191
2192
2193
2194
2195
2196
2197
2198
2199
2200
2201
2202
2203
2204
2205
2206
2207
2208
2209
2210
2211
2212
2213
2214
2215
2216
2217
2218
2219
2220
2221
2222
2223
2224
2225
2226
2227
2228
2229
2230
2231
2232
2233
2234
2235
2236
2237
2238
2239
2240
2241
2242
2243
2244
2245
2246
2247
2248
2249
2250
2251
2252
2253
2254
2255
2256
2257
2258
2259
2260
2261
2262
2263
2264
2265
2266
2267
2268
2269
2270
2271
2272
2273
2274
2275
2276
2277
2278
2279
2280
2281
2282
2283
2284
2285
2286
2287
2288
2289
2290
2291
2292
2293
2294
2295
2296
2297
2298
2299
<HTML
><HEAD
><TITLE
>How to Configure Samba 2.2 as a Primary Domain Controller</TITLE
><META
NAME="GENERATOR"
CONTENT="Modular DocBook HTML Stylesheet Version 1.57"></HEAD
><BODY
CLASS="ARTICLE"
BGCOLOR="#FFFFFF"
TEXT="#000000"
LINK="#0000FF"
VLINK="#840084"
ALINK="#0000FF"
><DIV
CLASS="ARTICLE"
><DIV
CLASS="TITLEPAGE"
><H1
CLASS="TITLE"
><A
NAME="AEN1"
>How to Configure Samba 2.2 as a Primary Domain Controller</A
></H1
><HR></DIV
><DIV
CLASS="SECT1"
><H1
CLASS="SECT1"
><A
NAME="AEN3"
>Prerequisite Reading</A
></H1
><P
>Before you continue readingin this chapter, please make sure 
that you are comfortable with configuring basic files services
in smb.conf and how to enable and administrate password 
encryption in Samba.  Theses two topics are covered in the
<A
HREF="smb.conf.5.html"
TARGET="_top"
><TT
CLASS="FILENAME"
>smb.conf(5)</TT
></A
> 
manpage and the <A
HREF="EMCRYPTION.html"
TARGET="_top"
>Encryption chapter</A
> 
of this HOWTO Collection.</P
></DIV
><DIV
CLASS="SECT1"
><HR><H1
CLASS="SECT1"
><A
NAME="AEN9"
>Background</A
></H1
><DIV
CLASS="NOTE"
><BLOCKQUOTE
CLASS="NOTE"
><P
><B
>Note: </B
><I
CLASS="EMPHASIS"
>Author's Note :</I
> This document is a combination 
of David Bannon's Samba 2.2 PDC HOWTO and the Samba NT Domain FAQ. 
Both documents are superceeded by this one.</P
></BLOCKQUOTE
></DIV
><P
>Version of Samba prior to release 2.2 had marginal capabilities to
act as a Windows NT 4.0 Primary Domain Controller (PDC).  Beginning with 
Samba 2.2.0, we are proud to announce official support for Windows NT 4.0 
style domain logons from Windows NT 4.0 (through SP6) and Windows 2000 (through 
SP1) clients.  This article outlines the steps necessary for configuring Samba 
as a PDC.  It is necessary to have a working Samba server prior to implementing the 
PDC functionality.  If you have not followed the steps outlined in 
<A
HREF="UNIX_INSTALL.html"
TARGET="_top"
> UNIX_INSTALL.html</A
>, please make sure 
that your server is configured correctly before proceeding.  Another good 
resource in the <A
HREF="smb.conf.5.html"
TARGET="_top"
>smb.conf(5) man 
page</A
>. The following  functionality should work in 2.2:</P
><P
></P
><UL
><LI
><P
>	domain logons for Windows NT 4.0/2000 clients.
	</P
></LI
><LI
><P
>	placing a Windows 9x client in user level security
	</P
></LI
><LI
><P
>	retrieving a list of users and groups from a Samba PDC to
	Windows 9x/NT/2000 clients
	</P
></LI
><LI
><P
>	roving (roaming) user profiles
	</P
></LI
><LI
><P
>	Windows NT 4.0 style system policies
	</P
></LI
></UL
><DIV
CLASS="WARNING"
><P
></P
><TABLE
CLASS="WARNING"
BORDER="1"
WIDTH="100%"
><TR
><TD
ALIGN="CENTER"
><B
>Windows 2000 Service Pack 2 Clients</B
></TD
></TR
><TR
><TD
ALIGN="LEFT"
><P
>	Samba 2.2.1 is required for PDC functionality when using Windows 2000 
	SP2 clients. 
	</P
></TD
></TR
></TABLE
></DIV
><P
>The following pieces of functionality are not included in the 2.2 release:</P
><P
></P
><UL
><LI
><P
>	Windows NT 4 domain trusts
	</P
></LI
><LI
><P
>	SAM replication with Windows NT 4.0 Domain Controllers
	(i.e. a Samba PDC and a Windows NT BDC or vice versa) 
	</P
></LI
><LI
><P
>	Adding users via the User Manager for Domains
	</P
></LI
><LI
><P
>	Acting as a Windows 2000 Domain Controller (i.e. Kerberos and 
	Active Directory)
	</P
></LI
></UL
><P
>Please note that Windows 9x clients are not true members of a domain
for reasons outlined in this article.  Therefore the protocol for
support Windows 9x style domain logons is completely different
from NT4 domain logons and has been officially supported for some 
time.</P
><P
>Implementing a Samba PDC can basically be divided into 2 broad
steps.</P
><P
></P
><OL
TYPE="1"
><LI
><P
>	Configuring the Samba PDC
	</P
></LI
><LI
><P
>	Creating machine trust accounts	and joining clients 
	to the domain
	</P
></LI
></OL
><P
>There are other minor details such as user profiles, system
policies, etc...  However, these are not necessarily specific
to a Samba PDC as much as they are related to Windows NT networking
concepts.  They will be mentioned only briefly here.</P
></DIV
><DIV
CLASS="SECT1"
><HR><H1
CLASS="SECT1"
><A
NAME="AEN49"
>Configuring the Samba Domain Controller</A
></H1
><P
>The first step in creating a working Samba PDC is to 
understand the parameters necessary in smb.conf.  I will not
attempt to re-explain the parameters here as they are more that
adequately covered in <A
HREF="smb.conf.5.html"
TARGET="_top"
> the smb.conf
man page</A
>.  For convenience, the parameters have been
linked with the actual smb.conf description.</P
><P
>Here is an example smb.conf for acting as a PDC:</P
><P
><PRE
CLASS="PROGRAMLISTING"
>[global]
    ; Basic server settings
    <A
HREF="smb.conf.5.html#NETBIOSNAME"
TARGET="_top"
>netbios name</A
> = <TT
CLASS="REPLACEABLE"
><I
>POGO</I
></TT
>
    <A
HREF="smb.conf.5.html#WORKGROUP"
TARGET="_top"
>workgroup</A
> = <TT
CLASS="REPLACEABLE"
><I
>NARNIA</I
></TT
>

    ; we should act as the domain and local master browser
    <A
HREF="smb.conf.5.html#OSLEVEL"
TARGET="_top"
>os level</A
> = 64
    <A
HREF="smb.conf.5.html#PERFERREDMASTER"
TARGET="_top"
>preferred master</A
> = yes
    <A
HREF="smb.conf.5.html#DOMAINMASTER"
TARGET="_top"
>domain master</A
> = yes
    <A
HREF="smb.conf.5.html#LOCALMASTER"
TARGET="_top"
>local master</A
> = yes
    
    ; security settings (must user security = user)
    <A
HREF="smb.conf.5.html#SECURITYEQUALSUSER"
TARGET="_top"
>security</A
> = user
    
    ; encrypted passwords are a requirement for a PDC
    <A
HREF="smb.conf.5.html#ENCRYPTPASSWORDS"
TARGET="_top"
>encrypt passwords</A
> = yes
    
    ; support domain logons
    <A
HREF="smb.conf.5.html#DOMAINLOGONS"
TARGET="_top"
>domain logons</A
> = yes
    
    ; where to store user profiles?
    <A
HREF="smb.conf.5.html#LOGONPATH"
TARGET="_top"
>logon path</A
> = \\%N\profiles\%u
    
    ; where is a user's home directory and where should it
    ; be mounted at?
    <A
HREF="smb.conf.5.html#LOGONDRIVE"
TARGET="_top"
>logon drive</A
> = H:
    <A
HREF="smb.conf.5.html#LOGONHOME"
TARGET="_top"
>logon home</A
> = \\homeserver\%u
    
    ; specify a generic logon script for all users
    ; this is a relative **DOS** path to the [netlogon] share
    <A
HREF="smb.conf.5.html#LOGONSCRIPT"
TARGET="_top"
>logon script</A
> = logon.cmd

; necessary share for domain controller
[netlogon]
    <A
HREF="smb.conf.5.html#PATH"
TARGET="_top"
>path</A
> = /usr/local/samba/lib/netlogon
    <A
HREF="smb.conf.5.html#WRITEABLE"
TARGET="_top"
>writeable</A
> = no
    <A
HREF="smb.conf.5.html#WRITELIST"
TARGET="_top"
>write list</A
> = <TT
CLASS="REPLACEABLE"
><I
>ntadmin</I
></TT
>
    
; share for storing user profiles
[profiles]
    <A
HREF="smb.conf.5.html#PATH"
TARGET="_top"
>path</A
> = /export/smb/ntprofile
    <A
HREF="smb.conf.5.html#WRITEABLE"
TARGET="_top"
>writeable</A
> = yes
    <A
HREF="smb.conf.5.html#CREATEMASK"
TARGET="_top"
>create mask</A
> = 0600
    <A
HREF="smb.conf.5.html#DIRECTORYMASK"
TARGET="_top"
>directory mask</A
> = 0700</PRE
></P
><P
>There are a couple of points to emphasize in the above configuration.</P
><P
></P
><UL
><LI
><P
>	Encrypted passwords must be enabled.  For more details on how 
	to do this, refer to <A
HREF="ENCRYPTION.html"
TARGET="_top"
>ENCRYPTION.html</A
>.
	</P
></LI
><LI
><P
>	The server must support domain logons and a
	<TT
CLASS="FILENAME"
>[netlogon]</TT
> share
	</P
></LI
><LI
><P
>	The server must be the domain master browser in order for Windows 
	client to locate the server as a DC.  Please refer to the various 
	Network Browsing documentation included with this distribution for 
	details.
	</P
></LI
></UL
><P
>As Samba 2.2 does not offer a complete implementation of group mapping between 
Windows NT groups and UNIX groups (this is really quite complicated to explain 
in a short space), you should refer to the <A
HREF="smb.conf.5.html#DOMAINADMINUSERS"
TARGET="_top"
>domain 
admin users</A
> and <A
HREF="smb.conf.5.html#DOMAINADMINGROUP"
TARGET="_top"
>domain 
admin group</A
> smb.conf parameters for information of creating a Domain Admins 
style accounts.</P
></DIV
><DIV
CLASS="SECT1"
><HR><H1
CLASS="SECT1"
><A
NAME="AEN92"
>Creating Machine Trust Accounts and Joining Clients 
to the Domain</A
></H1
><P
>A machine trust account is a samba user account owned by a computer.  
The account password acts as the shared secret for secure 
communication with the Domain Controller.  This is a security feature
to prevent an unauthorized machine with the same netbios name from 
joining the domain and gaining access to domain user/group accounts.  
Hence a Windows 9x host is never a true member of a domain because it does 
not posses a machine trust account, and thus has no shared secret with the DC.</P
><P
>On a Windows NT PDC, these machine trust account passwords are stored
in the registry.  A Samba PDC stores these accounts in the same location
as user LanMan and NT password hashes (currently <TT
CLASS="FILENAME"
>smbpasswd</TT
>).
However, machine trust accounts only possess and use the NT password hash.</P
><P
>Because Samba requires machine accounts to possess a UNIX uid from
which an Windows NT SID can be generated, all of these accounts
must have an entry in <TT
CLASS="FILENAME"
>/etc/passwd</TT
> and smbpasswd.  
Future releases will alleviate the need to create 
<TT
CLASS="FILENAME"
>/etc/passwd</TT
> entries.  </P
><P
>There are two means of creating machine trust accounts.</P
><P
></P
><UL
><LI
><P
>	Manual creation before joining the client to the domain.  In this case, 
	the password is set to a known value -- the lower case of the 
	machine's netbios name.
	</P
></LI
><LI
><P
>	Creation of the account at the time of joining the domain.  In 
	this case, the session key of the administrative account used to join 
	the client to the domain acts as an encryption key for setting the 
	password to a random value (This is the recommended method).
	</P
></LI
></UL
><DIV
CLASS="SECT2"
><HR><H2
CLASS="SECT2"
><A
NAME="AEN106"
>Manually creating machine trust accounts</A
></H2
><P
>The first step in creating a machine trust account by hand is to 
create an entry for the machine in /etc/passwd.  This can be done 
using <B
CLASS="COMMAND"
>vipw</B
> or any 'add userr' command which is normally 
used to create new UNIX accounts.  The following is an example for a Linux 
based Samba server:</P
><P
><TT
CLASS="PROMPT"
>root# </TT
>/usr/sbin/useradd -g 100 -d /dev/null -c <TT
CLASS="REPLACEABLE"
><I
>machine_nickname</I
></TT
> -m -s /bin/false <TT
CLASS="REPLACEABLE"
><I
>machine_name</I
></TT
>$</P
><P
>The <TT
CLASS="FILENAME"
>/etc/passwd</TT
> entry will list the machine name 
with a $ appended, won't have a passwd, will have a null shell and no 
home directory. For example a machine called 'doppy' would have an 
<TT
CLASS="FILENAME"
>/etc/passwd</TT
> entry like this :</P
><P
><PRE
CLASS="PROGRAMLISTING"
>doppy$:x:505:501:<TT
CLASS="REPLACEABLE"
><I
>machine_nickname</I
></TT
>:/dev/null:/bin/false</PRE
></P
><P
>Above, <TT
CLASS="REPLACEABLE"
><I
>machine_nickname</I
></TT
> can be any descriptive name for the
pc i.e. BasementComputer. The <TT
CLASS="REPLACEABLE"
><I
>machine_name</I
></TT
> absolutely must be 
the netbios name of the pc to be added to the domain.  The "$" must append the netbios
name of the pc or samba will not recognize this as a machine account</P
><P
>Now that the UNIX account has been created, the next step is to create 
the smbpasswd entry for the machine containing the well known initial 
trust account password.  This can be done using the <A
HREF="smbpasswd.6.html"
TARGET="_top"
><B
CLASS="COMMAND"
>smbpasswd(8)</B
></A
> command 
as shown here:</P
><P
><TT
CLASS="PROMPT"
>root# </TT
> smbpasswd -a -m <TT
CLASS="REPLACEABLE"
><I
>machine_name</I
></TT
></P
><P
>where <TT
CLASS="REPLACEABLE"
><I
>machine_name</I
></TT
> is the machine's netbios
name. </P
><DIV
CLASS="WARNING"
><P
></P
><TABLE
CLASS="WARNING"
BORDER="1"
WIDTH="100%"
><TR
><TD
ALIGN="CENTER"
><B
>Join the client to the domain immediately</B
></TD
></TR
><TR
><TD
ALIGN="LEFT"
><P
>	Manually creating a machine trust account using this method is the 
	equivalent of creating a machine account on a Windows NT PDC using 
	the "Server Manager".  From the time at which the account is created
	to the time which th client joins the domain and changes the password,
	your domain is vulnerable to an intruder joining your domain using a
	a machine with the same netbios name.  A PDC inherently trusts
	members of the domain and will serve out a large degree of user 
	information to such clients.  You have been warned!
	</P
></TD
></TR
></TABLE
></DIV
></DIV
><DIV
CLASS="SECT2"
><HR><H2
CLASS="SECT2"
><A
NAME="AEN134"
>Creating machine trust accounts "on the fly"</A
></H2
><P
>The second, and most recommended way of creating machine trust accounts 
is to create them as needed at the time the client is joined to 
the domain.  You will need to include a value for the <A
HREF="smb.conf.5.html#ADDUSERSCRIPT"
TARGET="_top"
>add user script</A
>
parameter.  Below is an example from a RedHat 6.2 Linux system.</P
><P
><PRE
CLASS="PROGRAMLISTING"
>add user script = /usr/sbin/useradd -d /dev/null -g 100 -s /bin/false -M %u </PRE
></P
><P
>In Samba 2.2.1, <I
CLASS="EMPHASIS"
>only the root account</I
> can be used to create
machine accounts like this.  Therefore, it is required to create 
an entry in smbpasswd for <I
CLASS="EMPHASIS"
>root</I
>.  The password 
<I
CLASS="EMPHASIS"
>SHOULD</I
> be set to s different password that the 
associated <TT
CLASS="FILENAME"
>/etc/passwd</TT
> entry for security reasons.</P
></DIV
></DIV
><DIV
CLASS="SECT1"
><HR><H1
CLASS="SECT1"
><A
NAME="AEN145"
>Common Problems and Errors</A
></H1
><P
></P
><P
></P
><UL
><LI
><P
>	<I
CLASS="EMPHASIS"
>I cannot include a '$' in a machine name.</I
>
	</P
><P
>	A 'machine name' in (typically) <TT
CLASS="FILENAME"
>/etc/passwd</TT
> 	
	of the machine name with a '$' appended. FreeBSD (and other BSD 
	systems ?) won't create a user with a '$' in their name.
	</P
><P
>	The problem is only in the program used to make the entry, once 
	made, it works perfectly. So create a user without the '$' and 
	use <B
CLASS="COMMAND"
>vipw</B
> to edit the entry, adding the '$'. Or create 
	the whole entry with vipw if you like, make sure you use a 
	unique uid !
	</P
></LI
><LI
><P
>	<I
CLASS="EMPHASIS"
>I get told "You already have a connection to the Domain...." 
	or "Cannot join domain, the credentials supplied conflict with an 
	existing set.." when creating a machine account.</I
>
	</P
><P
>	This happens if you try to create a machine account from the 
	machine itself and already have a connection (e.g. mapped drive) 
	to a share (or IPC$) on the Samba PDC.  The following command
	will remove all network drive connections:
	</P
><P
>	<TT
CLASS="PROMPT"
>C:\WINNT\&#62;</TT
> <B
CLASS="COMMAND"
>net use * /d</B
>
	</P
><P
>	Further, if the machine is a already a 'member of a workgroup' that 
	is the same name as the domain you are joining (bad idea) you will 
	get this message.  Change the workgroup name to something else, it 
	does not matter what, reboot, and try again.
	</P
></LI
><LI
><P
>	<I
CLASS="EMPHASIS"
>The system can not log you on (C000019B)....</I
>
	</P
><P
>I joined the domain successfully but after upgrading 
	to a newer version of the Samba code I get the message, "The system 
	can not log you on (C000019B), Please try a gain or consult your 
	system administrator" when attempting to logon.
	</P
><P
>	This occurs when the domain SID stored in 
	<TT
CLASS="FILENAME"
>private/WORKGROUP.SID</TT
> is 
	changed.  For example, you remove the file and <B
CLASS="COMMAND"
>smbd</B
> automatically 
	creates a new one.  Or you are swapping back and forth between 
	versions 2.0.7, TNG and the HEAD branch code (not recommended).  The 
	only way to correct the problem is to restore the original domain 
	SID or remove the domain client from the domain and rejoin.
	</P
></LI
><LI
><P
>	<I
CLASS="EMPHASIS"
>The machine account for this computer either does not 
	exist or is not accessible.</I
>
	</P
><P
>	When I try to join the domain I get the message "The machine account 
	for this computer either does not exist or is not accessible". Whats 
	wrong?
	</P
><P
>	This problem is caused by the PDC not having a suitable machine account. 
	If you are using the <TT
CLASS="PARAMETER"
><I
>add user script</I
></TT
> method to create 
	accounts then this would indicate that it has not worked. Ensure the domain 
	admin user system is working.
	</P
><P
>	Alternatively if you are creating account entries manually then they 
	have not been created correctly. Make sure that you have the entry 
	correct for the machine account in smbpasswd file on the Samba PDC. 
	If you added the account using an editor rather than using the smbpasswd 
	utility, make sure that the account name is the machine netbios name 
	with a '$' appended to it ( ie. computer_name$ ). There must be an entry 
	in both /etc/passwd and the smbpasswd file. Some people have reported 
	that inconsistent subnet masks between the Samba server and the NT 
	client have caused this problem.   Make sure that these are consistent 
	for both client and server.
	</P
></LI
><LI
><P
>	<I
CLASS="EMPHASIS"
>When I attempt to login to a Samba Domain from a NT4/W2K workstation,
	I get a message about my account being disabled.</I
>
	</P
><P
>	This problem is caused by a PAM related bug in Samba 2.2.0.  This bug is 
	fixed in 2.2.1.  Other symptoms could be unaccessible shares on 
	NT/W2K member servers in the domain or the following error in your smbd.log:
	passdb/pampass.c:pam_account(268) PAM: UNKNOWN ERROR for User: %user%
	</P
><P
>	At first be ensure to enable the useraccounts with <B
CLASS="COMMAND"
>smbpasswd -e 
	%user%</B
>, this is normaly done, when you create an account.
	</P
><P
>	In order to work around this problem in 2.2.0, configure the 
	<TT
CLASS="PARAMETER"
><I
>account</I
></TT
> control flag in 
	<TT
CLASS="FILENAME"
>/etc/pam.d/samba</TT
> file as follows:
	</P
><P
><PRE
CLASS="PROGRAMLISTING"
>	account required        pam_permit.so
	</PRE
></P
><P
>	If you want to remain backward compatibility to samba 2.0.x use
	<TT
CLASS="FILENAME"
>pam_permit.so</TT
>, it's also possible to use 
	<TT
CLASS="FILENAME"
>pam_pwdb.so</TT
>. There are some bugs if you try to 
	use <TT
CLASS="FILENAME"
>pam_unix.so</TT
>, if you need this, be ensure to use
	the most recent version of this file.
	</P
></LI
></UL
></DIV
><DIV
CLASS="SECT1"
><HR><H1
CLASS="SECT1"
><A
NAME="AEN193"
>System Policies and Profiles</A
></H1
><P
>Much of the information necessary to implement System Policies and
Roving User Profiles in a Samba domain is the same as that for 
implementing these same items in a Windows NT 4.0 domain. 
You should read the white paper <A
HREF="http://www.microsoft.com/ntserver/management/deployment/planguide/prof_policies.asp"
TARGET="_top"
>Implementing
Profiles and Policies in Windows NT 4.0</A
> available from Microsoft.</P
><P
>Here are some additional details:</P
><P
></P
><UL
><LI
><P
>	<I
CLASS="EMPHASIS"
>What about Windows NT Policy Editor ?</I
>
	</P
><P
>	To create or edit <TT
CLASS="FILENAME"
>ntconfig.pol</TT
> you must use 
	the NT Server Policy Editor, <B
CLASS="COMMAND"
>poledit.exe</B
>	which 
	is included with NT Server but <I
CLASS="EMPHASIS"
>not NT Workstation</I
>. 
	There is a Policy Editor on a NTws 
	but it is not suitable for creating <I
CLASS="EMPHASIS"
>Domain Policies</I
>. 
	Further, although the Windows 95 
	Policy Editor can be installed on an NT Workstation/Server, it will not
	work with NT policies because the registry key that are set by the policy templates. 
	However, the files from the NT Server will run happily enough on an NTws. 	
	You need <TT
CLASS="FILENAME"
>poledit.exe, common.adm</TT
> and <TT
CLASS="FILENAME"
>winnt.adm</TT
>. It is convenient
	to put the two *.adm files in <TT
CLASS="FILENAME"
>c:\winnt\inf</TT
> which is where
	the binary will look for them unless told otherwise. Note also that that 
	directory is 'hidden'.
	</P
><P
>	The Windows NT policy editor is also included with the Service Pack 3 (and 
	later) for Windows NT 4.0. Extract the files using <B
CLASS="COMMAND"
>servicepackname /x</B
>, 
	ie thats <B
CLASS="COMMAND"
>Nt4sp6ai.exe /x</B
> for service pack 6a.  The policy editor, 
	<B
CLASS="COMMAND"
>poledit.exe</B
> and the associated template files (*.adm) should
	be extracted as well.  It is also possible to downloaded the policy template 
	files for Office97 and get a copy of the policy editor.  Another possible 
	location is with the Zero Administration Kit available for download from Microsoft.
	</P
></LI
><LI
><P
>	<I
CLASS="EMPHASIS"
>Can Win95 do Policies ?</I
>
	</P
><P
>	Install the group policy handler for Win9x to pick up group 
	policies.   Look on the Win98 CD in <TT
CLASS="FILENAME"
>\tools\reskit\netadmin\poledit</TT
>. 
	Install group policies on a Win9x client by double-clicking 
	<TT
CLASS="FILENAME"
>grouppol.inf</TT
>. Log off and on again a couple of 
	times and see if Win98 picks up group policies.  Unfortunately this needs 
	to be done on every Win9x machine that uses group policies....
	</P
><P
>	If group policies don't work one reports suggests getting the updated 
	(read: working) grouppol.dll for Windows 9x. The group list is grabbed 
	from /etc/group.
	</P
></LI
><LI
><P
>	<I
CLASS="EMPHASIS"
>How do I get 'User Manager' and 'Server Manager'</I
>
	</P
><P
>	Since I don't need to buy an NT Server CD now, how do I get 
	the 'User Manager for Domains', the 'Server Manager' ?
	</P
><P
>	Microsoft distributes a version of these tools called nexus for 
	installation on Windows 95 systems.  The tools set includes
	</P
><P
></P
><UL
><LI
><P
>Server Manager</P
></LI
><LI
><P
>User Manager for Domains</P
></LI
><LI
><P
>Event Viewer</P
></LI
></UL
><P
>	Click here to download the archived file <A
HREF="ftp://ftp.microsoft.com/Softlib/MSLFILES/NEXUS.EXE"
TARGET="_top"
>ftp://ftp.microsoft.com/Softlib/MSLFILES/NEXUS.EXE</A
>
	</P
><P
>	The Windows NT 4.0 version of the 'User Manager for 
	Domains' and 'Server Manager' are available from Microsoft via ftp 
	from <A
HREF="ftp://ftp.microsoft.com/Softlib/MSLFILES/SRVTOOLS.EXE"
TARGET="_top"
>ftp://ftp.microsoft.com/Softlib/MSLFILES/SRVTOOLS.EXE</A
>
	</P
></LI
></UL
></DIV
><DIV
CLASS="SECT1"
><HR><H1
CLASS="SECT1"
><A
NAME="AEN237"
>What other help can I get ?</A
></H1
><P
>There are many sources of information available in the form 
of mailing lists, RFC's and documentation.  The docs that come 
with the samba distribution contain very good explanations of 
general SMB topics such as browsing.</P
><P
></P
><UL
><LI
><P
>	<I
CLASS="EMPHASIS"
>What are some diagnostics tools I can use to debug the domain logon 
	process and where can I	find them?</I
>
	</P
><P
>	One of the best diagnostic tools for debugging problems is Samba itself.  
	You can use the -d option for both smbd and nmbd to specifiy what 
	'debug level' at which to run.  See the man pages on smbd, nmbd  and 
	smb.conf for more information on debugging options.  The debug 
	level can range from 1 (the default) to 10 (100 for debugging passwords).
	</P
><P
>	Another helpful method of debugging is to compile samba using the 
	<B
CLASS="COMMAND"
>gcc -g </B
> flag.   This will include debug 
	information in the binaries and allow you to attach gdb to the 
	running smbd / nmbd process.  In order to attach gdb to an smbd 
	process for an NT workstation, first get the workstation to make the 
	connection. Pressing ctrl-alt-delete and going down to the domain box 
	is sufficient (at least, on the first time you join the domain) to 
	generate a 'LsaEnumTrustedDomains'. Thereafter, the workstation 
	maintains an open connection, and therefore there will be an smbd 
	process running (assuming that you haven't set a really short smbd 
	idle timeout)  So, in between pressing ctrl alt delete, and actually 
	typing in your password, you can gdb attach and continue.
	</P
><P
>	Some useful samba commands worth investigating:
	</P
><P
></P
><UL
><LI
><P
>testparam | more</P
></LI
><LI
><P
>smbclient -L //{netbios name of server}</P
></LI
></UL
><P
>	An SMB enabled version of tcpdump is available from 
	<A
HREF="http://www.tcpdump.org/"
TARGET="_top"
>http://www.tcpdup.org/</A
>.
	Ethereal, another good packet sniffer for UNIX and Win32
	hosts, can be downloaded from <A
HREF="http://www.ethereal.com/"
TARGET="_top"
>http://www.ethereal.com</A
>.
	</P
><P
>	For tracing things on the Microsoft Windows NT, Network Monitor 
	(aka. netmon) is available on the Microsoft Developer Network CD's, 
	the Windows NT Server install CD and the SMS CD's.  The version of 
	netmon that ships with SMS allows for dumping packets between any two 
	computers (ie. placing the network interface in promiscuous mode).  
	The version on the NT Server install CD will only allow monitoring 
	of network traffic directed to the local NT box and broadcasts on the 
	local subnet.  Be aware that Ethereal can read and write netmon 
	formatted files.
	</P
></LI
><LI
><P
>	<I
CLASS="EMPHASIS"
>How do I install 'Network Monitor' on an NT Workstation 
	or a Windows 9x box?</I
>
	</P
><P
>	Installing netmon on an NT workstation requires a couple 
	of steps.  The following are for installing Netmon V4.00.349, which comes 
	with Microsoft Windows NT Server 4.0, on Microsoft Windows NT 
	Workstation 4.0.  The process should be similar for other version of 
	Windows NT / Netmon.  You will need both the Microsoft Windows 
	NT Server 4.0 Install CD and the Workstation 4.0 Install CD.
	</P
><P
>	Initially you will need to install 'Network Monitor Tools and Agent' 
	on the NT Server.  To do this 
	</P
><P
></P
><UL
><LI
><P
>Goto Start - Settings - Control Panel - 
		Network - Services - Add </P
></LI
><LI
><P
>Select the 'Network Monitor Tools and Agent' and 
		click on 'OK'.</P
></LI
><LI
><P
>Click 'OK' on the Network Control Panel.
		</P
></LI
><LI
><P
>Insert the Windows NT Server 4.0 install CD 
		when prompted.</P
></LI
></UL
><P
>	At this point the Netmon files should exist in 
	<TT
CLASS="FILENAME"
>%SYSTEMROOT%\System32\netmon\*.*</TT
>.    
	Two subdirectories exist as well, <TT
CLASS="FILENAME"
>parsers\</TT
> 
	which contains the necessary DLL's for parsing the netmon packet 
	dump, and <TT
CLASS="FILENAME"
>captures\</TT
>.
	</P
><P
>	In order to install the Netmon tools on an NT Workstation, you will 
	first need to install the 'Network  Monitor Agent' from the Workstation 
	install CD.
	</P
><P
></P
><UL
><LI
><P
>Goto Start - Settings - Control Panel - 
		Network - Services - Add</P
></LI
><LI
><P
>Select the 'Network Monitor Agent' and click 
		on 'OK'.</P
></LI
><LI
><P
>Click 'OK' on the Network Control Panel.
		</P
></LI
><LI
><P
>Insert the Windows NT Workstation 4.0 install 
		CD when prompted.</P
></LI
></UL
><P
>	Now copy the files from the NT Server in %SYSTEMROOT%\System32\netmon\*.* 
	to %SYSTEMROOT%\System32\netmon\*.* on the Workstation and set 
	permissions as  you deem appropriate for your site. You will need 
	administrative rights on the NT box to run netmon.
	</P
><P
>	To install Netmon on a Windows 9x box install the network monitor agent 
	from the Windows 9x CD (\admin\nettools\netmon).  There is a readme 
	file located with the netmon driver files on the CD if you need 
	information on how to do this.  Copy the files from a working 
	Netmon installation.
	</P
></LI
><LI
><P
>	The following is a list if helpful URLs and other links:
	</P
><P
></P
><UL
><LI
><P
>Home of Samba site <A
HREF="http://samba.org"
TARGET="_top"
>        http://samba.org</A
>. We have a mirror near you !</P
></LI
><LI
><P
> The <I
CLASS="EMPHASIS"
>Development</I
> document 
	on the Samba mirrors might mention your problem. If so,
	it might mean that the developers are working on it.</P
></LI
><LI
><P
>See how Scott Merrill simulates a BDC behavior at 
        <A
HREF="http://www.skippy.net/linux/smb-howto.html"
TARGET="_top"
>        http://www.skippy.net/linux/smb-howto.html</A
>. </P
></LI
><LI
><P
>Although 2.0.7 has almost had its day as a PDC, David Bannon will
        keep the 2.0.7 PDC pages at <A
HREF="http://bioserve.latrobe.edu.au/samba"
TARGET="_top"
>        http://bioserve.latrobe.edu.au/samba</A
> going for a while yet.</P
></LI
><LI
><P
>Misc links to CIFS information 
        <A
HREF="http://samba.org/cifs/"
TARGET="_top"
>http://samba.org/cifs/</A
></P
></LI
><LI
><P
>NT Domains for Unix <A
HREF="http://mailhost.cb1.com/~lkcl/ntdom/"
TARGET="_top"
>        http://mailhost.cb1.com/~lkcl/ntdom/</A
></P
></LI
><LI
><P
>FTP site for older SMB specs: 
        <A
HREF="ftp://ftp.microsoft.com/developr/drg/CIFS/"
TARGET="_top"
>        ftp://ftp.microsoft.com/developr/drg/CIFS/</A
></P
></LI
></UL
></LI
></UL
><P
></P
><UL
><LI
><P
>	<I
CLASS="EMPHASIS"
>How do I get help from the mailing lists ?</I
>
	</P
><P
>	There are a number of Samba related mailing lists. Go to <A
HREF="http://samba.org"
TARGET="_top"
>http://samba.org</A
>, click on your nearest mirror
	and then click on <B
CLASS="COMMAND"
>Support</B
> and then click on <B
CLASS="COMMAND"
>	Samba related mailing lists</B
>.
	</P
><P
>	For questions relating to Samba TNG go to
	<A
HREF="http://www.samba-tng.org/"
TARGET="_top"
>http://www.samba-tng.org/</A
> 
	It has been requested that you don't post questions about Samba-TNG to the
	main stream Samba lists.</P
><P
>	If you post a message to one of the lists please observe the following guide lines :
	</P
><P
></P
><UL
><LI
><P
> Always remember that the developers are volunteers, they are 
		not paid and they never guarantee to produce a particular feature at 
		a particular time. Any time lines are 'best guess' and nothing more.
		</P
></LI
><LI
><P
> Always mention what version of samba you are using and what 
		operating system its running under. You should probably list the
        relevant sections of your smb.conf file, at least the options 
        in [global] that affect PDC support.</P
></LI
><LI
><P
>In addition to the version, if you obtained Samba via
        CVS mention the date when you last checked it out.</P
></LI
><LI
><P
> Try and make your question clear and brief, lots of long, 
		convoluted questions get deleted before	they are completely read ! 
		Don't post html encoded messages (if you can select colour or font 
		size its html).</P
></LI
><LI
><P
> If you run one of those nifty 'I'm on holidays' things when 
		you are away, make sure its configured	to not answer mailing lists.
		</P
></LI
><LI
><P
> Don't cross post. Work out which is the best list to post to 
		and see what happens, ie don't post to both samba-ntdom and samba-technical.
        Many people active on the lists subscribe to more 
		than one list and get annoyed to see the same message two or more times. 
		Often someone will see a message and thinking it would be better dealt 
		with on another, will forward it on for you.</P
></LI
><LI
><P
>You might include <I
CLASS="EMPHASIS"
>partial</I
>
        log files written at a debug level set to as much as 20.  
        Please don't send the entire log but enough to give the context of the 
        error messages.</P
></LI
><LI
><P
>(Possibly) If you have a complete netmon trace ( from the opening of 
        the pipe to the error ) you can send the *.CAP file as well.</P
></LI
><LI
><P
>Please think carefully before attaching a document to an email.
        Consider pasting the relevant parts into the body of the message. The samba
        mailing lists go to a huge number of people, do they all need a copy of your 
        smb.conf in their attach directory ?</P
></LI
></UL
></LI
><LI
><P
>	<I
CLASS="EMPHASIS"
>How do I get off the mailing lists ?</I
>
	</P
><P
>To have your name removed from a samba mailing list, go to the
	same place you went to to get on it. Go to <A
HREF="http://lists.samba.org/"
TARGET="_top"
>http://lists.samba.org</A
>, 
	click on your nearest mirror and then click on <B
CLASS="COMMAND"
>Support</B
> and 
	then click on <B
CLASS="COMMAND"
> Samba related mailing lists</B
>. Or perhaps see 
	<A
HREF="http://lists.samba.org/mailman/roster/samba-ntdom"
TARGET="_top"
>here</A
>
	</P
><P
>	Please don't post messages to the list asking to be removed, you will just
	be referred to the above address (unless that process failed in some way...)
	</P
></LI
></UL
></DIV
><DIV
CLASS="SECT1"
><HR><H1
CLASS="SECT1"
><A
NAME="AEN351"
>Domain Control for Windows 9x/ME</A
></H1
><DIV
CLASS="NOTE"
><BLOCKQUOTE
CLASS="NOTE"
><P
><B
>Note: </B
>The following section contains much of the original 
DOMAIN.txt file previously included with Samba.  Much of 
the material is based on what went into the book Special 
Edition, Using Samba. (Richard Sharpe)</P
></BLOCKQUOTE
></DIV
><P
>A domain and a workgroup are exactly the same thing in terms of network
browsing.  The difference is that a distributable authentication
database is associated with a domain, for secure login access to a
network.  Also, different access rights can be granted to users if they
successfully authenticate against a domain logon server (NT server and 
other systems based on NT server support this, as does at least Samba TNG now).</P
><P
>The SMB client logging on to a domain has an expectation that every other
server in the domain should accept the same authentication information.
Network browsing functionality of domains and workgroups is
identical and is explained in BROWSING.txt. It should be noted, that browsing
is total orthogonal to logon support.</P
><P
>Issues related to the single-logon network model are discussed in this
document.  Samba supports domain logons, network logon scripts, and user
profiles for MS Windows for workgroups and MS Windows 9X clients.</P
><P
>When an SMB client in a domain wishes to logon it broadcast requests for a
logon server.  The first one to reply gets the job, and validates its
password using whatever mechanism the Samba administrator has installed.
It is possible (but very stupid) to create a domain where the user
database is not shared between servers, ie they are effectively workgroup
servers advertising themselves as participating in a domain.  This
demonstrates how authentication is quite different from but closely
involved with domains.</P
><P
>Another thing commonly associated with single-logon domains is remote
administration over the SMB protocol.  Again, there is no reason why this
cannot be implemented with an underlying username database which is
different from the Windows NT SAM.  Support for the Remote Administration
Protocol is planned for a future release of Samba.</P
><P
>Network logon support as discussed in this section is aimed at Window for
Workgroups, and Windows 9X clients. </P
><P
>Support for profiles is confirmed as working for Win95, NT 4.0 and NT 3.51.
It is possible to specify: the profile location; script file to be loaded
on login; the user's home directory; and for NT a kick-off time could also
now easily be supported. However, there are some differences between Win9X
profile support and WinNT profile support. These are discussed below.</P
><P
>With NT Workstations, all this does not require the use or intervention of
an NT 4.0 or NT 3.51 server: Samba can now replace the logon services
provided by an NT server, to a limited and experimental degree (for example,
running "User Manager for Domains" will not provide you with access to
a domain created by a Samba Server).</P
><P
>With Win95, the help of an NT server can be enlisted, both for profile storage
and for user authentication.  For details on user authentication, see
security_level.txt.  For details on profile storage, see below.</P
><P
>Using these features you can make your clients verify their logon via
the Samba server; make clients run a batch file when they logon to
the network and download their preferences, desktop and start menu.</P
><P
>Before launching into the configuration instructions, it is worthwhile looking
at how a Win9X client performs a logon:</P
><P
></P
><OL
TYPE="1"
><LI
><P
>	The client broadcasts (to the IP broadcast address of the subnet it is in)
	a NetLogon request. This is sent to the NetBIOS address DOMAIN&#60;00&#62; at the
	NetBIOS layer.  The client chooses the first response it receives, which
	contains the NetBIOS name of the logon server to use in the format of 
	\\SERVER.
	</P
></LI
><LI
><P
>	The client then connects to that server, logs on (does an SMBsessetupX) and
	then connects to the IPC$ share (using an SMBtconX).
	</P
></LI
><LI
><P
>	The client then does a NetWkstaUserLogon request, which retrieves the name
	of the user's logon script. 
	</P
></LI
><LI
><P
>	The client then connects to the NetLogon share and searches for this 	
	and if it is found and can be read, is retrieved and executed by the client.
	After this, the client disconnects from the NetLogon share.
	</P
></LI
><LI
><P
>	The client then sends a NetUserGetInfo request to the server, to retrieve
	the user's home share, which is used to search for profiles. Since the
	response to the NetUserGetInfo request does not contain much more 	
	the user's home share, profiles for Win9X clients MUST reside in the user
	home directory.
	</P
></LI
><LI
><P
>	The client then connects to the user's home share and searches for the 
	user's profile. As it turns out, you can specify the users home share as
	a sharename and path. For example, \\server\fred\.profile.
	If the profiles are found, they are implemented.
	</P
></LI
><LI
><P
>	The client then disconnects from the user's home share, and reconnects to
	the NetLogon share and looks for CONFIG.POL, the policies file. If this is
	found, it is read and implemented.
	</P
></LI
></OL
><DIV
CLASS="SECT2"
><HR><H2
CLASS="SECT2"
><A
NAME="AEN381"
>Configuration Instructions:	Network Logons</A
></H2
><P
>To use domain logons and profiles you need to do the following:</P
><P
></P
><OL
TYPE="1"
><LI
><P
>	Create a share called [netlogon] in your smb.conf. This share should
	be readable by all users, and probably should not be writeable. This
	share will hold your network logon scripts, and the CONFIG.POL file
	(Note: for details on the CONFIG.POL file, how to use it, what it is,
	refer to the Microsoft Windows NT Administration documentation.
	The format of these files is not known, so you will need to use
	Microsoft tools).
	</P
><P
>	For example I have used:
	</P
><P
><PRE
CLASS="PROGRAMLISTING"
>[netlogon]
     path = /data/dos/netlogon
     writeable = no
     guest ok = no</PRE
></P
><P
>	Note that it is important that this share is not writeable by ordinary
	users, in a secure environment: ordinary users should not be allowed
	to modify or add files that another user's computer would then download
	when they log in.
	</P
></LI
><LI
><P
>	in the [global] section of smb.conf set the following:
	</P
><P
><PRE
CLASS="PROGRAMLISTING"
>domain logons = yes
logon script = %U.bat
	</PRE
></P
><P
>	The choice of batch file is, of course, up to you. The above would
	give each user a separate batch file as the %U will be changed to
	their username automatically. The other standard % macros may also be
	used. You can make the batch files come from a subdirectory by using
	something like:
	</P
><P
><PRE
CLASS="PROGRAMLISTING"
>logon script = scripts\%U.bat
	</PRE
></P
></LI
><LI
><P
>	create the batch files to be run when the user logs in. If the batch
	file doesn't exist then no batch file will be run. 
	</P
><P
>	In the batch files you need to be careful to use DOS style cr/lf line
	endings. If you don't then DOS may get confused. I suggest you use a
	DOS editor to remotely edit the files if you don't know how to produce
	DOS style files under unix.
	</P
></LI
><LI
><P
>	Use smbclient with the -U option for some users to make sure that
	the \\server\NETLOGON share is available, the batch files are
	visible and they are readable by the users.
	</P
></LI
><LI
><P
>	you will probabaly find that your clients automatically mount the
	\\SERVER\NETLOGON share as drive z: while logging in. You can put
	some useful programs there to execute from the batch files.
	</P
></LI
></OL
><DIV
CLASS="WARNING"
><P
></P
><TABLE
CLASS="WARNING"
BORDER="1"
WIDTH="100%"
><TR
><TD
ALIGN="CENTER"
><B
>security mode and master browsers</B
></TD
></TR
><TR
><TD
ALIGN="LEFT"
><P
>There are a few comments to make in order to tie up some 
loose ends.  There has been much debate over the issue of whether
or not it is ok to configure Samba as a Domain Controller in security
modes other than <TT
CLASS="CONSTANT"
>USER</TT
>.  The only security mode 
which  will not work due to technical reasons is <TT
CLASS="CONSTANT"
>SHARE</TT
>
mode security.  <TT
CLASS="CONSTANT"
>DOMAIN</TT
> and <TT
CLASS="CONSTANT"
>SERVER</TT
>
mode security is really just a variation on SMB user level security.</P
><P
>Actually, this issue is also closer tied to the debate on whether 
or not Samba must be the domain master browser for its workgroup
when operating as a DC.  While it may technically be possible
to configure a server as such (after all, browsing and domain logons
are two distinctly different functions), it is not a good idea to
so.  You should remember that the DC must register the DOMAIN#1b netbios 
name.  This is the name used by Windows clients to locate the DC.
Windows clients do not distinguish between the DC and the DMB.
For this reason, it is very wise to configure the Samba DC as the DMB.</P
><P
>Now back to the issue of configuring a Samba DC to use a mode other
than "security = user".  If a Samba host is configured to use 
another SMB server or DC in order to validate user connection 
requests, then it is a fact that some other machine on the network 
(the "password server") knows more about user than the Samba host.
99% of the time, this other host is a domain controller.  Now 
in order to operate in domain mode security, the "workgroup" parameter
must be set to the name of the Windows NT domain (which already 
has a domain controller, right?)</P
><P
>Therefore configuring a Samba box as a DC for a domain that 
already by definition has a PDC is asking for trouble.
Therefore, you should always configure the Samba DC to be the DMB
for its domain.</P
></TD
></TR
></TABLE
></DIV
></DIV
><DIV
CLASS="SECT2"
><HR><H2
CLASS="SECT2"
><A
NAME="AEN415"
>Configuration Instructions:	Setting up Roaming User Profiles</A
></H2
><DIV
CLASS="WARNING"
><P
></P
><TABLE
CLASS="WARNING"
BORDER="1"
WIDTH="100%"
><TR
><TD
ALIGN="CENTER"
><B
>Warning</B
></TD
></TR
><TR
><TD
ALIGN="LEFT"
><P
><I
CLASS="EMPHASIS"
>NOTE!</I
> Roaming profiles support is different 
for Win9X and WinNT.</P
></TD
></TR
></TABLE
></DIV
><P
>Before discussing how to configure roaming profiles, it is useful to see how
Win9X and WinNT clients implement these features.</P
><P
>Win9X clients send a NetUserGetInfo request to the server to get the user's
profiles location. However, the response does not have room for a separate 
profiles location field, only the users home share. This means that Win9X 
profiles are restricted to being in the user's home directory.</P
><P
>WinNT clients send a NetSAMLogon RPC request, which contains many fields, 
including a separate field for the location of the user's profiles. 
This means that support for profiles is different for Win9X and WinNT.</P
><DIV
CLASS="SECT3"
><HR><H3
CLASS="SECT3"
><A
NAME="AEN423"
>Windows NT Configuration</A
></H3
><P
>To support WinNT clients, inn the [global] section of smb.conf set the
following (for example):</P
><P
><PRE
CLASS="PROGRAMLISTING"
>logon path = \\profileserver\profileshare\profilepath\%U\moreprofilepath</PRE
></P
><P
>The default for this option is \\%N\%U\profile, namely
\\sambaserver\username\profile.  The \\N%\%U service is created
automatically by the [homes] service.
If you are using a samba server for the profiles, you _must_ make the
share specified in the logon path browseable. </P
><DIV
CLASS="NOTE"
><BLOCKQUOTE
CLASS="NOTE"
><P
><B
>Note: </B
>[lkcl 26aug96 - we have discovered a problem where Windows clients can
maintain a connection to the [homes] share in between logins.  The
[homes] share must NOT therefore be used in a profile path.]</P
></BLOCKQUOTE
></DIV
></DIV
><DIV
CLASS="SECT3"
><HR><H3
CLASS="SECT3"
><A
NAME="AEN431"
>Windows 9X Configuration</A
></H3
><P
>To support Win9X clients, you must use the "logon home" parameter. Samba has
now been fixed so that "net use/home" now works as well, and it, too, relies
on the "logon home" parameter.</P
><P
>By using the logon home parameter, you are restricted to putting Win9X 
profiles in the user's home directory.   But wait! There is a trick you 
can use. If you set the following in the [global] section of your 
smb.conf file:</P
><P
><PRE
CLASS="PROGRAMLISTING"
>logon home = \\%L\%U\.profiles</PRE
></P
><P
>then your Win9X clients will dutifully put their clients in a subdirectory
of your home directory called .profiles (thus making them hidden).</P
><P
>Not only that, but 'net use/home' will also work, because of a feature in 
Win9X. It removes any directory stuff off the end of the home directory area
and only uses the server and share portion. That is, it looks like you
specified \\%L\%U for "logon home".</P
></DIV
><DIV
CLASS="SECT3"
><HR><H3
CLASS="SECT3"
><A
NAME="AEN439"
>Win9X and WinNT Configuration</A
></H3
><P
>You can support profiles for both Win9X and WinNT clients by setting both the
"logon home" and "logon path" parameters. For example:</P
><P
><PRE
CLASS="PROGRAMLISTING"
>logon home = \\%L\%U\.profiles
logon path = \\%L\profiles\%U</PRE
></P
><DIV
CLASS="NOTE"
><BLOCKQUOTE
CLASS="NOTE"
><P
><B
>Note: </B
>I have not checked what 'net use /home' does on NT when "logon home" is
set as above.</P
></BLOCKQUOTE
></DIV
></DIV
><DIV
CLASS="SECT3"
><HR><H3
CLASS="SECT3"
><A
NAME="AEN446"
>Windows 9X Profile Setup</A
></H3
><P
>When a user first logs in on Windows 9X, the file user.DAT is created,
as are folders "Start Menu", "Desktop", "Programs" and "Nethood".  
These directories and their contents will be merged with the local
versions stored in c:\windows\profiles\username on subsequent logins,
taking the most recent from each.  You will need to use the [global]
options "preserve case = yes", "short case preserve = yes" and
"case sensitive = no" in order to maintain capital letters in shortcuts
in any of the profile folders.</P
><P
>The user.DAT file contains all the user's preferences.  If you wish to
enforce a set of preferences, rename their user.DAT file to user.MAN,
and deny them write access to this file.</P
><P
></P
><OL
TYPE="1"
><LI
><P
>	On the Windows 95 machine, go to Control Panel | Passwords and
	select the User Profiles tab.  Select the required level of
	roaming preferences.  Press OK, but do _not_ allow the computer
	to reboot.
	</P
></LI
><LI
><P
>	On the Windows 95 machine, go to Control Panel | Network |
	Client for Microsoft Networks | Preferences.  Select 'Log on to
	NT Domain'.  Then, ensure that the Primary Logon is 'Client for
	Microsoft Networks'.  Press OK, and this time allow the computer
	to reboot.
	</P
></LI
></OL
><P
>Under Windows 95, Profiles are downloaded from the Primary Logon.
If you have the Primary Logon as 'Client for Novell Networks', then
the profiles and logon script will be downloaded from your Novell
Server.  If you have the Primary Logon as 'Windows Logon', then the
profiles will be loaded from the local machine - a bit against the
concept of roaming profiles, if you ask me.</P
><P
>You will now find that the Microsoft Networks Login box contains
[user, password, domain] instead of just [user, password].  Type in
the samba server's domain name (or any other domain known to exist,
but bear in mind that the user will be authenticated against this
domain and profiles downloaded from it, if that domain logon server
supports it), user name and user's password.</P
><P
>Once the user has been successfully validated, the Windows 95 machine
will inform you that 'The user has not logged on before' and asks you
if you wish to save the user's preferences?  Select 'yes'.</P
><P
>Once the Windows 95 client comes up with the desktop, you should be able
to examine the contents of the directory specified in the "logon path"
on the samba server and verify that the "Desktop", "Start Menu",
"Programs" and "Nethood" folders have been created.</P
><P
>These folders will be cached locally on the client, and updated when
the user logs off (if you haven't made them read-only by then :-).
You will find that if the user creates further folders or short-cuts,
that the client will merge the profile contents downloaded with the
contents of the profile directory already on the local client, taking
the newest folders and short-cuts from each set.</P
><P
>If you have made the folders / files read-only on the samba server,
then you will get errors from the w95 machine on logon and logout, as
it attempts to merge the local and the remote profile.  Basically, if
you have any errors reported by the w95 machine, check the unix file
permissions and ownership rights on the profile directory contents,
on the samba server.</P
><P
>If you have problems creating user profiles, you can reset the user's
local desktop cache, as shown below.  When this user then next logs in,
they will be told that they are logging in "for the first time".</P
><P
></P
><OL
TYPE="1"
><LI
><P
>	instead of logging in under the [user, password, domain] dialog,
	press escape.
	</P
></LI
><LI
><P
>	run the regedit.exe program, and look in:
	</P
><P
>	HKEY_LOCAL_MACHINE\Windows\CurrentVersion\ProfileList
	</P
><P
>	you will find an entry, for each user, of ProfilePath.  Note the
	contents of this key (likely to be c:\windows\profiles\username),
	then delete the key ProfilePath for the required user.
	</P
><P
>	[Exit the registry editor].
	</P
></LI
><LI
><P
>	<I
CLASS="EMPHASIS"
>WARNING</I
> - before deleting the contents of the 
	directory listed in
   the ProfilePath (this is likely to be c:\windows\profiles\username),
   ask them if they have any important files stored on their desktop
   or in their start menu.  delete the contents of the directory
   ProfilePath (making a backup if any of the files are needed).
	</P
><P
>   This will have the effect of removing the local (read-only hidden
   system file) user.DAT in their profile directory, as well as the
   local "desktop", "nethood", "start menu" and "programs" folders.
	</P
></LI
><LI
><P
>	search for the user's .PWL password-cacheing file in the c:\windows
	directory, and delete it.
	</P
></LI
><LI
><P
>	log off the windows 95 client.
	</P
></LI
><LI
><P
>	check the contents of the profile path (see "logon path" described
	above), and delete the user.DAT or user.MAN file for the user,
	making a backup if required.  
	</P
></LI
></OL
><P
>If all else fails, increase samba's debug log levels to between 3 and 10,
and / or run a packet trace program such as tcpdump or netmon.exe, and
look for any error reports.</P
><P
>If you have access to an NT server, then first set up roaming profiles
and / or netlogons on the NT server.  Make a packet trace, or examine
the example packet traces provided with NT server, and see what the
differences are with the equivalent samba trace.</P
></DIV
><DIV
CLASS="SECT3"
><HR><H3
CLASS="SECT3"
><A
NAME="AEN482"
>Windows NT Workstation 4.0</A
></H3
><P
>When a user first logs in to a Windows NT Workstation, the profile
NTuser.DAT is created.  The profile location can be now specified
through the "logon path" parameter.  </P
><DIV
CLASS="NOTE"
><BLOCKQUOTE
CLASS="NOTE"
><P
><B
>Note: </B
>[lkcl 10aug97 - i tried setting the path to
\\samba-server\homes\profile, and discovered that this fails because
a background process maintains the connection to the [homes] share
which does _not_ close down in between user logins.  you have to
have \\samba-server\%L\profile, where user is the username created
from the [homes] share].</P
></BLOCKQUOTE
></DIV
><P
>There is a parameter that is now available for use with NT Profiles:
"logon drive".  This should be set to "h:" or any other drive, and
should be used in conjunction with the new "logon home" parameter.</P
><P
>The entry for the NT 4.0 profile is a _directory_ not a file.  The NT
help on profiles mentions that a directory is also created with a .PDS
extension.  The user, while logging in, must have write permission to
create the full profile path (and the folder with the .PDS extension)
[lkcl 10aug97 - i found that the creation of the .PDS directory failed,
and had to create these manually for each user, with a shell script.
also, i presume, but have not tested, that the full profile path must
be browseable just as it is for w95, due to the manner in which they
attempt to create the full profile path: test existence of each path
component; create path component].</P
><P
>In the profile directory, NT creates more folders than 95.  It creates
"Application Data" and others, as well as "Desktop", "Nethood",
"Start Menu" and "Programs".  The profile itself is stored in a file
NTuser.DAT.  Nothing appears to be stored in the .PDS directory, and
its purpose is currently unknown.</P
><P
>You can use the System Control Panel to copy a local profile onto
a samba server (see NT Help on profiles: it is also capable of firing
up the correct location in the System Control Panel for you).  The
NT Help file also mentions that renaming NTuser.DAT to NTuser.MAN
turns a profile into a mandatory one.</P
><DIV
CLASS="NOTE"
><BLOCKQUOTE
CLASS="NOTE"
><P
><B
>Note: </B
>[lkcl 10aug97 - i notice that NT Workstation tells me that it is
downloading a profile from a slow link.  whether this is actually the
case, or whether there is some configuration issue, as yet unknown,
that makes NT Workstation _think_ that the link is a slow one is a
matter to be resolved].</P
><P
>[lkcl 20aug97 - after samba digest correspondance, one user found, and
another confirmed, that profiles cannot be loaded from a samba server
unless "security = user" and "encrypt passwords = yes" (see the file
ENCRYPTION.txt) or "security = server" and "password server = ip.address.
of.yourNTserver" are used.  either of these options will allow the NT
workstation to access the samba server using LAN manager encrypted
passwords, without the user intervention normally required by NT
workstation for clear-text passwords].</P
><P
>[lkcl 25aug97 - more comments received about NT profiles: the case of
the profile _matters_.  the file _must_ be called NTuser.DAT or, for
a mandatory profile, NTuser.MAN].</P
></BLOCKQUOTE
></DIV
></DIV
><DIV
CLASS="SECT3"
><HR><H3
CLASS="SECT3"
><A
NAME="AEN495"
>Windows NT Server</A
></H3
><P
>There is nothing to stop you specifying any path that you like for the
location of users' profiles.  Therefore, you could specify that the
profile be stored on a samba server, or any other SMB server, as long as
that SMB server supports encrypted passwords.</P
></DIV
><DIV
CLASS="SECT3"
><HR><H3
CLASS="SECT3"
><A
NAME="AEN498"
>Sharing Profiles between W95 and NT Workstation 4.0</A
></H3
><DIV
CLASS="WARNING"
><P
></P
><TABLE
CLASS="WARNING"
BORDER="1"
WIDTH="100%"
><TR
><TD
ALIGN="CENTER"
><B
>Potentially outdated or incorrect material follows</B
></TD
></TR
><TR
><TD
ALIGN="LEFT"
><P
>I think this is all bogus, but have not deleted it. (Richard Sharpe)</P
></TD
></TR
></TABLE
></DIV
><P
>The default logon path is \\%N\U%.  NT Workstation will attempt to create
a directory "\\samba-server\username.PDS" if you specify the logon path
as "\\samba-server\username" with the NT User Manager.  Therefore, you
will need to specify (for example) "\\samba-server\username\profile".
NT 4.0 will attempt to create "\\samba-server\username\profile.PDS", which
is more likely to succeed.</P
><P
>If you then want to share the same Start Menu / Desktop with W95, you will
need to specify "logon path = \\samba-server\username\profile" [lkcl 10aug97
this has its drawbacks: i created a shortcut to telnet.exe, which attempts
to run from the c:\winnt\system32 directory.  this directory is obviously
unlikely to exist on a Win95-only host].</P
><P
>&#13;If you have this set up correctly, you will find separate user.DAT and
NTuser.DAT files in the same profile directory.</P
><DIV
CLASS="NOTE"
><BLOCKQUOTE
CLASS="NOTE"
><P
><B
>Note: </B
>[lkcl 25aug97 - there are some issues to resolve with downloading of
NT profiles, probably to do with time/date stamps.  i have found that
NTuser.DAT is never updated on the workstation after the first time that
it is copied to the local workstation profile directory.  this is in
contrast to w95, where it _does_ transfer / update profiles correctly].</P
></BLOCKQUOTE
></DIV
></DIV
></DIV
></DIV
><DIV
CLASS="SECT1"
><HR><H1
CLASS="SECT1"
><A
NAME="AEN508"
>DOMAIN_CONTROL.txt : Windows NT Domain Control &#38; Samba</A
></H1
><DIV
CLASS="WARNING"
><P
></P
><TABLE
CLASS="WARNING"
BORDER="1"
WIDTH="100%"
><TR
><TD
ALIGN="CENTER"
><B
>Possibly Outdated Material</B
></TD
></TR
><TR
><TD
ALIGN="LEFT"
><P
>	This appendix was originally authored by John H Terpstra of 
	the Samba Team and is included here for posterity.
	</P
></TD
></TR
></TABLE
></DIV
><P
><I
CLASS="EMPHASIS"
>NOTE :</I
> 
The term "Domain Controller" and those related to it refer to one specific
method of authentication that can underly an SMB domain. Domain Controllers
prior to Windows NT Server 3.1 were sold by various companies and based on 
private extensions to the LAN Manager 2.1 protocol. Windows NT introduced
Microsoft-specific ways of distributing the user authentication database.
See DOMAIN.txt for examples of how Samba can participate in or create
SMB domains based on shared authentication database schemes other than the 
Windows NT SAM.</P
><P
>Windows NT Server can be installed as either a plain file and print server
(WORKGROUP workstation or server) or as a server that participates in Domain
Control (DOMAIN member, Primary Domain controller or Backup Domain controller).
The same is true for OS/2 Warp Server, Digital Pathworks and other similar
products, all of which can participate in Domain Control along with Windows NT.</P
><P
>To many people these terms can be confusing, so let's try to clear the air.</P
><P
>Every Windows NT system (workstation or server) has a registry database.
The registry contains entries that describe the initialization information
for all services (the equivalent of Unix Daemons) that run within the Windows
NT environment. The registry also contains entries that tell application
software where to find dynamically loadable libraries that they depend upon.
In fact, the registry contains entries that describes everything that anything
may need to know to interact with the rest of the system.</P
><P
>The registry files can be located on any Windows NT machine by opening a
command prompt and typing:</P
><P
><TT
CLASS="PROMPT"
>C:\WINNT\&#62;</TT
> dir %SystemRoot%\System32\config</P
><P
>The environment variable %SystemRoot% value can be obtained by typing:</P
><P
><TT
CLASS="PROMPT"
>C:\WINNT&#62;</TT
>echo %SystemRoot%</P
><P
>The active parts of the registry that you may want to be familiar with are
the files called: default, system, software, sam and security.</P
><P
>In a domain environment, Microsoft Windows NT domain controllers participate
in replication of the SAM and SECURITY files so that all controllers within
the domain have an exactly identical copy of each.</P
><P
>The Microsoft Windows NT system is structured within a security model that
says that all applications and services must authenticate themselves before
they can obtain permission from the security manager to do what they set out
to do.</P
><P
>The Windows NT User database also resides within the registry. This part of
the registry contains the user's security identifier, home directory, group
memberships, desktop profile, and so on.</P
><P
>Every Windows NT system (workstation as well as server) will have its own
registry. Windows NT Servers that participate in Domain Security control
have a database that they share in common - thus they do NOT own an
independent full registry database of their own, as do Workstations and
plain Servers.</P
><P
>The User database is called the SAM (Security Access Manager) database and
is used for all user authentication as well as for authentication of inter-
process authentication (ie: to ensure that the service action a user has
requested is permitted within the limits of that user's privileges).</P
><P
>The Samba team have produced a utility that can dump the Windows NT SAM into 
smbpasswd format: see ENCRYPTION.txt for information on smbpasswd and
/pub/samba/pwdump on your nearest Samba mirror for the utility. This 
facility is useful but cannot be easily used to implement SAM replication
to Samba systems.</P
><P
>Windows for Workgroups, Windows 95, and Windows NT Workstations and Servers
can participate in a Domain security system that is controlled by Windows NT
servers that have been correctly configured. At most every domain will have
ONE Primary Domain Controller (PDC). It is desirable that each domain will
have at least one Backup Domain Controller (BDC).</P
><P
>The PDC and BDCs then participate in replication of the SAM database so that
each Domain Controlling participant will have an up to date SAM component
within its registry.</P
></DIV
></DIV
></BODY
></HTML
>