summaryrefslogtreecommitdiff
path: root/docs/textdocs/DOMAIN.txt
blob: ba420e61113af6ac1c0116a5b199663b6f13ac4c (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
Samba now supports domain logons, network logon scripts and user profiles.
The support is still experimental, but it seems to work.

The support is also not complete. Samba does not yet support the
sharing of the SAM database with other systems yet, or remote
administration. Support for these kind of things should be added
sometime in the future.

The domain support only works for WfWg and Win95 clients. Support for
NT and OS/2 clients is still being worked on and currently does not
work. 

Using these features you can make your clients verify their logon via
the Samba server, make clients run a batch file when they logon to
the network and download their preferences, desktop and start menu.


To use domain logons and profiles you need to do the following:

1) Setup nmbd and smbd and configure the smb.conf so that Samba is
acting as the master browser. See INSTALL.txt and BROWSING.txt for
details. 

2) create a share called [netlogon] in your smb.conf. This share should
be readable by all users, and probably should not be writeable. This
share will hold your network logon scripts, and the CONFIG.POL file
(Note: for details on the CONFIG.POL file, refer to the Microsoft
Windows NT Administration documentation.  The format of these files
is not known, so you will need to use Microsoft tools.)

For example I have used:

   [netlogon]
    path = /data/dos/netlogon
    writeable = no
    guest ok = yes

Note that it is important that this share is not writeable by ordinary
users, in a secure environment: ordinary users should not be allowed
to modify or add files that another user's computer would then download
when they log in.

3) in the [global] section of smb.conf set the following:

   domain logons = yes
   logon script = %U.bat

the choice of batch file is, of course, up to you. The above would
give each user a separate batch file as the %U will be changed to
their username automatically. The other standard % macros may also be
used. You can make the batch files come from a subdirectory by using
soemthing like:

   logon script = scripts\%U.bat

4) create the batch files to be run when the user logs in. If the batch
file doesn't exist then no batch file will be run. 

In the batch files you need to be careful to use DOS style cr/lf line
endings. If you don't then DOS may get confused. I suggest you use a
DOS editor to remotely edit the files if you don't know how to produce
DOS style files under unix.

5) Use smbclient with the -U option for some users to make sure that
the \\server\NETLOGON share is available, the batch files are visible
and they are readable by the users.

6) you will probabaly find that your clients automatically mount the
\\SERVER\NETLOGON share as drive z: while logging in. You can put some
useful programs there to execute from the batch files.

NOTE: You must be using "security = user" or "security = server" for
domain logons to work correctly. Share level security won't work
correctly.


User Profiles

1) in the [global] section of smb.conf set the following:

  logon path = \\profileserver\profileshare\profilepath\%U

The default for this option is \\%L\%U, namely \\sambaserver\username,
The \\L%\%U services is created automatically by the [homes] service.

If you are using a samba server for the profiles, you _must_ make the
share specified in the logon path browseable.  Windows 95 appears to
check that it can see the share and any subdirectories within that share
specified by the logon path option, rather than just connecting straight
away.  

When a user first logs in on Windows 95, the file user.dat is created,
as are folders "start menu", "desktop", "programs" and "nethood".  
These directories and their contents will be merged with the local
versions stored in c:\windows\profiles\username on subsequent logins,
taking the most recent from each.

The user.dat file contains all the user's preferences.  If you wish to
enforce a set of preferences, rename their user.dat file to user.man,
and deny them write access to the file.

2) On the Windows 95 machine, go to Control Panel | Passwords and
   select the User Profiles tab.  Select the required level of
   roaming preferences.  Press OK, but do _not_ allow the computer
   to reboot.

3) On the Windows 95 machine, go to Control Panel | Network |
   Client for Microsoft Networks | Preferences.  Select 'Log on to
   NT Domain'.  Press OK, and this time allow the computer to reboot.

You will now find that the Microsoft Networks Login box contains
[user, password, domain] instead of just [user, password].  Type in
the samba server's domain name (or any other domain known to exist),
user name and user's password.

Once the user has been successfully validated, the Windows 95 machine
will inform you that 'The user has not logged on before' and asks you
if you wish to save the user's preferences?  Select 'yes'.

Once the Windows 95 client comes up with the desktop, you should be able
to examine the contents of the directory specified in the "logon path"
(the default is \\samba_server\username) and verify that the "desktop",
"start menu", "programs" and "nethood" folders have been created.

These folders will be cached locally on the client, and updated when
the user logs off (if you haven't made them read-only by then :-).


If you have problems creating user profiles, you can reset the user's
local desktop cache, as shown below.  When this user then next logs in,
they will be told that they are logging in "for the first time".


1) instead of logging in under the [user, password, domain] dialog],
   press escape.

2) run the regedit.exe program, and look in:

     HKEY_LOCAL_MACHINE\Windows\CurrentVersion\ProfileList

   you will find an entry, for each user, of ProfilePath.  Note the
   contents of this key (likely to be c:\windows\profiles\username),
   then delete the key ProfilePath for the required user.

   [Exit the registry editor].

3) WARNING - before deleting the contents of the directory listed in
   the ProfilePath (this is likely to be c:\windows\profiles\username),
   ask them if they have any important files stored on their desktop
   or in their start menu.  delete the contents of the directory
   ProfilePath (making a backup if any of the files are needed).

   This will have the effect of removing the local (read-only hidden
   system file) user.dat in their profile directory, as well as the
   local "desktop", "nethood", "start menu" and "programs" folders.

4) search for the user's .PWL password-cacheing file in the c:\windows
   directory, and delete it.

5) log off the windows 95 client.

6) check the contents of the profile path (see "logon path" described
   above), and delete the user.dat or user.man file for the user,
   making a backup if required.


If all else fails, increase samba's debug log levels to between 3 and 10,
and / or run a packet trace program such as tcpdump or netmon.exe, and
look for any error reports.