summaryrefslogtreecommitdiff
path: root/docs/textdocs/NTDOMAIN.txt
blob: 1439b9dd9e4f8e9261b2a51f16289ed9cbcd1d54 (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
!==
!== NTDOMAIN.txt for Samba release 2.0.0-alpha1 31 Aug 1998
!==
Contributor:	Luke Kenneth Casson Leighton (samba-bugs@samba.anu.edu.au)
		Copyright (C) 1997 Luke Kenneth Casson Leighton
Created:	October 20, 1997
Updated:	October 29, 1997

Subject:	NT Domain Logons
===========================================================================

As of 1.9.18alpha1, Samba supports logins for NT 3.51 and 4.0 Workstations,
without the need, use or intervention of NT Server.  This document describes
how to set this up.  Over the continued development of the 1.9.18alpha
series, this process (and therefore this document) should become simpler.

One useful thing to do is to get this version of Samba up and running
with Win95 profiles, as you would for the current stable version of
Samba (currently at 1.9.17p4), and is fully documented.  You will need
to set up encrypted passwords.  Even if you don't have any Win95 machines,
using your Samba Server to store the profile for one of your NT Workstation
users is a good test that you have 1.9.18alpha1 correctly configured *prior*
to attempting NT Domain Logons.

The support is still experimental, so should be used at your own risk.

NT is not as robust as you might have been led to believe: during the
development of the Domain Logon Support, one person reported having to
reinstall NT from scratch: their workstation had become totally unuseable.

[further reports on ntsec@iss.net by independent administrators showing
 similar symptoms lead us to believe that the SAM database file may be
 corruptible.  this _is_ recoverable (or, at least the machine is accessible),
 by deleting the SAM file, under which circumstances all user account details
 are lost, but at least the Administrator can log in with a blank password.
 this is *not* possible except if the NT system is installed in a FAT
 partition.]

This *has* been reported to the NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM digest.


Domain Logons using latest cvs source
=====================================

1) compile samba with -DNTDOMAIN

2) set up samba with encrypted passwords: see ENCRYPTION.txt (probably out
   of date: you no longer need the DES libraries, but other than that,
   ENCRYPTION.txt is current).

   at this point, you ought to test that your samba server is accessible
   correctly with encrypted passwords, before progressing with any of the
   NT workstation-specific bits: it's up to you.

3) [ for each workstation, add a line to smbpasswd with a username of MACHINE$
     and a password of "machine".  this process will be automated in further
     releases.  lkcl02nov97 - done, as of 1.9.18alpha11!  added new options
     "domain hosts allow/deny" too :-) ]

4) if using NT server to log in, run the User Manager for Domains, and
   add the capability to "Log in Locally" to the policies, which you would
   have to do even if you were logging in to another NT PDC instead of a
   Samba PDC.

5) set up the following parameters in smb.conf

;	substitute your workgroup here
	workgroup = SAMBA

;	DO NOT add the redundant "domain sid = " parameter as this has
;	been superseded by code that automatically generates a random
;	sid for you.
;	domain sid = redundant.

;	tells workstations to use SAMBA as its Primary Domain Controller.
	domain logons = yes

6) make sure samba is running before the next step is carried out.  if
   this is your first time, just for fun you might like to switch the
   debug log level to about 10.  the NT pipes produces some very pretty
   output when decoding requests and generating responses, which would
   be particularly useful to see in tcpdump at some point.

7) In the NT Network Settings, change the domain to SAMBA.  Do
   not attempt to create an account using the other part of the dialog:
   it will fail at present.

   You should get a wonderful message saying "Welcome to the SAMBA Domain."

   If you don't, then please first increase your debug log levels and also
   get a tcpdump (or preferably NetMonitor) trace and examine it carefully.
   You should see a NETLOGON, a SAMLOGON on UDP port 138.  If you don't,
   then you probably don't have "domain logons = yes" or there is some other
   problem in resolving the NetBIOS name SAMBA<1c>.

   On port 139, you should see a LSA_OPEN_POLICY, two LSA_QUERY_INFOs (one
   for a domain SID of S-1-3... and another for S-1-5) and then an LSA_CLOSE
   or two.  

   You may see a pipe connection to a wksta service being refused: this
   is acceptable, we have found.  You may also see a "Net Server Get Info"
   being issued on the srvsvc pipe.

   Assuming you got the Welcome message, go through the obligatory reboot...

8) When pressing Ctrl-Alt-Delete, the NT login box should have three entries.
   If there is a delay of about twenty seconds between pressing Ctrl-Alt-Delete
   and the appearance of this login dialog, then there might be a problem:
   at this stage the workstation is issuing an LSA_ENUMTRUSTEDDOMAIN request

   The domain box should have two entries: the hostname and the SAMBA domain.
   Any local accounts are under the hostname domain, from which you will be
   able to shut down the machine etc.  At present, we do not specify that
   the NT user logging in is a member of any groups, so will have no
   priveleges, including the ability to shut down the machine [lkcl02nov97 -
   done, as of samba-1.9.18alpha3!  see "domain admin/guest users" and
   "domain groups" parameters].
   
   Select the SAMBA domain, and type in a valid username and password for
   which there is a valid entry in the samba server's smbpasswd LM/NT OWF
   database.  At present, the password is ignored, to allow access to the
   domain, but *not* ignored for accesses to Samba's SMB services: that's
   completely separate from the SAM Logon process.  Even if you log in a
   user to a domain, your users will still need to connect to Samba SMB
   shares with valid username / passwords, for that share.

   You should see an LSA_REQ_CHAL, followed by LSA_AUTH2, LSA_NET_SRV_PWSET,
   and LSA_SAM_LOGON.  The SAM Logon will be particularly large (the response
   can be approximately 600 bytes) as it contains user info.

   Also, there will probably be a "Net Server Get Info" and a "Net Share Enum"
   amongst this lot.  If the SAM Logon is successful, the dialog should
   disappear, and a standard SMB connection established to download the
   profile specified in the SAM Logon (if it was).

   At this point, you _may_ encounter difficulties in creating a remote
   profile, and the login may terminate (generating an LSA_SAM_LOGOFF).  If
   this occurs, then either find an existing profile on the samba server and
   copy it into the location specified by the "logon path" smb.conf parameter
   for the user logging in, or log in on the local machine, and use the
   System | Profiles control panel to make a copy of the _local_ profile onto
   the samba server.  This process is described and documented in the NT
   Help Files.

9) Play around.  Look at the Samba Server: see if it can be found in the
   browse lists.  Check that it is accessible; run some applications.
   Generally stress things.  Laugh a lot.  Logout of the NT machine
   (generating an LSA_SAM_LOGOFF) and log back in again.  Try logging in
   two users simultaneously.  Try logging the same user in twice.
   Make Samba fall over, and then send bug reports to us, with NTDOM: at
   the start of the subject line, as "samba-bugs@samba.anu.edu.au".

Your reports, testing, patches, criticism and encouragement will help us
get this right.