1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
|
!==
!== NTDOMAIN.txt for Samba release 1.9.18 08 Jan 1998
!==
Contributor: Luke Kenneth Casson Leighton (samba-bugs@samba.anu.edu.au)
Copyright (C) 1997 Luke Kenneth Casson Leighton
Created: October 20, 1997
Updated: October 29, 1997
Subject: NT Domain Logons
===========================================================================
As of 1.9.18alpha1, Samba supports logins for NT 3.51 and 4.0 Workstations,
without the need, use or intervention of NT Server. This document describes
how to set this up. Over the continued development of the 1.9.18alpha
series, this process (and therefore this document) should become simpler.
One useful thing to do is to get this version of Samba up and running
with Win95 profiles, as you would for the current stable version of
Samba (currently at 1.9.17p4), and is fully documented. You will need
to set up encrypted passwords. Even if you don't have any Win95 machines,
using your Samba Server to store the profile for one of your NT Workstation
users is a good test that you have 1.9.18alpha1 correctly configured *prior*
to attempting NT Domain Logons.
The support is still experimental, so should be used at your own risk.
NT is not as robust as you might have been led to believe: during the
development of the Domain Logon Support, one person reported having to
reinstall NT from scratch: their workstation had become totally unuseable.
[further reports on ntsec@iss.net by independent administrators showing
similar symptoms lead us to believe that the SAM database file may be
corruptible. this _is_ recoverable (or, at least the machine is accessible),
by deleting the SAM file, under which circumstances all user account details
are lost, but at least the Administrator can log in with a blank password.
this is *not* possible except if the NT system is installed in a FAT
partition.]
This *has* been reported to the NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM digest.
Domain Logons using 1.9.18alpha1
================================
1) compile samba with -DNTDOMAIN
2) set up samba with encrypted passwords: see ENCRYPTION.txt (probably out
of date: you no longer need the DES libraries, but other than that,
ENCRYPTION.txt is current).
at this point, you ought to test that your samba server is accessible
correctly with encrypted passwords, before progressing with any of the
NT workstation-specific bits: it's up to you.
3) [ for each workstation, add a line to smbpasswd with a username of MACHINE$
and a password of "machine". this process will be automated in further
releases. lkcl02nov97 - done, as of 1.9.18alpha11! added new options
"domain hosts allow/deny" too :-) ]
4) if using NT server to log in, run the User Manager for Domains, and
add the capability to "Log in Locally" to the policies, which you would
have to do even if you were logging in to another NT PDC instead of a
Samba PDC.
5) set up the following parameters in smb.conf
; substitute your workgroup here
workgroup = SAMBA
; a description of domain sids can be found elsewhere.
; you **MUST** begin the domain SID with S-1-5-21.
; the rest is up to you.
domain sid = S-1-5-21-123-456-789-123
; tells workstations to use SAMBA as its Primary Domain Controller.
domain logons = yes
6) make sure samba is running before the next step is carried out. if
this is your first time, just for fun you might like to switch the
debug log level to about 10. the NT pipes produces some very pretty
output when decoding requests and generating responses, which would
be particularly useful to see in tcpdump at some point.
7) In the NT Network Settings, change the domain to SAMBA. Do
not attempt to create an account using the other part of the dialog:
it will fail at present.
You should get a wonderful message saying "Welcome to the SAMBA Domain."
If you don't, then please first increase your debug log levels and also
get a tcpdump (or preferably NetMonitor) trace and examine it carefully.
You should see a NETLOGON, a SAMLOGON on UDP port 138. If you don't,
then you probably don't have "domain logons = yes" or there is some other
problem in resolving the NetBIOS name SAMBA<1c>.
On port 139, you should see a LSA_OPEN_POLICY, two LSA_QUERY_INFOs (one
for a domain SID of S-1-3... and another for S-1-5) and then an LSA_CLOSE
or two.
You may see a pipe connection to a wksta service being refused: this
is acceptable, we have found. You may also see a "Net Server Get Info"
being issued on the srvsvc pipe.
Assuming you got the Welcome message, go through the obligatory reboot...
8) When pressing Ctrl-Alt-Delete, the NT login box should have three entries.
If there is a delay of about twenty seconds between pressing Ctrl-Alt-Delete
and the appearance of this login dialog, then there might be a problem:
at this stage the workstation is issuing an LSA_ENUMTRUSTEDDOMAIN request
The domain box should have two entries: the hostname and the SAMBA domain.
Any local accounts are under the hostname domain, from which you will be
able to shut down the machine etc. At present, we do not specify that
the NT user logging in is a member of any groups, so will have no
priveleges, including the ability to shut down the machine [lkcl02nov97 -
done, as of samba-1.9.18alpha3! see "domain admin/guest users" and
"domain groups" parameters].
Select the SAMBA domain, and type in a valid username and password for
which there is a valid entry in the samba server's smbpasswd LM/NT OWF
database. At present, the password is ignored, to allow access to the
domain, but *not* ignored for accesses to Samba's SMB services: that's
completely separate from the SAM Logon process. Even if you log in a
user to a domain, your users will still need to connect to Samba SMB
shares with valid username / passwords, for that share.
You should see an LSA_REQ_CHAL, followed by LSA_AUTH2, LSA_NET_SRV_PWSET,
and LSA_SAM_LOGON. The SAM Logon will be particularly large (the response
can be approximately 600 bytes) as it contains user info.
Also, there will probably be a "Net Server Get Info" and a "Net Share Enum"
amongst this lot. If the SAM Logon is successful, the dialog should
disappear, and a standard SMB connection established to download the
profile specified in the SAM Logon (if it was).
At this point, you _may_ encounter difficulties in creating a remote
profile, and the login may terminate (generating an LSA_SAM_LOGOFF). If
this occurs, then either find an existing profile on the samba server and
copy it into the location specified by the "logon path" smb.conf parameter
for the user logging in, or log in on the local machine, and use the
System | Profiles control panel to make a copy of the _local_ profile onto
the samba server. This process is described and documented in the NT
Help Files.
9) Play around. Look at the Samba Server: see if it can be found in the
browse lists. Check that it is accessible; run some applications.
Generally stress things. Laugh a lot. Logout of the NT machine
(generating an LSA_SAM_LOGOFF) and log back in again. Try logging in
two users simultaneously. Try logging the same user in twice.
Make Samba fall over, and then send bug reports to us, with NTDOM: at
the start of the subject line, as "samba-bugs@samba.anu.edu.au".
Your reports, testing, patches, criticism and encouragement will help us
get this right.
|