!==
-!== NTDOMAIN.txt for Samba release 1.9.18alpha10 02 Nov 1997
+!== NTDOMAIN.txt for Samba release 2.0.0-beta1 13 Nov 1998
!==
-Contributor: Luke Kenneth Casson Leighton (samba-bugs@samba.anu.edu.au)
+Contributor: Luke Kenneth Casson Leighton (samba-bugs@samba.org)
Copyright (C) 1997 Luke Kenneth Casson Leighton
Created: October 20, 1997
Updated: October 29, 1997
This *has* been reported to the NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM digest.
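Review bot: The "Updated:" line is left at October 29, 1997 while the header line above it now reads release 2.0.0-beta1, 13 Nov 1998. Bump "Updated:" in the same change so readers can tell the text was revised for this release. The copyright line likewise still covers 1997 only.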
-Domain Logons using 1.9.18alpha1
-================================
+Domain Logons using latest cvs source
+=====================================
-1) compile samba with -DNTDOMAIN
+1) obtain and compile samba: see http://samba.org/cvs.html
2) set up samba with encrypted passwords: see ENCRYPTION.txt (probably out
of date: you no longer need the DES libraries, but other than that,
ENCRYPTION.txt is current).
-3) for each workstation, add a line to smbpasswd with a username of MACHINE$
- and a password of "machine". this process will be automated in further
- releases.
+ at this point, you ought to test that your samba server is accessible
+ correctly with encrypted passwords, before progressing with any of the
+ NT workstation-specific bits: it's up to you.
+
+3) [ for each workstation, add a line to smbpasswd with a username of MACHINE$
+ and a password of "machine". this process will be automated in further
+ releases (but for now use smbpasswd -m machine_name).
4) if using NT server to log in, run the User Manager for Domains, and
- add the capability to "Log in Locally" to the policies.
+ add the capability to "Log in Locally" to the policies, which you would
+ have to do even if you were logging in to another NT PDC instead of a
+ Samba PDC.
5) set up the following parameters in smb.conf
; substitute your workgroup here
workgroup = SAMBA
-; a description of domain sids can be found elsewhere.
-; you **MUST** begin the domain SID with S-1-5-21.
-; the rest is up to you.
- domain sid = S-1-5-21-123-456-789-123
+; DO NOT add the redundant "domain sid = " parameter as this has
+; been superseded by code that automatically generates a random
+; sid for you.
+; domain sid = redundant.
; tells workstations to use SAMBA as its Primary Domain Controller.
domain logons = yes
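Review bot: In the new step 3, the "[" opened before "for each workstation" is never closed in the added lines, and the sentence still says the process "will be automated in further releases" while already pointing at smbpasswd -m machine_name. Close or drop the bracket, and say outright whether the hand-edited smbpasswd line is still needed once smbpasswd -m is used. It would also help to state whether the password "machine" is a literal string or stands for the workstation's name the way MACHINE$ does, since a literal value would give every workstation account the same known password.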
The domain box should have two entries: the hostname and the SAMBA domain.
Any local accounts are under the hostname domain, from which you will be
- able to shut down the machine etc. At present, we do not specify that
- the NT user logging in is a member of any groups, so will have no
- priveleges, including the ability to shut down the machine.
+ able to shut down the machine etc.
Select the SAMBA domain, and type in a valid username and password for
which there is a valid entry in the samba server's smbpasswd LM/NT OWF
- database.
+ database. At present, the password is ignored, to allow access to the
+ domain, but *not* ignored for accesses to Samba's SMB services: that's
+ completely separate from the SAM Logon process. Even if you log in a
+ user to a domain, your users will still need to connect to Samba SMB
+ shares with valid username / passwords, for that share.
You should see an LSA_REQ_CHAL, followed by LSA_AUTH2, LSA_NET_SRV_PWSET,
and LSA_SAM_LOGON. The SAM Logon will be particularly large (the response
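Review bot: The added sentence "At present, the password is ignored, to allow access to the domain" states a significant security limitation in the middle of the login step, where it is easy to miss. Move it into a clearly marked warning near the top of the file and say which builds it applies to, keeping the clarification that SMB share access still checks the password. The removed sentence about the user having no groups and no privileges has no replacement, so also state what group membership a logged-in user now has.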
copy it into the location specified by the "logon path" smb.conf parameter
for the user logging in, or log in on the local machine, and use the
System | Profiles control panel to make a copy of the _local_ profile onto
- the samba server.
+ the samba server. This process is described and documented in the NT
+ Help Files.
9) Play around. Look at the Samba Server: see if it can be found in the
browse lists. Check that it is accessible; run some applications.
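Review bot: "described and documented in the NT Help Files" on the added lines is redundant and gives the reader no topic to look up. Suggest "documented in the NT Help Files" plus the name of the help topic or a search term, if known.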
(generating an LSA_SAM_LOGOFF) and log back in again. Try logging in
two users simultaneously. Try logging the same user in twice.
Make Samba fall over, and then send bug reports to us, with NTDOM: at
- the start of the subject line, as "samba-bugs@samba.anu.edu.au".
+ the start of the subject line, as "samba-bugs@samba.org".
-Your reports, testing, patches and criticism will help us get this right.
+Your reports, testing, patches, criticism and encouragement will help us
+get this right.