+!==
+!== DOMAIN.txt for Samba release 2.0.4 18 May 1999
+!==
Contributor: Samba Team
-Updated: June 27, 1997
+Updated: December 4, 1998 (John H Terpstra)
-Subject: Network Logons and Roving Profiles
+Subject: Network Logons and Roaming (Roving) Profiles
===========================================================================
A domain and a workgroup are exactly the same thing in terms of network
-traffic, except for the client logon sequence. Some kind of distributed
-authentication database is associated with a domain (there are quite a few
-choices) and this adds so much flexibility that many people think of a
-domain as a completely different entity to a workgroup. From Samba's
-point of view a client connecting to a service presents an authentication
-token, and it if it is valid they have access. Samba does not care what
-mechanism was used to generate that token in the first place.
+browsing. The difference is that a distributable authentication
+database is associated with a domain, for secure login access to a
+network. Also, different access rights can be granted to users if they
+successfully authenticate against a domain logon server (samba does not
+support this, but NT server and other systems based on NT server do).
+
+As of samba-2.0.0 this is now a work in progress that is expected to
+mature rapidly. Since this document pre-dates samba-2.0.0 it should be
+read from the perspective of it's origins but the reader should understand
+that the following details may NOT be up to date with current development.
The SMB client logging on to a domain has an expectation that every other
server in the domain should accept the same authentication information.
Issues related to the single-logon network model are discussed in this
document. Samba supports domain logons, network logon scripts, and user
-profiles. The support is still experimental, but it seems to work.
+profiles for MS Windows for workgroups and MS Windows 9X clients.
+
+Work is underway to support domain logon for MS Windows NT clients - this
+is mostly working but will undergo much change as the the behaviour of the
+new code matures and becomes easier to manage.
-The support is also not complete. Samba does not yet support the sharing
+Support is also not complete. Samba does not yet support the sharing
of the Windows NT-style SAM database with other systems. However this is
only one way of having a shared user database: exactly the same effect can
-be achieved by having all servers in a domain share a distributed NIS,
-Kerberos or other authentication database. These other options may or may
-not involve changes to the client software, that depends on the combination
-of client OS, server OS and authentication protocol.
+be achieved by having all servers in a domain share a distributed NIS or
+Kerberos authentication database.
When an SMB client in a domain wishes to logon it broadcast requests for a
logon server. The first one to reply gets the job, and validates its
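Review bot: two typos in the added text: "read from the perspective of it's origins" should be "its origins", and "as the the behaviour of the new code matures" has a doubled word. Separately, the new paragraph replacing the workgroup/domain comparison states that Samba does not support granting different access rights after a domain logon, while the paragraphs that follow describe domain logon support as "a work in progress" and "mostly working"; say which statement is current for 2.0.x. Consider keeping the removed sentence that Samba only checks the presented authentication token and does not care how it was generated, since that is the point the comparison rests on and the new wording about "secure login access" loses it.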
different from the Windows NT SAM. Support for the Remote Administration
Protocol is planned for a future release of Samba.
-The domain support works for WfWg, and Win95 clients. Support for Windows
-NT and OS/2 clients is still being worked on and is still experimental.
-Support for profiles is confirmed as working for Win95, NT 4.0 and NT 3.51,
-although NT Workstation requires manual configuration of user accounts with
-NT's "User Manager for Domains", and no automatic profile location support
-is available using samba, although it has been confirmed as possible to use
-an NT server to specify that the location of profiles is on a samba server.
+The domain support works for WfWg, and Win95 clients and NT 4.0 and 3.51.
+Domain support is currently at an early experimental stage for NT 4.0 and
+NT 3.51. Support for Windows OS/2 clients is still being worked on and is
+still experimental.
+
+Support for profiles is confirmed as working for Win95, NT 4.0 and NT 3.51.
+It is possible to specify: the profile location; script file to be loaded
+on login; the user's home directory; and for NT a kick-off time could also
+now easily be supported.
-The help of an NT server can be enlisted, both for profile storage and
-for user authentication. For details on user authentication, see
+With NT Workstations, all this does not require the use or intervention of
+an NT 4.0 or NT 3.51 server: Samba can now replace the logon services
+provided by an NT server, to a limited and experimental degree (for example,
+running "User Manager for Domains" will not provide you with access to
+a domain created by a Samba Server).
+
+With Win95, the help of an NT server can be enlisted, both for profile storage
+and for user authentication. For details on user authentication, see
security_level.txt. For details on profile storage, see below.
Using these features you can make your clients verify their logon via
-the Samba server, make clients run a batch file when they logon to
+the Samba server; make clients run a batch file when they logon to
the network and download their preferences, desktop and start menu.
Configuration Instructions: Network Logons
-==========================================
+==============================================
To use domain logons and profiles you need to do the following:
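Review bot: the replacement paragraph contradicts itself: "The domain support works for WfWg, and Win95 clients and NT 4.0 and 3.51." is immediately followed by "Domain support is currently at an early experimental stage for NT 4.0 and NT 3.51."; keep one statement of NT status (the file already calls NT logon "mostly working" and subject to change). Also "Windows OS/2 clients" should read "OS/2 clients", and "for NT a kick-off time could also now easily be supported" says neither whether it is supported nor which parameter would set it; either name the option or drop the clause.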
for details.
2) Setup a WINS server (see NetBIOS.txt) and configure all your clients
- to use that WINS service. [lkcl 12jul97 - problems occur where
- clients do not pick up the profiles properly unless they are using a
- WINS server. this is still under investigation].
+ to use that WINS service.
3) Create a share called [netlogon] in your smb.conf. This share should
be readable by all users, and probably should not be writeable. This
logon path = \\profileserver\profileshare\profilepath\%U\moreprofilepath
-The default for this option is \\%L\%U, namely \\sambaserver\username,
-The \\L%\%U services is created automatically by the [homes] service.
+The default for this option is \\%N\%U\profile, namely
+\\sambaserver\username\profile. The \\N%\%U service is created
+automatically by the [homes] service.
If you are using a samba server for the profiles, you _must_ make the
share specified in the logon path browseable. Windows 95 appears to
you. If the creation of any component fails, or if it cannot see any
component of the path, the profile creation / reading fails.
+[lkcl 26aug96 - we have discovered a problem where Windows clients can
+maintain a connection to the [homes] share in between logins. The
+[homes] share must NOT therefore be used in a profile path.]
+
Windows 95
----------
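Review bot: the new default-path sentence has a transposed substitution: "The \\N%\%U service is created automatically by the [homes] service." should read "\\%N\%U" to match the default given on the line above. The added [lkcl 26aug96] note then says the [homes] share must NOT be used in a profile path, while the sentence just before it says the \\%N\%U service is created by [homes]; make explicit that the warning is about a path through \\server\homes itself, not the per-user share that [homes] generates, otherwise the stated default appears to violate the warning. While here, "probably should not be writeable" for [netlogon] understates the risk: anything a user can write into that share is executed as a logon script by every client that logs on, so the share should be read-only for everyone except the administrator.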
--------------------------
When a user first logs in to a Windows NT Workstation, the profile
-NTuser.MAN is created. The "User Manager for Domains" can be used
-to specify the location of the profile. Samba cannot be a domain
-logon server for NT, therefore you will need to manually configure
-each and every account. [lkcl 10aug97 - i tried setting the path
-in each account to \\samba-server\homes\profile, and discovered that
-this fails for some reason. you have to have \\samba-server\user\profile,
-where user is the username created from the [homes] share].
+NTuser.DAT is created. The profile location can be now specified
+through the "logon path" parameter, in exactly the same way as it
+can for Win95. [lkcl 10aug97 - i tried setting the path to
+\\samba-server\homes\profile, and discovered that this fails because
+a background process maintains the connection to the [homes] share
+which does _not_ close down in between user logins. you have to
+have \\samba-server\%L\profile, where user is the username created
+from the [homes] share].
+
+There is a parameter that is now available for use with NT Profiles:
+"logon drive". This should be set to "h:" or any other drive, and
+should be used in conjunction with the new "logon home" parameter.
The entry for the NT 4.0 profile is a _directory_ not a file. The NT
help on profiles mentions that a directory is also created with a .PDS
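Review bot: the rewritten [lkcl 10aug97] note gives the working path as "\\samba-server\%L\profile, where user is the username", but %L expands to the server's NetBIOS name, not the user name; the placeholder should be %U (matching the \\%N\%U default earlier in the file) or the literal word "user" as in the text being replaced. The new "logon drive" paragraph says the drive "should be used in conjunction with the new "logon home" parameter" without saying what logon home should contain or how the two relate; a one-line example of the pair would make the paragraph usable.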
[lkcl 20aug97 - after samba digest correspondance, one user found, and
another confirmed, that profiles cannot be loaded from a samba server
-unless "security = user" and "encrypted passwords = yes" (see the file
+unless "security = user" and "encrypt passwords = yes" (see the file
ENCRYPTION.txt) or "security = server" and "password server = ip.address.
of.yourNTserver" are used. either of these options will allow the NT
workstation to access the samba server using LAN manager encrypted
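Review bot: the rename to "encrypt passwords = yes" is correct; "encrypted passwords" is not a recognised smb.conf option and would be ignored as unknown, which is exactly the kind of typo that leaves NT clients unable to load profiles. Since the same paragraph offers "security = server" with "password server = ip.address.of.yourNTserver" as the alternative, it is worth a sentence that this forwards every logon to that host, so the NT server named there must be reachable and trusted, or profile loading fails for a different reason than the one being discussed.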
Windows NT Server
-----------------
-Following the instructions for NT Workstation, there is nothing to stop
-you specifying any path that you like for the location of users' profiles.
-Therefore, you could specify that the profile be stored on a samba server,
-or any other SMB server, as long as that SMB server supports encrypted
-passwords.
+There is nothing to stop you specifying any path that you like for the
+location of users' profiles. Therefore, you could specify that the
+profile be stored on a samba server, or any other SMB server, as long as
+that SMB server supports encrypted passwords.
Sharing Profiles between W95 and NT Workstation 4.0
---------------------------------------------------
-The default logon path is \\%L\U%. NT Workstation will attempt to create
+The default logon path is \\%N\U%. NT Workstation will attempt to create
a directory "\\samba-server\username.PDS" if you specify the logon path
as "\\samba-server\username" with the NT User Manager. Therefore, you
will need to specify (for example) "\\samba-server\username\profile".
need to specify "logon path = \\samba-server\username\profile" [lkcl 10aug97
this has its drawbacks: i created a shortcut to telnet.exe, which attempts
to run from the c:\winnt\system32 directory. this directory is obviously
-unlikely to exist on a W95 host].
+unlikely to exist on a Win95-only host].
If you have this set up correctly, you will find separate user.DAT and
NTuser.DAT files in the same profile directory.
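Review bot: the change to "The default logon path is \\%N\U%." fixes %L to %N but leaves the transposed "U%", which should be "%U" as in the "\\%N\%U\profile" default stated earlier in the file. The section also still tells the reader to specify the profile location "with the NT User Manager", although the Windows NT Workstation section above now says the location is set through "logon path" exactly as for Win95 and that User Manager for Domains does not work against a Samba domain; align the two so the reader is not sent to User Manager after being told it is no longer needed.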