2 !== NTDOMAIN.txt for Samba release 1.9.18alpha4 25 Oct 1997
4 Contributor: Luke Kenneth Casson Leighton (samba-bugs@samba.anu.edu.au)
5 Copyright (C) 1997 Luke Kenneth Casson Leighton
6 Created: October 20, 1997
7 Updated: October 20, 1997
9 Subject: NT Domain Logons
10 ===========================================================================
12 As of 1.9.18alpha1, Samba supports logins for NT 4.0 Workstations, without
13 the need, use or intervention of NT 4.0 Server. This document describes
14 how to set this up. Over the continued development of the 1.9.18alpha
15 series, this process (and therefore this document) should become simpler.
17 The support is still experimental, so should be used at your own risk.
19 NT is not as robust as you might have been led to believe: during the
20 development of the Domain Logon Support, one person reported having to
21 reinstall NT from scratch: their workstation had become totally unuseable.
23 This *has* been reported to the NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM digest.
26 Domain Logons using 1.9.18alpha1
27 ================================
29 1) compile samba with -DNTDOMAIN
31 2) carry out the following unix commands:
36 chmod 666 /tmp/netlogon
40 3) set up samba with encrypted passwords: see ENCRYPTION.txt (probably out
41 of date: you no longer need the DES libraries, but other than that,
42 ENCRYPTION.txt is current).
44 4) for each workstation, add a line to smbpasswd with a username of MACHINE$
45 and a password of "machine". this process will be automated in further
48 5) if using NT server to log in, run the User Manager for Domains, and
49 add the capability to "Log in Locally" to the policies.
51 6) set up the following parameters in smb.conf
53 ; substitute your workgroup here
56 ; a description of domain sids can be found elsewhere.
57 domain sid = S-1-5-21-123-456-789-123
59 ; tells workstations to use SAMBA as its Primary Domain Controller.
62 7) make sure samba is running before the next step is carried out. if
63 this is your first time, just for fun you might like to switch the
64 debug log level to about 10. the NT pipes produces some very pretty
65 output when decoding requests and generating responses, which would
66 be particularly useful to see in tcpdump at some point.
68 8) In the NT Network Settings, change the domain to SAMBA. Do
69 not attempt to create an account using the other part of the dialog:
70 it will fail at present.
72 You should get a wonderful message saying "Welcome to the SAMBA Domain."
74 If you don't, then please first increase your debug log levels and also
75 get a tcpdump (or preferably NetMonitor) trace and examine it carefully.
76 You should see a NETLOGON, a SAMLOGON on UDP port 138. If you don't,
77 then you probably don't have "domain logons = yes" or there is some other
78 problem in resolving the NetBIOS name SAMBA<1c>.
80 On port 139, you should see a LSA_OPEN_POLICY, two LSA_QUERY_INFOs (one
81 for a domain SID of S-1-3... and another for S-1-5) and then an LSA_CLOSE
82 or two. If when you get a connection to the SMB pipe NETLOGON, if /netlogon
83 access is refused, then you probably haven't granted the correct access
84 permissions on the /tmp/netlogon file. Likewise for the srvsvc file.
86 You may see a pipe connection to a wksta service being refused: this
87 is acceptable, we have found. You may also see a "Net Server Get Info"
88 being issued on the srvsvc pipe.
90 Assuming you got the Welcome message, go through the obligatory reboot...
92 9) When pressing Ctrl-Alt-Delete, the NT login box should have three entries.
93 If there is a delay of about twenty seconds between pressing Ctrl-Alt-Delete
94 and the appearance of this login dialog, then there might be a problem:
95 at this stage the workstation is issuing an LSA_ENUMTRUSTEDDOMAIN request
97 The domain box should have two entries: the hostname and the SAMBA domain.
98 Any local accounts are under the hostname domain, from which you will be
99 able to shut down the machine etc. At present, we do not specify that
100 the NT user logging in is a member of any groups, so will have no
101 priveleges, including the ability to shut down the machine.
103 Select the SAMBA domain, and type in a valid username and password for
104 which there is a valid entry in the samba server's smbpasswd LM/NT OWF
107 You should see an LSA_REQ_CHAL, followed by LSA_AUTH2, LSA_NET_SRV_PWSET,
108 and LSA_SAM_LOGON. The SAM Logon will be particularly large (the response
109 can be approximately 600 bytes) as it contains user info.
111 Also, there will probably be a "Net Server Get Info" and a "Net Share Enum"
112 amongst this lot. If the SAM Logon is successful, the dialog should
113 disappear, and a standard SMB connection established to download the
114 profile specified in the SAM Logon (if it was).
116 At this point, you _may_ encounter difficulties in creating a remote
117 profile, and the login may terminate (generating an LSA_SAM_LOGOFF). If
118 this occurs, then either find an existing profile on the samba server and
119 copy it into the location specified by the "logon path" smb.conf parameter
120 for the user logging in, or log in on the local machine, and use the
121 System | Profiles control panel to make a copy of the _local_ profile onto
124 10) Play around. Look at the Samba Server: see if it can be found in the
125 browse lists. Check that it is accessible; run some applications.
126 Generally stress things. Laugh a lot. Logout of the NT machine
127 (generating an LSA_SAM_LOGOFF) and log back in again. Try logging in
128 two users simultaneously. Try logging the same user in twice.
129 Make Samba fall over, and then send bug reports to us, with NTDOM: at
130 the start of the subject line, as "samba-bugs@samba.anu.edu.au".
132 Your reports, testing, patches and criticism will help us get this right.
git.samba.org / samba.git / blob