-Contributor: Luke Kenneth Casson Leighton
+!==
+!== NTDOMAIN.txt for Samba release 2.1.0prealpha 981204
+!==
+Contributor: Luke Kenneth Casson Leighton (samba-bugs@samba.org)
+ Copyright (C) 1997 Luke Kenneth Casson Leighton
Created: October 20, 1997
-Updated: October 20, 1997
+Updated: February 25, 1999 (Jerry Carter)
Subject: NT Domain Logons
===========================================================================
-As of 1.9.18alpha1, Samba supports logins for NT 4.0 Workstations, without
-the need, use or intervention of NT 4.0 Server. This document describes
+As of 1.9.18alpha1, Samba supports logins for NT 3.51 and 4.0 Workstations,
+without the need, use or intervention of NT Server. This document describes
how to set this up. Over the continued development of the 1.9.18alpha
series, this process (and therefore this document) should become simpler.
+One useful thing to do is to get this version of Samba up and running
+with Win95 profiles, as you would for the current stable version of
+Samba (currently at 1.9.17p4), and is fully documented. You will need
+to set up encrypted passwords. Even if you don't have any Win95 machines,
+using your Samba Server to store the profile for one of your NT Workstation
+users is a good test that you have 1.9.18alpha1 correctly configured *prior*
+to attempting NT Domain Logons.
+
The support is still experimental, so should be used at your own risk.
NT is not as robust as you might have been led to believe: during the
development of the Domain Logon Support, one person reported having to
reinstall NT from scratch: their workstation had become totally unuseable.
-This *has* been reported to the NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM digest.
-
-
-Domain Logons using 1.9.18alpha1
-================================
-
-1) compile samba with -DNTDOMAIN
-
-2) carry out the following unix commands:
-
- touch /tmp/netlogon
- touch /tmp/srvsvc
- chmod 666 /tmp/netlogon
- chmod 666 /tmp/srvsvc
-
-3) set up samba with encrypted passwords: see ENCRYPTION.txt (probably out
- of date: you no longer need the DES libraries, but other than that,
- ENCRYPTION.txt is current).
-
-4) for each workstation, add a line to smbpasswd with a username of MACHINE$
- and a password of "machine". this process will be automated in further
- releases.
-
-5) if using NT server to log in, run the User Manager for Domains, and
- add the capability to "Log in Locally" to the policies.
-
-6) set up the following parameters in smb.conf
-
-; substitute your workgroup here
- workgroup = SAMBA
-
-; a description of domain sids can be found elsewhere.
- domain sid = S-1-5-21-123-456-789-123
+[further reports on ntsec@iss.net by independent administrators showing
+ similar symptoms lead us to believe that the SAM database file may be
+ corruptible. this _is_ recoverable (or, at least the machine is accessible),
+ by deleting the SAM file, under which circumstances all user account details
+ are lost, but at least the Administrator can log in with a blank password.
+ this is *not* possible except if the NT system is installed in a FAT
+ partition.]
-; tells workstations to use SAMBA as its Primary Domain Controller.
- domain logons = yes
-
-7) make sure samba is running before the next step is carried out. if
- this is your first time, just for fun you might like to switch the
- debug log level to about 10. the NT pipes produces some very pretty
- output when decoding requests and generating responses, which would
- be particularly useful to see in tcpdump at some point.
-
-8) In the NT Network Settings, change the domain to SAMBA. Do
- not attempt to create an account using the other part of the dialog:
- it will fail at present.
-
- You should get a wonderful message saying "Welcome to the SAMBA Domain."
-
- If you don't, then please first increase your debug log levels and also
- get a tcpdump (or preferably NetMonitor) trace and examine it carefully.
- You should see a NETLOGON, a SAMLOGON on UDP port 138. If you don't,
- then you probably don't have "domain logons = yes" or there is some other
- problem in resolving the NetBIOS name SAMBA<1c>.
-
- On port 139, you should see a LSA_OPEN_POLICY, two LSA_QUERY_INFOs (one
- for a domain SID of S-1-3... and another for S-1-5) and then an LSA_CLOSE
- or two. If when you get a connection to the SMB pipe NETLOGON, if /netlogon
- access is refused, then you probably haven't granted the correct access
- permissions on the /tmp/netlogon file. Likewise for the srvsvc file.
-
- You may see a pipe connection to a wksta service being refused: this
- is acceptable, we have found. You may also see a "Net Server Get Info"
- being issued on the srvsvc pipe.
-
- Assuming you got the Welcome message, go through the obligatory reboot...
-
-9) When pressing Ctrl-Alt-Delete, the NT login box should have three entries.
- If there is a delay of about twenty seconds between pressing Ctrl-Alt-Delete
- and the appearance of this login dialog, then there might be a problem:
- at this stage the workstation is issuing an LSA_ENUMTRUSTEDDOMAIN request
-
- The domain box should have two entries: the hostname and the SAMBA domain.
- Any local accounts are under the hostname domain, from which you will be
- able to shut down the machine etc. At present, we do not specify that
- the NT user logging in is a member of any groups, so will have no
- priveleges, including the ability to shut down the machine.
-
- Select the SAMBA domain, and type in a valid username and password for
- which there is a valid entry in the samba server's smbpasswd LM/NT OWF
- database.
-
- You should see an LSA_REQ_CHAL, followed by LSA_AUTH2, LSA_NET_SRV_PWSET,
- and LSA_SAM_LOGON. The SAM Logon will be particularly large (the response
- can be approximately 600 bytes) as it contains user info.
-
- Also, there will probably be a "Net Server Get Info" and a "Net Share Enum"
- amongst this lot. If the SAM Logon is successful, the dialog should
- disappear, and a standard SMB connection established to download the
- profile specified in the SAM Logon (if it was).
-
- At this point, you _may_ encounter difficulties in creating a remote
- profile, and the login may terminate (generating an LSA_SAM_LOGOFF). If
- this occurs, then either find an existing profile on the samba server and
- copy it into the location specified by the "logon path" smb.conf parameter
- for the user logging in, or log in on the local machine, and use the
- System | Profiles control panel to make a copy of the _local_ profile onto
- the samba server.
+This *has* been reported to the NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM digest.
-10) Play around. Look at the Samba Server: see if it can be found in the
- browse lists. Check that it is accessible; run some applications.
- Generally stress things. Laugh a lot. Logout of the NT machine
- (generating an LSA_SAM_LOGOFF) and log back in again. Try logging in
- two users simultaneously. Try logging the same user in twice.
- Make Samba fall over, and then send bug reports to us, with NTDOM: at
- the start of the subject line, as "samba-bugs@samba.anu.edu.au".
+==========================================================================
+Please note that Samba 2.0 does not **officially** support domain logons
+for Windows NT clients. Of course, domain logon support for Windows 9x
+clients is complete and official. These are two different issues.
-Your reports, testing, patches and criticism will help us get this right.
+Samba's capability to act as a Primary Domain Controller for Windows NT
+domains is not advertised as it is not completed yet. For more information
+regarding how to obtain the latest development (HEAD branch) source code
+and what features are available, please refer to the NT Domain FAQ on-line
+at the Samba web site under the documentation page.
git.samba.org / samba.git / blobdiff