To use domain logons and profiles you need to do the following:
-1) Setup nmbd and smbd and configure the smb.conf so that Samba is
-acting as the master browser. See INSTALL.txt and BROWSING.txt for
-details.
-2) create a share called [netlogon] in your smb.conf. This share should
-be readable by all users, and probably should not be writeable. This
-share will hold your network logon scripts, and the CONFIG.POL file
-(Note: for details on the CONFIG.POL file, refer to the Microsoft
-Windows NT Administration documentation. The format of these files
-is not known, so you will need to use Microsoft tools.)
+1) Setup nmbd and smbd by configuring smb.conf so that Samba is
+ acting as the master browser. See INSTALL.txt and BROWSING.txt
+ for details.
+
+2) Setup a WINS server (see NetBIOS.txt) and configure all your clients
+ to use that WINS service. [lkcl 12jul97 - problems occur where
+ clients do not pick up the profiles properly unless they are using a
+ WINS server. this is still under investigation].
+
+3) create a share called [netlogon] in your smb.conf. This share should
+ be readable by all users, and probably should not be writeable. This
+ share will hold your network logon scripts, and the CONFIG.POL file
+ (Note: for details on the CONFIG.POL file, refer to the Microsoft
+ Windows NT Administration documentation. The format of these files
+ is not known, so you will need to use Microsoft tools.)
For example I have used:
to modify or add files that another user's computer would then download
when they log in.
-3) in the [global] section of smb.conf set the following:
+4) in the [global] section of smb.conf set the following:
domain logons = yes
logon script = %U.bat
give each user a separate batch file as the %U will be changed to
their username automatically. The other standard % macros may also be
used. You can make the batch files come from a subdirectory by using
-soemthing like:
+something like:
logon script = scripts\%U.bat
-4) create the batch files to be run when the user logs in. If the batch
-file doesn't exist then no batch file will be run.
+5) create the batch files to be run when the user logs in. If the batch
+ file doesn't exist then no batch file will be run.
In the batch files you need to be careful to use DOS style cr/lf line
endings. If you don't then DOS may get confused. I suggest you use a
DOS editor to remotely edit the files if you don't know how to produce
DOS style files under unix.
-5) Use smbclient with the -U option for some users to make sure that
-the \\server\NETLOGON share is available, the batch files are visible
-and they are readable by the users.
+6) Use smbclient with the -U option for some users to make sure that
+ the \\server\NETLOGON share is available, the batch files are
+ visible and they are readable by the users.
-6) you will probabaly find that your clients automatically mount the
-\\SERVER\NETLOGON share as drive z: while logging in. You can put some
-useful programs there to execute from the batch files.
+7) you will probabaly find that your clients automatically mount the
+ \\SERVER\NETLOGON share as drive z: while logging in. You can put
+ some useful programs there to execute from the batch files.
NOTE: You must be using "security = user" or "security = server" for
domain logons to work correctly. Share level security won't work
as are folders "start menu", "desktop", "programs" and "nethood".
These directories and their contents will be merged with the local
versions stored in c:\windows\profiles\username on subsequent logins,
-taking the most recent from each.
+taking the most recent from each. You will need to use the [global]
+options "preserve case = yes", "short case preserve = yes" and
+"case sensitive = no" in order to maintain capital letters in shortcuts
+in any of the profile folders.
The user.dat file contains all the user's preferences. If you wish to
enforce a set of preferences, rename their user.dat file to user.man,
3) On the Windows 95 machine, go to Control Panel | Network |
Client for Microsoft Networks | Preferences. Select 'Log on to
- NT Domain'. Press OK, and this time allow the computer to reboot.
+ NT Domain'. Then, ensure that the Primary Logon is 'Client for
+ Microsoft Networks'. Press OK, and this time allow the computer
+ to reboot.
+
+[If you have the Primary Logon as 'Client for Novell Networks', then
+the profiles and logon script will be downloaded from your Novell
+Server. If you have the Primary Logon as 'Windows Logon', then the
+profiles will be loaded from the local machine - a bit against the
+concept of roaming profiles, if you ask me].
You will now find that the Microsoft Networks Login box contains
[user, password, domain] instead of just [user, password]. Type in
These folders will be cached locally on the client, and updated when
the user logs off (if you haven't made them read-only by then :-).
+If you make the folders read-only, then you will find that if the user
+creates further folders or short-cuts, that the client will merge the
+profile contents downloaded with the contents of the profile directory
+already on the local client, taking the newest folders and short-cuts
+from each set.
If you have problems creating user profiles, you can reset the user's
6) check the contents of the profile path (see "logon path" described
above), and delete the user.dat or user.man file for the user,
- making a backup if required.
+ making a backup if required.
If all else fails, increase samba's debug log levels to between 3 and 10,
and / or run a packet trace program such as tcpdump or netmon.exe, and
look for any error reports.
+If you have access to an NT server, then first set up roaming profiles
+and / or netlogons on the NT server. Make a packet trace, or examine
+the example packet traces provided with NT server, and see what the
+differences are with the equivalent samba trace.
+
In fact, the registry contains entries that describes everything that anything
may need to know to interact with the rest of the system.
-The registry files will can be located on any Windows NT machine by opening a
+The registry files can be located on any Windows NT machine by opening a
command prompt and typing:
dir %SystemRoot%\System32\config
the registry contains the user's security identifier, home directory, group
memberships, desktop profile, and so on.
-Every Windows NT system (workstation as well as server) will have it's own
+Every Windows NT system (workstation as well as server) will have its own
registry. Windows NT Servers that participate in Domain Security control
have a database that they share in common - thus they do NOT own an
-independant full registry database of their own, as do Workstations and
+independent full registry database of their own, as do Workstations and
plain Servers.
The User database is called the SAM (Security Access Manager) database and
is used for all user authentication as well as for authentication of inter-
process authentication (ie: to ensure that the service action a user has
-requested is permitted within the limits of that user's privilidges).
+requested is permitted within the limits of that user's privileges).
Windows for Workgroups, Windows 95, and Windows NT Workstations and Servers
can participate in a Domain security system that is controlled by Windows NT
-Contributor: Unknown
-Date: Unknown
-Status: Current
+Contributor: lkcl - Copyright Luke Kenneth Casson Leighton 1997
+Date: March 1997
+Status: Current
Subject: Definition of NetBIOS Protocol and Name Resolution Modes
=============================================================================
NetBEUI is a raw NetBIOS frame protocol implementation that allows NetBIOS
datagrams to be sent out over the 'wire' embedded within LLC frames.
NetBEUI is not required when using NetBIOS over TCP/IP protocols and it
-is preferrable NOT to install NetBEUI if it can be avoided.
+is preferable NOT to install NetBEUI if it can be avoided.
+
+IPX/SPX is also not required when using NetBIOS over TCP/IP, and it is
+preferable NOT to install the IPX/SPX transport unless you are using Novell
+servers. At the very least, it is recommended that you do not install
+'NetBIOS over IPX/SPX'.
+
+[When installing Windows 95, you will find that NetBEUI and IPX/SPX are
+installed as the default protocols. This is because they are the simplest
+to manage: no Windows 95 user-configuration is required].
+
NetBIOS applications (such as samba) offer their services (for example,
SMB file and print sharing) on a NetBIOS name. They must claim this name
There are two kinds of NetBIOS Name resolution: Broadcast and Point-to-Point.
+
=================
BROADCAST NetBIOS
=================
Clients can claim names, and therefore offer services on successfully claimed
names, on their broadcast-isolated subnet. One way to get NetBIOS services
(such as browsing: see ftp.microsoft.com/drg/developr/CIFS/browdiff.txt; and
-SMB file/print sharing: see cifs4.txt) working on a LAN or WAN is to make
+SMB file/print sharing: see cifs6.txt) working on a LAN or WAN is to make
your routers forward all broadcast packets from TCP/IP ports 137, 138 and 139.
+You will find, however, if you do this on a large LAN or a WAN, that your
+network is completely swamped by NetBIOS and browsing packets, which is why
+WINS was developed to minimise the necessity of broadcast traffic.
WINS Clients therefore claim names from the WINS server. If the WINS
server allows them to register a name, the client's NetBIOS session service
can then offer services on this name. Other WINS clients will then
contact the WINS server to resolve a NetBIOS name.
+
+=======================
+Samba WINS Capabilities
+=======================
+
To configure samba as a WINS server, you must add "wins support = yes" to
the [global] section of your smb.conf file. This will enable WINS server
capabilities in nmbd.
git.samba.org / samba.git / commitdiff