                    FAQ for Samba NT Domain PDC support

                 Last Update : Tue Mar 16 09:50:00 CST 1999

  ------------------------------------------------------------------------

NOTICE : Unless otherwise stated, all functionality described in this FAQ is
contained only in the HEAD Samba branch, which is different from the main
distributed branch (e.g. 2.0.0 at the moment).  The HEAD branch is used for
development purposes and should not be used in a production environment.
This does not mean that it does not work, but rather that it changes very
quickly and is to be considered a work in progress.  The distributed version
is considered to be "stable" code but may not contain all the functionality
of the HEAD branch.

Also, the FAQ deals with functionality specific to the interaction between
Windows NT Domains and Samba.  For general setup information, please refer
to the files located in the docs/ directory in the Samba distribution or to
the documentation links on the Samba home page.

  ------------------------------------------------------------------------

1. General Information

     1.1.  How do I know if I need Samba Primary Domain Controller
     (PDC) support and how much of its functionality is currently
     implemented?

2. Setup

     2.1.  How do I download the latest Samba NT Domain Controller
     code?
     2.2.  How do I get my NT Workstation / Server to join the Samba
     controlled Domain?
     2.3.  When I try to join the domain I get the message "The
     machine account for this computer either does not exist or is not
     accessible."
     2.4.  I successfully joined the Samba controlled domain, but now
     I can't login!
     2.5.  What's the status of print spool (\PIPE\spoolss) support in
     the NTDOM code?
     2.6.  I keep getting the message "trust account xxx should be in 
     DOMAIN_GROUP_RID_USERS."  What do I need to do?
     2.7  I joined the domain successfully but after upgrading to a 
     newer version of the Samba code I get the message, "The system can 
     not log you on (C000019B), Please try again or consult your system
     administrator" when attempting to logon.

3. Troubleshooting / Bug Reporting

     3.1.  What are some diagnostics tools I can use to debug the
     domain logon process and where can I find them?
     3.2.  How do I install "Network Monitor" on an NT Workstation or
     a Windows 9x box?
     3.3.  I've seen the bits on the wire, but where can I find out
     what it all means?
     3.4.  I've tried all the debugging help from question 3.1 and
     still can't get things working.  What information should I
     include in my posting to the samba-ntdom mailing list?

4.  User Account Management

     Roaming Profiles & Policies
     4.1.1  Why is it bad to set "logon path = \\%N\%U\profile" in
     smb.conf?
     4.1.2  Why are all the users listed in the "domain admin users"
     using the same profile?

     User & Groups
     4.2.1.  When I run command line tool "x", that tries to use a
     domain account, I get the message 'No mapping between usernames
     and ID's was done.'
     4.2.2.  I really need to include domain accounts and groups in
     the ACL's, but it won't work.
     4.2.3.  The roaming profiles do not seem to be updating on the
     server.

     Domain Administration
     4.3.1.  How do I configure an account as a domain administrator?
     4.3.2.  I can't get system policies to work.

     Passwords
     4.4.1.  How do I get remote password (unix and SMB) changing
     working?

5.  Miscellaneous

     5.1  Since I don't need to buy an NT Server CD now, how do I get
     the "User Manager for Domains", the "Server Manager", and the
     "Windows NT Policy Editor"?

6. security = domain

     6.1  How do I get my samba server to become a member ( not PDC )
     of an NT domain?

  ------------------------------------------------------------------------

1.1. How do I know if I need Samba Primary Domain Controller (PDC) support
and how much of its functionality is currently implemented?

If you wish to have Samba act as a PDC for Windows NT 3.51 and 4.0 clients,
then you will need to obtain the latest main branch source code (see 2.1).
The following is a list of currently included features:

   * The ability to act as a PDC for Windows NT 3.51 Service Pack 5 and 4.0
     Service Pack 4 clients.  This includes adding NT machines to the
     domain and authenticating users logging into the domain.
   * Domain accounts can be viewed using the "User Manager for Domains".
   * Viewing resources on the Samba PDC via the "Server Manager for
     Domains" from the NT client.
   * Windows 95 clients will allow "user level" security to be set but will
     not currently allow browsing of accounts.
   * Machine account password updates.
   * Changing of user passwords from an NT client.
   * Username <-> RID mapping
        o some tools work with this, such as the NT Sec tools from Pedestal
          Software.
        o some tools, like explorer.exe, do not
   * Partial support for Windows NT group and username mapping
   * Support for a LDAP password database backend

Release of a stable, full featured Samba PDC is currently slated for
version 2.1.   The NT domain client code is available beginning with
version 2.0.   The following are not currently available in the NTDOM PDC
support but eventually will be.

   * Trust relationships
   * PDC <=> BDC integration
   * Network printing (see question 2.5 for a workaround)
   * Windows NT ACLs (on the Samba shares)

  ------------------------------------------------------------------------

2.1. How do I download the latest Samba NT Domain Controller code?

Before continuing, please be aware that the development branch of Samba
changes very rapidly. Recently there has been an average of 20 code
check-ins a day.  You've been warned!

For general information on accessing the samba source code via CVS, see
http://cvs.samba.org/cvs.html

To download the latest Samba Domain Controller source code

   * Obtain a recent copy of the cvs client binary. The cvs source code is
     available from ftp://download.cyclic.com/pub/
   * Now run the following command

                     cvs -d :pserver:cvs@samba.org:/cvsroot login

     when you are prompted for a password, enter 'cvs' without the quotes.
   * Now run the command

                     cvs -d :pserver:cvs@samba.org:/cvsroot co samba
   * To update your source code run the following command

                     cvs update -d -P

If you want to update the entire archive of the main branch code make sure
that you are located in the top directory of the samba tree ( ie.  the
samba directory ).

  ------------------------------------------------------------------------

2.2. How do I get my NT Workstation / Server to login to the Samba
controlled Domain?

   * Obtain the latest main branch samba code ( see question 2.1)
   * Set up samba with encrypted passwords: see ENCRYPTION.txt (probably
     out of date: you no longer need the DES libraries, but other than
     that, ENCRYPTION.txt is current).

     At this point, it is advisable to test that your samba server is
     accessible correctly with encrypted passwords, before progressing with
     any of the NT workstation-specific bits: it's up to you.
   * To create the machine account on the Samba PDC, first create an
     account in /etc/passwd for the username workstation_name$.  Currently
     the uid is all that will be used, and this is to ensure that the Samba
     generated machine RID for the workstation account will be unique.
     Therefore you should not reuse unix uids in /etc/passwd.  The shell
     and home directory fields in /etc/passwd are not used for now and can
     be set to /bin/false and /dev/null respectively.

     Here are some example entries:

           ws1$:*:801:800:NT Workstation 1:/dev/null:/bin/false
           ws2$:*:802:800:NT Workstation 2:/dev/null:/bin/false

     Now run the following command

           smbpasswd -a -m workstation_name

     This will create an entry in the private/smbpasswd file in the form of

           workstation_name$:uid:LM_XXX:NT_XXX:[W       ]:LCT-XXXX:

     The LM_XXX and NT_XXX fields are the ASCII representations of the 16
     byte LanMan and NT MD4 hashes respectively of the password
     workstation_name.

     When a machine joins a domain it uses a default password (i.e. its
     NetBIOS name in lower case letters).  Once it has successfully joined
     the domain, the client will change its password to some random value
     using the old password as the encryption key. Therefore, if you must
     rejoin the domain, you must reset the password for the workstation
     trust account on the server.

   * If using NT Server to log in, run the User Manager for Domains, and
     grant "Everyone" (or "Authenticated Users", assuming NT4 SP3 or higher)
     the capability to Log on Locally, which you would have to do even if
     you were logging in to another NT PDC instead of a Samba PDC.

   * Set up the following parameters in smb.conf

              ; substitute your workgroup here
              workgroup = SAMBA
              ; tells workstations to use SAMBA as their Primary Domain Controller.
              domain logons = yes

   * Starting smbd will create a file named private/SAMBA.SID with
     permissions rw-r--r--. The file contains the domain SID for the Samba
     PDC. The filename will differ depending on the value of the workgroup
     parameter.  If the contents of this file change, no domain members
     will be able to logon and they will need to be re-added to the domain.
     Guard it carefully!
   * Make sure Samba is running before the next step is carried out.  If
     this is your first time, just for fun you might like to switch the
     debug log level to about 20.  The NT pipes produce some very pretty
     output when decoding requests and generating responses, which would be
     particularly useful to see in tcpdump at some point.
   * In the NT Network Settings, change the domain to SAMBA.  Do not attempt
     to create an account using the other part of the dialog; it will fail
     at present.  You should get a wonderful message saying "Welcome to the
     SAMBA Domain."

     If you don't, then please first increase your debug log levels and
     also get a tcpdump (or preferably NetMonitor) trace and examine it
     carefully.  You should see a NETLOGON, a SAMLOGON on UDP port 138. If
     you don't, then you probably don't have "domain logons = yes" or there
     is some other problem in resolving the NetBIOS name SAMBA<1c>.

     On port 139, you should see a LSA_OPEN_POLICY, two LSA_QUERY_INFOs
     (one for a domain SID of S-1-3... and another for S-1-5) and then an
     LSA_CLOSE or two. You may see a pipe connection to a wkssvc pipe, and
     you may also see a "Net Server Get Info" being issued on the srvsvc
     pipe.

     Assuming you got the Welcome message, go through the obligatory reboot
     (the NT box, not the Samba server).

  ------------------------------------------------------------------------

2.3.  When I try to join the domain I get the message "The machine account
for this computer either does not exist or is not accessible."

The first thing to do is to make sure that you have the entry correct for
the machine account in the smbpasswd file on the Samba PDC.  If you added
the account manually rather than using the smbpasswd utility, make sure that
the account name is the machine NetBIOS name with a '$' appended to it
( ie. computer_name$ ) and the password is the machine name in **lower** case
letters.  Also make sure that the account type is [W         ].  Some
people have reported that inconsistent subnet masks between the Samba
server and the NT client have caused this problem.  Make sure that these
are consistent for both client and server.

  ------------------------------------------------------------------------

2.4.  I successfully joined the Samba controlled domain, but now I can't
login!

   * When pressing Ctrl-Alt-Delete, the NT login box should have three
     entries.  If there is a delay of about twenty seconds between pressing
     Ctrl-Alt-Delete and the appearance of this login dialog, then there
     might be a problem: at this stage the workstation is issuing an
     LSA_ENUMTRUSTEDDOMAIN request.

     The domain box should have two entries: the hostname and the SAMBA
     domain.  Any local accounts are under the hostname domain.  Global
     groups are defined using the "domain group map" parameter.  Select the
     SAMBA domain, and type in a valid username and password for which
     there is a valid entry in the samba server's smbpasswd LM/NT OWF
     database.

     You should see an LSA_REQ_CHAL, followed by LSA_AUTH2,
     LSA_NET_SRV_PWSET, and LSA_SAM_LOGON. The SAM Logon will be
     particularly large (the response can be approximately 600 bytes) as it
     contains user info.

     Also, there will probably be a "Net Server Get Info" and a "Net Share
     Enum" amongst this lot. If the SAM Logon is successful, the dialog
     should disappear, and a standard SMB connection established to
     download the profile specified in the SAM Logon (if it was).

     At this point, you _may_ encounter difficulties in creating a remote
     profile, and the login may terminate (generating an LSA_SAM_LOGOFF).
     If this occurs, then either find an existing profile on the samba
     server and copy it into the location specified by the "logon path"
     smb.conf parameter for the user logging in, or log in on the local
     machine, and use the System | Profiles control panel to make a copy of
     the _local_ profile onto the samba server. This process is described
     and documented in the NT Help Files.
   * Play around. Look at the Samba Server: see if it can be found in the
     browse lists. Check that it is accessible; run some applications.
     Generally stress things. Laugh a lot. Log out of the NT machine
     (generating an LSA_SAM_LOGOFF) and log back in again. Try logging in
     two users simultaneously. Try logging the same user in twice.  Make
     Samba fall over, and then send bug reports to us, with NTDOM: at the
     start of the subject line, to samba-bugs@samba.org. Join the
     samba-ntdom@samba.org mailing list: help with or watch the latest
     developments.

  ------------------------------------------------------------------------

2.5.  What's the status of print spool (\PIPE\spoolss) support in the NTDOM
code?

The implementation of support for .\spoolss pipe is about 75% done but has
not been checked into the HEAD branch code (well, not true exactly...parts
of it have).  The current solution implemented in Samba 2.0 is to cause the
NT box to thunk back down to the LanMan printing calls.  If you add a
printer from a Samba 2.0 server, the port should appear in the connection
as a LanMan printer port.

  ------------------------------------------------------------------------

2.6.  I keep getting the message "trust account xxx should be in
DOMAIN_GROUP_RID_USERS."  What do I need to do?

Nothing.  This is a note that one of the developers put in to remind him
of an issue that is yet to be resolved.  It is harmless and should be ignored.
If you find it filling up your debug logs, you can set it to be logged at a
higher level.  Edit passdb/sampass.c and locate the string.  Then change
the debug level from 0 to 3 or higher.

  ------------------------------------------------------------------------

2.7  I joined the domain successfully but after upgrading to a newer 
version of the Samba code I get the message, "The system can not log 
you on (C000019B), Please try again or consult your system administrator" 
when attempting to logon.

This occurs when the domain SID stored in private/WORKGROUP.SID is changed.
For example, you remove the file and smbd automatically creates a new one.
Or you are swapping back and forth between versions 2.0.x and the HEAD branch
code (not recommended).  The only ways to correct the problem are to

   * Restore the original domain SID, or
   * Remove the domain client from the domain and rejoin.

  ------------------------------------------------------------------------

3.1. What are some diagnostics tools I can use to debug the domain logon
process and where can I find them?

   * One of the best diagnostic tools for debugging problems is Samba
     itself.  You can use the -d option for both smbd and nmbd to specify
     the "debug" level at which to run.  See the man pages on smbd, nmbd
     and smb.conf for more information on debugging options.  The debug
     level can range from 1 (the default) to around 100, but a debug level
     of about 20 will normally help you find any errors that Samba is
     encountering.
   * Another helpful method of debugging is to compile Samba using the gcc
     -g flag.  This will include debug information in the binaries and
     allow you to attach gdb to the running smbd / nmbd process.  In order
     to attach gdb to an smbd process for an NT workstation, first get the
     workstation to make the connection.  Pressing ctrl-alt-delete and going
     down to the domain box is sufficient (at least, on the first time you
     join the domain) to generate a "LsaEnumTrustedDomains".  Thereafter,
     the workstation maintains an open connection, and therefore there will
     be an smbd process running (assuming that you haven't set a really
     short smbd idle timeout).  So, in between pressing ctrl-alt-delete and
     actually typing in your password, you can attach gdb and continue.
   * An SMB enabled version of tcpdump is available from
     ftp://samba.org/pub/samba/tcpdump-smb/

     Capconvert is a small C program for translating output from
     tcpdump-smb to CAP format that can be read by netmon.  You will need
     to use the raw output from tcpdump ( ie. tcpdump -w output.dump ).
     Good news!  Now you can convert Solaris' snoop output as well.  The C
     source code for snoop2cap is available for download.

   * For tracing things on Microsoft Windows NT, Network Monitor (aka.
     netmon) is available on the Microsoft Developer Network CDs, the
     Windows NT Server install CD and the SMS CDs.  The version of netmon
     that comes with SMS allows for dumping packets between any two
     computers (ie. placing the network interface in promiscuous mode).
     The version on the NT Server install CD will only allow monitoring of
     network traffic directed to the local NT box and broadcasts on the
     local subnet.

  ------------------------------------------------------------------------

3.2.  How do I install "Network Monitor" on an NT Workstation or a Windows
9x box?

Installing netmon on an NT workstation requires a couple of steps.  The
following are for installing Netmon V4.00.349, which comes with Microsoft
Windows NT Server 4.0, on Microsoft Windows NT Workstation 4.0.  The
process should be similar for other versions of Windows NT / Netmon.  You
will need

   * The Microsoft Windows NT Server 4.0 install CD.
   * The Microsoft Windows NT Workstation 4.0 install CD.

Initially you will need to install "Network Monitor Tools and Agent" on the
NT Server.  To do this

  1. Go to Start -> Settings -> Control Panel -> Network -> Services -> Add
  2. Select the "Network Monitor Tools and Agent" and click on "OK".
  3. Click "OK" on the Network Control Panel.
  4. Insert the Windows NT Server 4.0 install CD when prompted.

At this point the Netmon files should exist in
%SYSTEMROOT%\System32\netmon\*.*   Two subdirectories exist as well:
parsers\, which contains the necessary DLLs for parsing the netmon packet
dump, and captures\.

In order to install the Netmon tools on an NT Workstation, you will first
need to install the "Network Monitor Agent" from the Workstation install
CD.

  1. Go to Start -> Settings -> Control Panel -> Network -> Services -> Add
  2. Select the "Network Monitor Agent" and click on "OK".
  3. Click "OK" on the Network Control Panel.
  4. Insert the Windows NT Workstation 4.0 install CD when prompted.

Now copy the files from the NT Server in %SYSTEMROOT%\System32\netmon\*.*
to %SYSTEMROOT%\System32\netmon\*.* on the Workstation and set permissions
as you deem appropriate for your site.  You will need administrative rights
on the NT box to run netmon.

To install Netmon on a Windows 9x box

   * install the network monitor agent from the Windows 9x CD
     (\admin\nettools\netmon).   There is a readme file located with the
     netmon driver files on the CD if you need information on how to do
     this.
   * Copy the files from a working Netmon installation.
   * Run netmon on Windows 9x :-)

  ------------------------------------------------------------------------

3.3. I've seen the bits on the wire, but where can I find out what it all
means?

There are many sources of information available in the form of mailing
lists, RFC's and documentation.  The docs that come with the samba
distribution contain very good explanations of general SMB topics such as
browsing.

   * Mailing Lists :
        o samba-ntdom@samba.org <Listproc server>
          This list is devoted to implementing support for "NT domains for
          Unix". Archive located at http://samba.org/listproc/samba-ntdom
        o samba-technical@samba.org <Listproc server>
          Mailing list for normal samba development.  Archive
          located at http://samba.org/listproc/samba-technical
        o samba@samba.org <Listproc server>
          Mailing list for normal samba deployment.  Archive
          located at http://samba.org/listproc/samba
        o CIFS@DISCUSS.MICROSOFT.COM <Listproc server>
          Discussion of the CIFS ( Common Internet File System ) protocol
          Archive located at
          http://discuss.microsoft.com/archives/cifs.html
   * URL's
        o Home of Samba site http://samba.org
        o Misc links to CIFS information http://samba.org/cifs/
        o NT Domains for Unix http://mailhost.cb1.com/~lkcl/ntdom/
        o Microsoft's main CIFS page: 
          http://www.microsoft.com/workshop/networking/cifs/
        o FTP site for older SMB specs:
          ftp://ftp.microsoft.com/developr/drg/CIFS/
   * RFC's
        o RFC1001 (March '87) Protocol standard for a NetBIOS service on a
          TCP/UDP transport: Concepts and methods.
          http://ds.internic.net/rfc/rfc1001.txt
        o RFC1002 (March '87) Protocol standard for a NetBIOS service on a
          TCP/UDP transport: Detailed specifications.
          http://ds.internic.net/rfc/rfc1002.txt
        o CIFS specifications
             + CIFS/E Browser Protocol draft-leach-cifs-browser-spec-00.txt
             + CIFS Remote Administration Protocol
               draft-leach-cifs-rap-spec-00.txt
             + CIFS Logon and Pass Through Authentication
               draft-leach-cifs-logon-spec-00.txt
             + A Common Internet File System (CIFS/1.0) Protocol
               draft-leach-cifs-v1-spec-01.txt
             + CIFS Printing Specification
               draft-leach-cifs-print-spec-00.txt

  ------------------------------------------------------------------------

3.4. I've tried all the debugging help from question 3.1 and still can't
get things working.  What information should I include in my posting to the
samba-ntdom mailing list?

If you post a problem regarding setting up samba PDC support to the
samba-ntdom mailing list, please include the following information

   * The date when you last checked out the main code via cvs.
   * The OS and version of the server on which you are running samba.
   * The relevant sections of your smb.conf file.  At least the options in
     [global] that affect PDC support.
   * Partial log files written at a debug level of  at least 20.  Please
     don't send the entire log but enough to give the context of the error
     messages.
   * If you have a complete netmon trace ( from the opening of the pipe to
     the error ) you can send the *.CAP file as well.

  ------------------------------------------------------------------------

4.1.1.  Why is it bad to set "logon path = \\%N\%U\profile" in smb.conf?

Sometimes Windows clients will maintain a connection to the [homes] ( or
[%U] ) share even after the user has logged out.  Consider the following
scenario.

   * user1 logs into the Windows NT machine.  Therefore the [homes] share
     is set to \\server\user1.
   * user1 works for a while and then logs out.
   * user2 logs into the same Windows NT  machine.

However, since the NT box has maintained a connection to [homes], which was
previously set to \\server\user1, when the operating system attempts to get
user2's profile it will receive user1's profile if it can read it, and an
error otherwise.  You get the picture.

A better solution is to use a separate [profiles] share and set the "logon
path = \\%N\profiles\%U"

  ------------------------------------------------------------------------

4.1.2.  Why are all the users listed in the "domain admin users" using the
same profile?

The 'domain admin users' parameter is obsolete.  Please see Q4.3.1.

There are several well known RIDs in Windows NT.  One of these is the
Administrator RID, which is 500.  Currently Samba supports domain admin users
by assigning them the Administrator RID of 500 rather than the way that
normal user RIDs are generated (by adding 1000 to the unix uid).  This will
change in the future as more is learned about the methods to implement this
and as NT groups become supported.

The hard coded RID for domain admins can cause users to share profiles if
you are not deleting the cached copy of the user profile after the user
logs out.

  ------------------------------------------------------------------------

4.2.1.  When I run command line tool "x", that tries to use a domain
account, I get the message 'No mapping between usernames and ID's was done.'

The username <-> RID mapping and some related remote procedure calls are
not entirely complete.  If you get this failure, please report it, and how
to reproduce it, to the samba-ntdom@samba.org mailing list.

  ------------------------------------------------------------------------

4.2.2.  I really need to include domain accounts and groups in the ACL's,
but it won't work.

Some tools will work.  For example, the NT Sec tools sold by Pedestal
Software work for me.   I can successfully include domain users and groups
in local file ACLs.  These tools also allow you to include users and groups
in share permissions as well.   However, the Windows Explorer
(explorer.exe) does not work.   The cacls.exe tool that ships with Windows
NT also works?

  ------------------------------------------------------------------------

4.2.3.  The roaming profiles do not seem to be updating on the server.

There can be several reasons for this.

   * Make sure that the time on the client and the PDC are synchronized.
     You can accomplish this by executing a net time \\server /set /yes
     replacing server with the name of your PDC (or another synchronized
     SMB server).
   * Make sure that the logon path is writeable by the user and make sure
     that the connection to the logon path location is by the current user.
     Sometimes Windows clients do not drop the connection immediately upon
     logoff.
   * Some people have reported that the logon path location should also be
     browseable.  I have yet to empirically verify this, but you can try.

  ------------------------------------------------------------------------

4.3.1.  How do I configure an account as a domain administrator?

This has changed in the latest version of the HEAD branch.  The "domain
admin users" and "domain admin group" parameters have gone away.  See the
smb.conf man page for information on

   * domain group map
   * domain user map
   * local group map

Here are some sample notes...

To put users in the "Domain Admins" group

   * Choose a suitable UNIX group, for example the group "adm".  Add the
     following parameter to smb.conf

       domain group map = /usr/local/samba/lib/domaingroup.map

   * Now create /usr/local/samba/lib/domaingroup.map and add the following.
     The quotes are necessary for group names that include spaces.

       adm="Domain Admins"

   * In /etc/group (or the NIS map), put any user you want to be a "Domain
     Admin" in the group "adm".  These users will have Domain Admin rights
     on the workstations and will, for example, have Domain Admins policy
     rules (ie permissions) applied to them.  They can take the workstation
     out of a domain, remove or edit profiles on the machine etc.

To add users to the local Administrator accounts on machines

   * Add the following parameter to smb.conf

       local group map = /usr/local/samba/lib/localgroup.map

   * Choose a suitable unix group, for example "wheel", and add the
     following entry to the local group map file

       wheel=BUILTIN\Administrators

   * Then in /etc/group (or the NIS map), any users that you want to be
     local administrators must be in the group "wheel".

Now to map NT user accounts to unix accounts

   * Add the following parameter to smb.conf

       domain user map = /usr/local/samba/lib/domainuser.map

   * In the file /usr/local/samba/lib/domainuser.map put :

       root=Administrator

   * Then run

       smbpasswd -a root

     and enter a password.
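To audit who will actually end up in the mapped NT groups, here is an added example (not part of the FAQ or of Samba) that parses the domain group map and local group map formats shown above, together with /etc/group and /etc/passwd, and lists the unix users behind each NT group. It assumes, as unix itself does, that a user's primary group from /etc/passwd counts as membership; the sample files are constructed.

```python
"""Report the unix members of each NT group named in a Samba group map file.

Added example, not Samba's own code.  Map lines have the form shown in the
FAQ, unixgroup="NT Group" or wheel=BUILTIN\\Administrators, with quotes
needed only for names containing spaces.  The sample files are constructed.
"""

def parse_group_map(text: str) -> dict:
    """Map unix group name -> NT group name; '#' comments and blanks are skipped."""
    mapping = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        unix_group, sep, nt_group = line.partition("=")
        unix_group, nt_group = unix_group.strip(), nt_group.strip()
        if not sep or not unix_group or not nt_group:
            raise ValueError("line %d: expected unixgroup=ntgroup" % lineno)
        if len(nt_group) >= 2 and nt_group[0] == nt_group[-1] == '"':
            nt_group = nt_group[1:-1]                 # strip the quotes
        mapping[unix_group] = nt_group
    return mapping

def unix_group_members(group_text: str, passwd_text: str) -> dict:
    """Map unix group -> set of users, from the /etc/group member list plus
    each user's primary gid in /etc/passwd (assumed to count as membership)."""
    gid_name, members = {}, {}
    for line in group_text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        name, _pw, gid, users = line.split(":", 3)
        gid_name[int(gid)] = name
        members[name] = set(u for u in users.split(",") if u)
    for line in passwd_text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        gid = int(fields[3])
        if gid in gid_name:
            members[gid_name[gid]].add(fields[0])
    return members

def nt_group_members(map_text: str, group_text: str, passwd_text: str) -> dict:
    """NT group name -> sorted list of unix users Samba will place in it."""
    members = unix_group_members(group_text, passwd_text)
    result = {}
    for unix_group, nt_group in parse_group_map(map_text).items():
        result.setdefault(nt_group, set()).update(members.get(unix_group, set()))
    return {g: sorted(u) for g, u in result.items()}

# Constructed sample files in the formats the FAQ describes.
SAMPLE_DOMAINGROUP_MAP = """\
# domaingroup.map
adm="Domain Admins"
users="Domain Users"
"""
SAMPLE_LOCALGROUP_MAP = "wheel=BUILTIN\\Administrators\n"
SAMPLE_GROUP = """\
root:x:0:
adm:x:4:alice,bob
wheel:x:10:alice
users:x:100:
"""
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/sh
alice:x:1001:100:Alice:/home/alice:/bin/sh
bob:x:1002:100:Bob:/home/bob:/bin/sh
carol:x:1003:4:Carol:/home/carol:/bin/sh
ws1$:*:801:800:NT Workstation 1:/dev/null:/bin/false
"""

if __name__ == "__main__":
    for map_text in (SAMPLE_DOMAINGROUP_MAP, SAMPLE_LOCALGROUP_MAP):
        for nt_group, users in nt_group_members(map_text, SAMPLE_GROUP, SAMPLE_PASSWD).items():
            print("%-25s %s" % (nt_group, ", ".join(users)))
```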

  ------------------------------------------------------------------------

4.3.2. I can't get system policies to work.

There are two possible reasons for system policies not functioning
correctly.

   * Make sure that you have the following parameters set in smb.conf

                  [netlogon]
                       ....
                       locking = no
                       public = no
                       browseable = yes
                       ....

   * Play with the case settings and up the debug level of smbd.  See what
     file the NT client is looking for.  People have reported success using
     NTconfig.pol, NTconfig.POL and ntconfig.pol.  These are the case
     settings that I use with the filename ntconfig.pol

                  case sensitive = no
                  case preserve = yes
                  ; "default case" takes lower or upper, not yes
                  default case = lower

  ------------------------------------------------------------------------

4.4.1  How do I get remote password (unix and SMB) changing working ?

Ensure you have the following in smb.conf :

    unix password sync = yes
    passwd program = /usr/bin/passwd %u
    passwd chat = *password* %n\n *password* %n\n *successfull*

The actual value of the second and third line will vary with your system.
The passwd program will be run with root privilege so make sure the text
that you supply is correct for a root operation. The man pages suggest you
can use double quotes to 'collect strings with spaces in them'. Reports
from users indicated that this did not work well; examining the strings
being submitted indicated that the program was having trouble parsing the
string so it is better to avoid the spaces and rely on the *.

You do not need to add -DALLOW_CHANGE_PASSWORD to the makefile.  It's in
~/include/includes.h.  As mentioned above, the change to the unix password
happens as root, not as the user, as is indicated in ~/smbd/chgpasswd.c.  If
you are using NIS, the Samba server must be running on the NIS master
machine.

  ------------------------------------------------------------------------

5.1  Since I don't need to buy an NT Server CD now, how do I get the "User
Manager for Domains", the "Server Manager", and the "Windows NT Policy
Editor"?

Microsoft distributes a version of these tools called nexus for
installation on Windows 95 systems.  The tools set includes

   * Server Manager
   * User Manager for Domains
   * Event Viewer


The Windows NT 4.0 versions of the

   * User Manager for Domains
   * Server Manager

are available from Microsoft via ftp.

Windows NT Policy Editor

To create or edit ntconfig.pol you must use the NT Server Policy Editor
(poledit.exe) which is included with NT Server but **not** NT Workstation.
Although the Windows 95 Policy Editor can be installed on an NT
Workstation/Server, it will not work with NT policies because of the
registry keys that are set by the policy templates.

If you need a copy of the Windows NT policy editor, one is included
with Service Pack 3 (and 4) for Windows NT 4.0. Extract the files
using servicepackname /x. The policy editor (poledit.exe) and the
associated template files (*.adm) should be extracted as well. It is also
possible to download the policy template files for Office97 and get a
copy of the policy editor. Another possible location is the Zero
Administration Kit available for download from Microsoft.

  ------------------------------------------------------------------------

6.1  How do I get my samba server to become a member ( not PDC ) of an NT
domain?

Samba now supports a new value for the "security" global parameter in
smb.conf.  By setting "security = domain" in the configuration file, a
samba server is able to act as a full member of an NT Domain (even if it
has a Samba server as a PDC ).  The Samba box can join the NT domain, but
users must still be defined in the local /etc/passwd file.  Jeremy Allison
wrote a good article for Linuxworld explaining the domain security model
support in Samba 2.0 (see lw-10-samba.html ). You should also refer to
DOMAIN_MEMBER.txt included in the Samba distribution.   The "security =
domain" support is included in Samba 2.0.

Here are the steps for setting things up. When the instructions refer to
the client machine, they are speaking of the samba machine which you want
to join the NT Domain.

   * First, create a machine account on the PDC for the client samba
     machine.  If you are doing this on a Samba PDC, then follow the
     instructions in question 2.2 regarding creating the machine accounts.
     If you are using an actual NT Server as the PDC, then follow normal
     procedures for creating the machine account using the Server Manager.
   * Now set "workgroup = <NT Domain>" and "password server = <NetBIOS name
     of PDC>" in the global section of the smb.conf file on the client
     machine, replacing <NT Domain> and <NetBIOS name of PDC> with values
     appropriate for your site.
   * Start samba on the client machine.  Note that the directory where the
     smbpasswd file would be located should exist as this is where smbd
     will generate the MACHINE.SID file.
   * Finally run "smbpasswd -j <NT Domain>" on the client samba machine.
     If all goes well, you will see a message saying that the samba machine
     has successfully joined the <NT Domain>.  This will create a file in
     the same directory  as MACHINE.SID, named <NT Domain>.<NetBIOS
     Name>.mac which will contain the trust account password for the samba
     domain member.  The permissions are set to "rw-------".  Do Not change
     these for security reasons.
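As an added example (not code from the Samba project), the following script checks the smb.conf settings the steps above require and verifies that the trust account file created by "smbpasswd -j" still has the rw------- permissions; the sample smb.conf values EXAMPLEDOM, NTPDC1 and the file name EXAMPLEDOM.SAMBABOX.mac are constructed for illustration.

```python
import os
import stat
import tempfile

# Constructed sample smb.conf; EXAMPLEDOM and NTPDC1 are hypothetical site values.
SAMPLE_SMB_CONF = """\
[global]
   workgroup = EXAMPLEDOM
   security = domain
   password server = NTPDC1
"""

def global_section(text):
    """Return the [global] section of an smb.conf as {lowercased key: value}."""
    params, in_global = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_global = line.lower() == "[global]"
        elif in_global and "=" in line and line[0] not in "#;":
            key, _, val = line.partition("=")
            params[" ".join(key.lower().split())] = val.strip()
    return params

def check_domain_member(conf_text, private_dir):
    """Return the problems found; an empty list means the setup looks right."""
    g = global_section(conf_text)
    problems = []
    if g.get("security", "").lower() != "domain":
        problems.append("security is not 'domain'")
    for key in ("workgroup", "password server"):
        if not g.get(key):
            problems.append(key + " is not set")
    # <NT Domain>.<NetBIOS Name>.mac holds the trust account password: keep it rw-------
    for name in sorted(os.listdir(private_dir)):
        if name.endswith(".mac"):
            mode = stat.S_IMODE(os.stat(os.path.join(private_dir, name)).st_mode)
            if mode != 0o600:
                problems.append("%s has mode %o, expected 600" % (name, mode))
    return problems

def demo():
    """Run the check on a constructed private directory, before and after fixing the mode."""
    private = tempfile.mkdtemp()
    mac = os.path.join(private, "EXAMPLEDOM.SAMBABOX.mac")
    open(mac, "w").write("constructed-trust-password\n")
    os.chmod(mac, 0o644)                  # deliberately too open
    before = check_domain_member(SAMPLE_SMB_CONF, private)
    os.chmod(mac, 0o600)                  # the mode smbpasswd -j sets
    return before, check_domain_member(SAMPLE_SMB_CONF, private)
```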

Once the Samba server has joined the NT domain, the Samba box can validate
users against the NT PDC.  However, Samba will need some way of mapping the
determined user's NT RID ( relative ID ) to a valid unix uid.  There are
two ways to do this.   One is to use the "username map =" parameter.

The other is to create accounts for all your NT users in /etc/passwd on the
unix box.  There are some scripts available to help in the migration. These
perl scripts are available for download from the /pub/samba/contributed
directory on one of the Samba ftp mirrors.  The tarball is named
domain_member_scripts.tar.gz.

Accounts created on the unix box are only used to get a valid uid.  They
are not used for validation.  You can therefore set the password field to
whatever the lock string for your system is. Under most ( if not all )
versions of unix this is the '*' character.  Here is an example /etc/passwd
entry.

                jdoe:*:1124:100:NT Dummy account:/dev/null:/bin/false

Once you get to here, you should now be able to mount shares from the samba
server using valid domain accounts.

  ------------------------------------------------------------------------

This FAQ is maintained by Jerry Carter. E-mail comments / suggestions to
jerry@samba.org

All trademarks are the sole property of their respective owners.
