Linux board (digest area)
From: tcpip (all thunder, no rain), Board: Linux
Subject: ct:FAQforSambaNTDomainPDCsupport
Posted from: Harbin Institute of Technology Lilac BBS (Sat Jun 26 02:42:45 1999), forwarded
FAQ for Samba NT Domain PDC support
Last Update : Tue Mar 16 09:50:00 CST 1999
------------------------------------------------------------------------
NOTICE : Unless otherwise stated, all functionality described in this FAQ is
contained only in the HEAD samba branch, which is different from the main
distributed branch (e.g. 2.0.0 at the moment). The HEAD branch is used for
developmental purposes and should not be used in a production environment.
This does not mean that it does not work, but rather that it changes very quickly
and is to be considered a work in progress. The distributed version is
considered to be "stable" code but may not contain all the functionality of
the HEAD branch.
Also, the FAQ deals with functionality specific to the interaction between
Windows NT Domains and Samba. For general setup information, please refer
to the files located in the docs/ directory in the Samba distribution or to
the documentation links on the Samba home page.
------------------------------------------------------------------------
1. General Information
1.1. How do I know if I need Samba Primary Domain Controller
(PDC) support, and how much of its functionality is currently
implemented?
2. Setup
2.1. How do I download the latest Samba NT Domain Controller
code?
2.2. How do I get my NT Workstation / Server to join the Samba
controlled Domain?
2.3. When I try to join the domain I get the message "The
machine account for this computer either does not exist or is not
accessible."
2.4. I successfully joined the Samba controlled domain, but now
I can't login!
2.5. What's the status of print spool (\PIPE\spoolss) support in
the NTDOM code?
2.6. I keep getting the message "trust account xxx should be in
DOMAIN_GROUP_RID_USERS." What do I need to do?
2.7 I joined the domain successfully but after upgrading to a
newer version of the Samba code I get the message, "The system can
not log you on (C000019B), Please try again or consult your system
administrator" when attempting to logon.
3. Troubleshooting / Bug Reporting
3.1. What are some diagnostics tools I can use to debug the
domain logon process and where can I find them?
3.2. How do I install "Network Monitor" on an NT Workstation or
a Windows 9x box?
3.3. I've seen the bits on the wire, but where can I find out
what it all means?
3.4. I've tried all the debugging help from question 3.1 and
still can't get things working. What information should I
include in my posting to the samba-ntdom mailing list?
4. User Account Management
Roaming Profiles & Policies
4.1.1 Why is it bad to set "logon path = \\%N\%U\profile" in
smb.conf?
4.1.2 Why are all the users listed in the "domain admin users"
using the same profile?
User & Groups
4.2.1. When I run command line tool "x", that tries to use a
domain account, I get the message 'No mapping between usernames
and ID's was done.'
4.2.2. I really need to include domain accounts and groups in
the ACL's, but it won't work.
4.2.3. The roaming profiles do not seem to be updating on the
server.
Domain Administration
4.3.1. How do I configure an account as a domain administrator?
4.3.2. I can't get system policies to work.
Passwords
4.4.1. How do I get remote password (unix and SMB) changing
working?
5. Miscellaneous
5.1 Since I don't need to buy an NT Server CD now, how do I get
the "User Manager for Domains", the "Server Manager", and the
"Windows NT Policy Editor"?
6. security = domain
6.1 How do I get my samba server to become a member ( not PDC )
of an NT domain?
------------------------------------------------------------------------
1.1. How do I know if I need Samba Primary Domain Controller (PDC) support
and how much of its functionality is currently implemented?
If you wish to have Samba act as a PDC for Windows NT 3.51 and 4.0 clients,
then you will need to obtain the latest main branch source code (see 2.1).
The following is a list of currently included features:
* The ability to act as a PDC for Windows NT 3.51 Service Pack 5 and 4.0
Service Pack 4 clients. This includes adding NT machines to the
domain and authenticating users logging into the domain.
* Domain account can be viewed using the "User Manager for Domains".
* Viewing resources on the Samba PDC via the "Server Manager for
Domains" from the NT client.
* Windows 95 clients will allow "user level" security to be set but will
not currently allow browsing of accounts.
* Machine account password updates.
* Changing of user passwords from an NT client.
* Username <-> RID mapping
o some tools work with this, such as the NT Sec tools from Pedestal
Software.
o some tools, like explorer.exe, do not
* Partial support for Windows NT group and username mapping
* Support for a LDAP password database backend
Release of a stable, full featured Samba PDC is currently slated for
version 2.1. The NT domain client code is available beginning with
version 2.0. The following are not currently available in the NTDOM PDC
support but eventually will be.
* Trust relationships
* PDC <=> BDC integration
* Network printing (see question 2.5 for a workaround)
* Windows NT ACLs (on the Samba shares)
------------------------------------------------------------------------
2.1. How do I download the latest Samba NT Domain Controller code?
Before continuing, please be aware that the development branch of Samba
changes very rapidly. Recently there has been an average of 20 code
check-ins a day. You've been warned!
For general information on accessing the samba source code via CVS, see
http://cvs.samba.org/cvs.html
To download the latest Samba Domain Controller source code
* Obtain a recent copy of the cvs client binary. The cvs source code is
available from ftp://download.cyclic.com/pub/
* Now run the following command
cvs -d :pserver:cvs@samba.org:/cvsroot login
when you are prompted for a password, enter 'cvs' without the quotes.
* Now run the command
cvs -d :pserver:cvs@samba.org:/cvsroot co samba
* To update your source code run the following command
cvs update -d -P
If you want to update the entire archive of the main branch code, make sure
that you are located in the top directory of the samba tree (i.e. the
samba directory).
------------------------------------------------------------------------
2.2. How do I get my NT Workstation / Server to login to the Samba
controlled Domain?
* Obtain the latest main branch samba code ( see question 2.1)
* Set up samba with encrypted passwords: see ENCRYPTION.txt (probably
out of date: you no longer need the DES libraries, but other than
that, ENCRYPTION.txt is current).
At this point, it is advisable to test that your samba server is
accessible correctly with encrypted passwords, before progressing with
any of the NT workstation-specific bits: it's up to you.
* To create the machine account on the Samba PDC, first create an
account in /etc/passwd for the username workstation_name$. Currently
the uid is all that will be used, and this is to ensure that the samba
generated machine RID for the workstation account will be unique.
Therefore you should not reuse unix uids in /etc/passwd. The shell
and home directory fields in /etc/passwd are not used for now and can
be set to /bin/false and /dev/null respectively.
Here are some example entries:
ws1$:*:801:800:NT Workstation 1:/dev/null:/bin/false
ws2$:*:802:800:NT Workstation 2:/dev/null:/bin/false
Now run the following command
smbpasswd -a -m workstation_name
This will create an entry in the private/smbpasswd file in the form of
workstation_name$:uid:LM_XXX:NT_XXX:[W ]:LTC-XXXX:
The LM_XXX and NT_XXX fields are the ASCII representations of the 16
byte LanMan and NT MD4 hashes respectively of the password
workstation_name.
When a machine joins a domain it uses a default password (i.e. its
NetBIOS name in lower case letters). Once it has successfully joined
the domain, the client will change its password to some random value
using the old password as the encryption key. Therefore, if you must
rejoin the domain, you must reset the password for the workstation
trust account on the server.
* If using NT Server to log in, run the User Manager for Domains, and
grant "Everyone" (or "Authenticated Users", assuming NT4 SP3 or higher)
the capability to Log in Locally, which you would have to do even if
you were logging in to another NT PDC instead of a Samba PDC.
* Set up the following parameters in smb.conf
; substitute your workgroup here
workgroup = SAMBA
; tells workstations to use SAMBA as their Primary Domain Controller
domain logons = yes
* Starting smbd will create a file named private/SAMBA.SID with
permissions rw-r--r--. The file contains the domain SID for the samba
PDC. The filename will differ depending on the value of the workgroup
parameter. If the contents of this file change, no domain members
will be able to log on, and they will need to be re-added to the domain.
Guard it carefully!
* Make sure samba is running before the next step is carried out. If
this is your first time, just for fun you might like to switch the
debug log level to about 20. The NT pipes produce some very pretty
output when decoding requests and generating responses, which would be
particularly useful to see in tcpdump at some point.
* In the NT Network Settings, change the domain to SAMBA. Do not attempt
to create an account using the other part of the dialog; it will fail
at present. You should get a wonderful message saying "Welcome to the
SAMBA Domain."
If you don't, then please first increase your debug log levels and
also get a tcpdump (or preferably NetMonitor) trace and examine it
carefully. You should see a NETLOGON, a SAMLOGON on UDP port 138. If
you don't, then you probably don't have "domain logons = yes" or there
is some other problem in resolving the NetBIOS name SAMBA<1c>.
On port 139, you should see a LSA_OPEN_POLICY, two LSA_QUERY_INFOs
(one for a domain SID of S-1-3... and another for S-1-5) and then an
LSA_CLOSE or two. You may see a pipe connection to a wkssvc pipe, and
you may also see a "Net Server Get Info" being issued on the srvsvc
pipe.
Assuming you got the Welcome message, go through the obligatory reboot
(the NT box, not the Samba server).
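As an added example (not part of this FAQ and not code from the Samba distribution), the POSIX shell functions below check a proposed workstation trust account against a passwd-format file before the entry is appended and "smbpasswd -a -m" is run: the account name gets the "$" suffix, an account that already exists is refused, and the first unused uid at or above a starting value is chosen so that the machine RID derived from the uid stays unique. The passwd file path, the group id and the starting uid are assumptions passed in as arguments.

```shell
#!/bin/sh
# Added example, not from the FAQ or the Samba project: generate and sanity-
# check /etc/passwd entries for workstation trust accounts. FILE, GID and
# START_UID are caller-supplied assumptions.

# uid_in_use FILE UID -> exit 0 if UID already appears in FILE
uid_in_use() {
    awk -F: -v u="$2" '$3 == u { found = 1 } END { exit !found }' "$1"
}

# name_in_use FILE NAME -> exit 0 if account NAME already exists in FILE
name_in_use() {
    awk -F: -v n="$2" '$1 == n { found = 1 } END { exit !found }' "$1"
}

# next_free_uid FILE START -> prints the first uid >= START not used in FILE,
# so a machine account never reuses a uid (and hence a RID)
next_free_uid() {
    uid="$2"
    while uid_in_use "$1" "$uid"; do
        uid=$((uid + 1))
    done
    echo "$uid"
}

# trust_account_entry FILE WSNAME GID START_UID
# Prints the passwd line for workstation WSNAME (NetBIOS name with "$"
# appended) or fails if that account already exists. Home directory and shell
# are unused by the PDC code, so they are /dev/null and /bin/false as above.
trust_account_entry() {
    file="$1"; ws="$2"; gid="$3"; start="$4"
    acct="${ws}\$"
    if name_in_use "$file" "$acct"; then
        echo "error: $acct already exists in $file" >&2
        return 1
    fi
    uid=$(next_free_uid "$file" "$start")
    echo "${acct}:*:${uid}:${gid}:NT Workstation ${ws}:/dev/null:/bin/false"
}
```

Typical use is trust_account_entry /etc/passwd ws3 800 801 (review the printed line, then append it to /etc/passwd) followed by smbpasswd -a -m ws3; the lookup functions read the file they are given, so you can point them at a copy while testing.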
------------------------------------------------------------------------
2.3. When I try to join the domain I get the message "The machine account
for this computer either does not exist or is not accessible."
The first thing to do is to make sure that the entry for the machine
account in the smbpasswd file on the Samba PDC is correct. If you added the
account manually rather than using the smbpasswd utility, make sure that
the account name is the machine NetBIOS name with a '$' appended to it
(i.e. computer_name$) and the password is the machine name in **lower** case
letters. Also make sure that the account type is [W ]. Some
people have reported that inconsistent subnet masks between the Samba
server and the NT client have caused this problem. Make sure that these
are consistent for both client and server.
------------------------------------------------------------------------
2.4. I successfully joined the Samba controlled domain, but now I can't
login!
* When pressing Ctrl-Alt-Delete, the NT login box should have three
entries. If there is a delay of about twenty seconds between pressing
Ctrl-Alt-Delete and the appearance of this login dialog, then there
might be a problem: at this stage the workstation is issuing an
LSA_ENUMTRUSTEDDOMAIN request.
The domain box should have two entries: the hostname and the SAMBA
domain. Any local accounts are under the hostname domain. Global
groups are defined using the "domain group map" parameter. Select the
SAMBA domain, and type in a valid username and password for which
there is a valid entry in the samba server's smbpasswd LM/NT OWF
database.
You should see an LSA_REQ_CHAL, followed by LSA_AUTH2,
LSA_NET_SRV_PWSET, and LSA_SAM_LOGON. The SAM Logon will be
particularly large (the response can be approximately 600 bytes) as it
contains user info.
Also, there will probably be a "Net Server Get Info" and a "Net Share
Enum" amongst this lot. If the SAM Logon is successful, the dialog
should disappear, and a standard SMB connection established to
download the profile specified in the SAM Logon (if it was).
At this point, you _may_ encounter difficulties in creating a remote
profile, and the login may terminate (generating an LSA_SAM_LOGOFF).
If this occurs, then either find an existing profile on the samba
server and copy it into the location specified by the "logon path"
smb.conf parameter for the user logging in, or log in on the local
machine, and use the System | Profiles control panel to make a copy of
the _local_ profile onto the samba server. This process is described
and documented in the NT Help Files.
* Play around. Look at the Samba Server: see if it can be found in the
browse lists. Check that it is accessible; run some applications.
Generally stress things. Laugh a lot. Logout of the NT machine
(generating an LSA_SAM_LOGOFF) and log back in again. Try logging in
two users simultaneously. Try logging the same user in twice. Make
Samba fall over, and then send bug reports to us, with NTDOM: at the
start of the subject line, as samba-bugs@samba.org. Join the
samba-ntdom@samba.org mailing list: help with or watch the latest
developments.
------------------------------------------------------------------------
2.5. What's the status of print spool (\PIPE\spoolss) support in the NTDOM
code?
The implementation of support for the \PIPE\spoolss pipe is about 75% done
but has not been checked into the HEAD branch code (well, not exactly
true... parts of it have). The current solution implemented in Samba 2.0 is
to cause the NT box to thunk back down to the LanMan printing calls. If you
add a printer from a Samba 2.0 server, the port should appear in the
connection as a LanMan printer port.
------------------------------------------------------------------------
2.6. I keep getting the message "trust account xxx should be in
DOMAIN_GROUP_RID_USERS." What do I need to do?
Nothing. This is a note that one of the developers put in to remind him
of an issue that is yet to be resolved. It is harmless and should be
ignored. If you find it filling up your debug logs, you can set it to be
logged at a higher level. Edit passdb/sampass.c and locate the string. Then
change the debug level from 0 to 3 or higher.
------------------------------------------------------------------------
2.7 I joined the domain successfully but after upgrading to a newer
version of the Samba code I get the message, "The system can not log
you on (C000019B), Please try again or consult your system administrator"
when attempting to logon.
This occurs when the domain SID stored in private/WORKGROUP.SID is changed.
For example, you remove the file and smbd automatically creates a new one,
or you are swapping back and forth between versions 2.0.x and the HEAD
branch code (not recommended). The only ways to correct the problem are to
* Restore the original domain SID, or
* Remove the domain client from the domain and rejoin.
------------------------------------------------------------------------
3.1. What are some diagnostics tools I can use to debug the domain logon
process and where can I find them?
* One of the best diagnostic tools for debugging problems is Samba
itself. You can use the -d option for both smbd and nmbd to specify
the "debug" level at which to run. See the man pages on smbd, nmbd
and smb.conf for more information on debugging options. The debug
level can range from 1 (the default) to around 100, but a debug level
of about 20 will normally help you find any errors that samba is
encountering.
* Another helpful method of debugging is to compile samba using the gcc
-g flag. This will include debug information in the binaries and
allow you to attach gdb to the running smbd / nmbd process. In order
to attach gdb to an smbd process for an NT workstation, first get the
workstation to make the connection. Pressing Ctrl-Alt-Delete and going
down to the domain box is sufficient (at least, on the first time you
join the domain) to generate a "LsaEnumTrustedDomains". Thereafter,
the workstation maintains an open connection, and therefore there will
be an smbd process running (assuming that you haven't set a really
short smbd idle timeout). So, in between pressing Ctrl-Alt-Delete and
actually typing in your password, you can attach gdb and continue.
* An SMB enabled version of tcpdump is available from
ftp://samba.org/pub/samba/tcpdump-smb/
Capconvert is a small C program for translating output from
tcpdump-smb to CAP format that can be read by netmon. You will need
to use the raw output from tcpdump (i.e. tcpdump -w output.dump).
Good news! Now you can convert Solaris' snoop output as well. The C
source code for snoop2cap is available for download.
* For tracing things on Microsoft Windows NT, Network Monitor (aka
netmon) is available on the Microsoft Developer Network CDs, the
Windows NT Server install CD and the SMS CDs. The version of netmon
that comes with SMS allows for dumping packets between any two
computers (i.e. placing the network interface in promiscuous mode).
The version on the NT Server install CD will only allow monitoring of
network traffic directed to the local NT box and broadcasts on the
local subnet.
------------------------------------------------------------------------
3.2. How do I install "Network Monitor" on an NT Workstation or a Windows
9x box?
Installing netmon on an NT workstation requires a couple of steps. The
following are for installing Netmon V4.00.349, which comes with Microsoft
Windows NT Server 4.0, on Microsoft Windows NT Workstation 4.0. The
process should be similar for other versions of Windows NT / Netmon. You
will need
* The Microsoft Windows NT Server 4.0 install CD.
* The Microsoft Windows NT Workstation 4.0 install CD.
Initially you will need to install "Network Monitor Tools and Agent" on the
NT Server. To do this
1. Go to Start -> Settings -> Control Panel -> Network -> Services -> Add
2. Select the "Network Monitor Tools and Agent" and click on "OK".
3. Click "OK" on the Network Control Panel.
4. Insert the Windows NT Server 4.0 install CD when prompted.
At this point the Netmon files should exist in
%SYSTEMROOT%\System32\netmon\*.* Two subdirectories exist as well:
parsers\, which contains the necessary DLLs for parsing the netmon packet
dump, and captures\.
In order to install the Netmon tools on an NT Workstation, you will first
need to install the "Network Monitor Agent" from the Workstation install
CD.
1. Go to Start -> Settings -> Control Panel -> Network -> Services -> Add
2. Select the "Network Monitor Agent" and click on "OK".
3. Click "OK" on the Network Control Panel.
4. Insert the Windows NT Workstation 4.0 install CD when prompted.
Now copy the files from the NT Server in %SYSTEMROOT%\System32\netmon\*.*
to %SYSTEMROOT%\System32\netmon\*.* on the Workstation and set permissions
as you deem appropriate for your site. You will need administrative rights
on the NT box to run netmon.
To install Netmon on a Windows 9x box
* install the network monitor agent from the Windows 9x CD
(\admin\nettools\netmon). There is a readme file located with the
netmon driver files on the CD if you need information on how to do
this.
* Copy the files from a working Netmon installation.
* Run netmon on Windows 9x :-)
------------------------------------------------------------------------
3.3. I've seen the bits on the wire, but where can I find out what it all
means?
There are many sources of information available in the form of mailing
lists, RFC's and documentation. The docs that come with the samba
distribution contain very good explanations of general SMB topics such as
browsing.
* Mailing Lists :
o samba-ntdom@samba.org <Listproc server>
This list is devoted to implementing support for "NT domains for
Unix". Archive located at http://samba.org/listproc/samba-ntdom
o samba-technical@samba.org <Listproc server>
Mailing list for normal samba development. Archive
located at http://samba.org/listproc/samba-technical
o samba@samba.org <Listproc server>
Mailing list for normal samba deployment. Archive
located at http://samba.org/listproc/samba
o CIFS@DISCUSS.MICROSOFT.COM <Listproc server>
Discussion of the CIFS ( Common Internet File System ) protocol
Archive located at
http://discuss.microsoft.com/archives/cifs.html
* URL's
o Home of Samba site http://samba.org
o Misc links to CIFS information http://samba.org/cifs/
o NT Domains for Unix http://mailhost.cb1.com/~lkcl/ntdom/
o Microsoft's main CIFS page:
http://www.microsoft.com/workshop/networking/cifs/
o FTP site for older SMB specs:
ftp://ftp.microsoft.com/developr/drg/CIFS/
* RFC's
o RFC1001 (March '87) Protocol standard for a NetBIOS service on a
TCP/UDP transport: Concepts and methods.
http://ds.internic.net/rfc/rfc1001.txt
o RFC1002 (March '87) Protocol standard for a NetBIOS service on a
TCP/UDP transport: Detailed specifications.
http://ds.internic.net/rfc/rfc1002.txt
o CIFS specifications
+ CIFS/E Browser Protocol draft-leach-cifs-browser-spec-00.txt
+ CIFS Remote Administration Protocol
draft-leach-cifs-rap-spec-00.txt
+ CIFS Logon and Pass Through Authentication
draft-leach-cifs-logon-spec-00.txt
+ A Common Internet File System (CIFS/1.0) Protocol
draft-leach-cifs-v1-spec-01.txt
+ CIFS Printing Specification
draft-leach-cifs-print-spec-00.txt
------------------------------------------------------------------------
3.4. I've tried all the debugging help from question 3.1 and still can't
get things working. What information should I include in my posting to the
samba-ntdom mailing list?
If you post a problem regarding setting up samba PDC support to the
samba-ntdom mailing list, please include the following information
* The date when you last checked out the main code via cvs.
* The OS and version of the server on which you are running samba.
* The relevant sections of your smb.conf file; at least the options in
[global] that affect PDC support.
* Partial log files written at a debug level of at least 20. Please
don't send the entire log but enough to give the context of the error
messages.
* If you have a complete netmon trace ( from the opening of the pipe to
the error ) you can send the *.CAP file as well.
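As an added example (not from this FAQ or the Samba project), the shell functions below collect the server-side items from that list in a form you can paste into a report: the OS version, the [global] section of smb.conf with comments and blank lines stripped, and the values of the parameters that matter for PDC support. The smb.conf path is passed in; workgroup, domain logons, encrypt passwords and security are real smb.conf parameters, but choosing exactly these four to report is this example's assumption.

```shell
#!/bin/sh
# Added example, not from the FAQ or the Samba project: extract the smb.conf
# details a PDC bug report should contain. FILE is caller-supplied.

# smbconf_section FILE SECTION -> prints the parameter lines of [SECTION],
# skipping blank lines and ';' / '#' comments. Section names are compared
# case-insensitively here.
smbconf_section() {
    awk -v want="$2" '
        /^[[:space:]]*\[/ {
            s = $0
            sub(/^[[:space:]]*\[/, "", s)
            sub(/\].*$/, "", s)
            insec = (tolower(s) == tolower(want))
            next
        }
        insec && !/^[[:space:]]*[#;]/ && !/^[[:space:]]*$/ { print }
    ' "$1"
}

# smbconf_get FILE SECTION PARAM -> prints the value of PARAM in [SECTION]
# (first match wins; whitespace around name and value is trimmed; a value
# that itself contains "=" is kept whole; nothing is printed if unset)
smbconf_get() {
    smbconf_section "$1" "$2" | awk -v p="$3" '
        index($0, "=") == 0 { next }
        {
            k = substr($0, 1, index($0, "=") - 1)
            gsub(/^[[:space:]]+|[[:space:]]+$/, "", k)
            if (tolower(k) == tolower(p)) {
                v = substr($0, index($0, "=") + 1)
                gsub(/^[[:space:]]+|[[:space:]]+$/, "", v)
                print v
                exit
            }
        }'
}

# pdc_report FILE -> prints the server OS, the [global] section and the
# PDC-related parameters, ready to paste into a mailing list posting
pdc_report() {
    echo "== uname -a =="
    uname -a
    echo "== [global] section of $1 =="
    smbconf_section "$1" global
    echo "== PDC-related parameters =="
    for p in workgroup "domain logons" "encrypt passwords" security; do
        printf '%s = %s\n' "$p" "$(smbconf_get "$1" global "$p")"
    done
}
```

Run pdc_report /usr/local/samba/lib/smb.conf (or wherever your smb.conf lives) and attach the output together with the log excerpts; smbconf_get on its own is handy for confirming that "domain logons = yes" is really in effect before posting.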
------------------------------------------------------------------------
4.1.1. Why is it bad to set "logon path = \\%N\%U\profile" in smb.conf?
Sometimes Windows clients will maintain a connection to the [homes] ( or
[%U] ) share even after the user has logged out. Consider the following
scenario.
* user1 logs into the Windows NT machine. Therefore the [homes] share
is set to \\server\user1.
* user1 works for a while and then logs out.
* user2 logs into the same Windows NT machine.
However, since the NT box has maintained a connection to [homes], which was
previously set to \\server\user1, when the operating system attempts to get
user2's profile it goes through that connection: if user2 can read user1's
profile it will get that one, otherwise it will get an error. You get the
picture.
A better solution is to use a separate [profiles] share and set "logon
path = \\%N\profiles\%U".
------------------------------------------------------------------------
4.1.2. Why are all the users listed in the "domain admin users" using the
same profile?
The 'domain admin users' parameter is obsolete. Please see Q4.3.1.
There are several well known RIDs in Windows NT. One of these is the
admin RID, which is 500. Currently samba supports domain admin users by
assigning them the Administrator RID of 500 rather than the way that normal
user RIDs are generated (by adding 1000 to the unix uid). This will change
in the future as more is learned about the methods to implement this and as
NT groups become supported.
The hard coded RID for domain admins can cause users to share profiles if
you are not deleting the cached copy of the user profile after the
user logs out.
------------------------------------------------------------------------
4.2.1. When I run command line tool "x", that tries to use a domain
account, I get the message 'No mapping between usernames and ID's was done.
The username <-> RID mapping and some related remote procedure calls are
not yet complete. If you get this failure, please report it, and how to
reproduce it, to the samba-ntdom@samba.org mailing list.
------------------------------------------------------------------------
4.2.2. I really need to include domain accounts and groups in the ACL's,
but it won't work.
Some tools will work. For example, the NT Sec tools sold by Pedestal
Software work for me. I can successfully include domain users and groups
in local file ACLs. These tools also allow you to include users and groups
in share permissions as well. However, the Windows Explorer
(explorer.exe) does not work. The cacls.exe tool that ships with Windows
NT may also work.
------------------------------------------------------------------------
4.2.3. The roaming profiles do not seem to be updating on the server.
There can be several reasons for this.
* Make sure that the time on the client and the PDC are synchronized.
You can accomplish this by executing a net time \\server /set /yes
replacing server with the name of your PDC (or another synchronized
SMB server).
* Make sure that the logon path is writeable by the user and make sure
that the connection to the logon path location is made by the current user.
Sometimes Windows clients do not drop the connection immediately upon
logoff.
* Some people have reported that the logon path location should also be
browseable. I have yet to empirically verify this, but you can try.
------------------------------------------------------------------------
4.3.1. How do I configure an account as a domain administrator?
This has changed in the latest version of the HEAD branch. The "domain
admin users" and "domain admin group" parameters have gone away. See the
smb.conf man page for information on
* domain group map
* domain user map
* local group map
Here are some sample notes.
To put users in the "Domain Admins" group
* Choose a suitable UNIX group, for example the group "adm". Add the
following parameter to smb.conf
domain group map = /usr/local/samba/lib/domaingroup.map
* Now create /usr/local/samba/lib/domaingroup.map and add the following
line. The quotes are necessary for group names that include spaces.
adm="Domain Admins"
* In /etc/group (or the NIS map), put any user you want to be a "Domain
Admin" in the group "adm". These users will have Domain Admin rights
on the workstations and will, for example, have Domain Admins policy
rules (ie permissions) applied to them. They can take the workstation
out of a domain, remove or edit profiles on the machine etc.
To add users to the local Administrator accounts on machines
* Add the following parameter to smb.conf
local group map = /usr/local/samba/lib/localgroup.map
* Choose a suitable unix group, for example "wheel", and add the
following entry to the local group map file
wheel=BUILTIN\Administrators
* Then in /etc/group (or the NIS map), any users that you want to be
local administrators must be in the group "wheel".
Now to map NT user accounts to unix accounts
* Add the following parameter to smb.conf
domain user map = /usr/local/samba/lib/domainuser.map
* In the file /usr/local/samba/lib/domainuser.map put :
root=Administrator
* Then run
smbpasswd -a root
and enter a password.
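The map files above are easy to get subtly wrong (a unix group on the left that does not exist in /etc/group, a quoted NT name with a typo), and a wrong mapping silently fails to grant or, worse, grants rights to the wrong group. As an added example (not from this FAQ or the Samba project), these POSIX shell functions check a "domain group map" or "local group map" file of the unixgroup="NT Group" form shown above against a group(5) file and report every unix group that is missing. Both file paths are passed in as assumptions.

```shell
#!/bin/sh
# Added example, not from the FAQ or the Samba project: validate a Samba
# group map file (lines like adm="Domain Admins" or
# wheel=BUILTIN\Administrators) against a group(5) file.

# map_unix_group LINE -> prints the unix group on the left of '='
map_unix_group() {
    printf '%s\n' "$1" | sed 's/=.*//; s/^[[:space:]]*//; s/[[:space:]]*$//'
}

# map_nt_group LINE -> prints the NT group on the right of '=', quotes stripped
map_nt_group() {
    printf '%s\n' "$1" | sed 's/^[^=]*=//; s/^"//; s/"$//'
}

# group_exists GROUPFILE NAME -> exit 0 if NAME is a group in GROUPFILE
group_exists() {
    awk -F: -v g="$2" '$1 == g { found = 1 } END { exit !found }' "$1"
}

# check_group_map MAPFILE GROUPFILE
# Prints "unixgroup -> NT group" for each mapping whose unix group exists,
# reports the others on stderr, and returns the number of bad lines
# (0 means every mapped unix group is defined).
check_group_map() {
    bad=0
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in ''|'#'*) continue ;; esac
        ug=$(map_unix_group "$line")
        ng=$(map_nt_group "$line")
        if group_exists "$2" "$ug"; then
            printf '%s -> %s\n' "$ug" "$ng"
        else
            printf 'missing unix group "%s" (mapped to NT group "%s")\n' "$ug" "$ng" >&2
            bad=$((bad + 1))
        fi
    done < "$1"
    return "$bad"
}
```

Run it as check_group_map /usr/local/samba/lib/domaingroup.map /etc/group after editing either file; a non-zero exit status means at least one mapping points at a unix group nobody can be a member of. With NIS, feed it the output of ypcat group instead of /etc/group.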
------------------------------------------------------------------------
4.3.2. I can't get system policies to work.
There are two possible reasons for system policies not functioning
correctly.
* Make sure that you have the following parameters set in smb.conf
[netlogon]
....
locking = no
public = no
browseable = yes
....
* Play with the case settings and up the debug level of smbd. See what
file the NT client is looking for. People have reported success using
NTconfig.pol, NTconfig.POL and ntconfig.pol. These are the case
settings that I use with the filename ntconfig.pol
case sensitive = no
case preserve = yes
default case = yes
------------------------------------------------------------------------
4.4.1 How do I get remote password (unix and SMB) changing working?
Ensure you have the following in smb.conf :
unix password sync = yes
passwd program = /usr/bin/passwd %u
passwd chat = *password* %n\n *password* %n\n *successfull*
The actual value of the second and third line will vary with your system.
The passwd program will be run with root privilege so make sure the text
that you supply is correct for a root operation. The man pages suggest you
can use double quotes to 'collect strings with spaces in them'. Reports
from users indicated that this did not work well; examining the strings
being submitted indicated that the program was having trouble parsing the
string so it is better to avoid the spaces and rely on the *.
You do not need to add -DALLOW_CHANGE_PASSWORD to the makefile. It is built
in, and the change happens as root, not as the user, as is indicated in
~/smbd/chgpasswd.c. If you are using NIS, the Samba server must be running
on the NIS master machine.
------------------------------------------------------------------------
5.1 Since I don't need to buy an NT Server CD now, how do I get the "User
Manager for Domains", the "Server Manager", and the "Windows NT Policy
Editor"?
Microsoft distributes a version of these tools called nexus for
installation on Windows 95 systems. The tools set includes
* Server Manager
* User Manager for Domains
* Event Viewer
Click here to download the archived file.
The Windows NT 4.0 version of the
* User Manager for Domains
* Server Manager
are available from Microsoft via ftp. Click here to download.
Windows NT Policy Editor
To create or edit ntconfig.pol you must use the NT Server Policy Editor
(poledit.exe), which is included with NT Server but **not** NT Workstation.
Although the Windows 95 Policy Editor can be installed on an NT
Workstation/Server, it will not work with NT policies because of the registry
keys that are set by the policy templates.
If you need a copy of the Windows NT policy editor, one is included
with the Service Pack 3 (and 4) for Windows NT 4.0. Extract the files
using servicepackname /x. The policy editor (poledit.exe) and the
associated template files (*.adm) should be extracted as well. It is also
possible to download the policy template files for Office97 and get a
copy of the policy editor. Another possible location is with the Zero
Administration Kit available for download from Microsoft.
------------------------------------------------------------------------
6.1 How do I get my samba server to become a member ( not PDC ) of an NT
domain?
Samba now supports a new value for the "security" global parameter in
smb.conf. By setting "security = domain" in the configuration file, a
samba server is able to act as a full member of an NT Domain (even if it
has a Samba server as a PDC ). The Samba box can join the NT domain, but
users must still be defined in the local /etc/passwd file. Jeremy Allison
wrote a good article for Linuxworld explaining the domain security model
support in Samba 2.0 (see lw-10-samba.html ). You should also refer to
DOMAIN_MEMBER.txt included in the Samba distribution. The "security =
domain" support is included in Samba 2.0.
Here are the steps for setting things up. When the instructions refer to
the client machine, they mean the samba machine which you want to join to
the NT Domain.
* First, create a machine account on the PDC for the client samba
machine. If you are doing this on a Samba PDC, then follow the
instructions in question 2.2 regarding creating the machine accounts.
If you are using an actual NT Server as the PDC, then follow normal
procedures for creating the machine account using the Server Manager.
* Now set "workgroup = <NT Domain>" and "password server = <NetBIOS name
of PDC>" in the global section of the smb.conf file on the client
machine, replacing <NT Domain> and <NetBIOS name of PDC> with values
appropriate for your site.
* Start samba on the client machine. Note that the directory where the
smbpasswd file would be located should exist as this is where smbd
will generate the MACHINE.SID file.
* Finally run "smbpasswd -j <NT Domain>" on the client samba machine.
If all goes well, you will see a message saying that the samba machine
has successfully joined the <NT Domain>. This will create a file in
the same directory as MACHINE.SID, named <NT Domain>.<NetBIOS
Name>.mac which will contain the trust account password for the samba
domain member. The permissions are set to "rw-------". Do Not change
these for security reasons.
Once the Samba server has joined the NT domain, the Samba box can validate
users against the NT PDC. However, Samba will need some way of mapping the
determined user's NT RID ( relative ID ) to a valid unix uid. There are
two ways to do this. One is to use the "username map =" parameter.
The other is to create accounts for all your NT users in /etc/passwd on the
unix box. There are some scripts available to help in the migration. These
perl scripts are available for download from the /pub/samba/contributed
directory on one of the Samba ftp mirrors. The tarball is named
domain_member_scripts.tar.gz.
Accounts created on the unix box are only used to get a valid uid. They
are not used for validation. You can therefore set the password field to
whatever the lock string for your system is. Under most (if not all) versions
of unix this is the '*' character. Here is an example /etc/passwd entry.
jdoe:*:1124:100:NT Dummy account:/dev/null:/bin/false
Once you get to here, you should now be able to mount shares from the samba
server using valid domain accounts.
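Two files in Samba's private directory deserve a routine check: the domain SID file from 2.2 and 2.7 (created rw-r--r--, and unrecoverable for existing domain members if its contents change) and the <NT Domain>.<NetBIOS Name>.mac trust account password file from this section (rw-------, never to be loosened). As an added example (not from this FAQ or the Samba project), the shell functions below audit that directory for modes that differ from what the FAQ states and take a verified, owner-only backup of the SID file so the original value can be restored. The directory path is an assumption; the functions rely only on ls, cp, chmod and cmp.

```shell
#!/bin/sh
# Added example, not from the FAQ or the Samba project: audit the modes of the
# SID and .mac files in Samba's private directory and back up the SID file.
# DIR and FILE are caller-supplied assumptions.

# perms_of FILE -> prints the 10-character mode string from ls -l, e.g. -rw-------
perms_of() {
    ls -ld "$1" | cut -c1-10
}

# check_mode FILE EXPECTED -> exit 0 if FILE's mode string equals EXPECTED
check_mode() {
    [ "$(perms_of "$1")" = "$2" ]
}

# audit_private_dir DIR
# Reports every *.SID file that is not rw-r--r-- (the mode smbd creates it
# with) and every *.mac file that is not rw------- (the mode the join sets).
# Other files are ignored. Returns the number of mismatches.
audit_private_dir() {
    bad=0
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        case "$f" in
            *.SID) want='-rw-r--r--' ;;
            *.mac) want='-rw-------' ;;
            *) continue ;;
        esac
        if ! check_mode "$f" "$want"; then
            printf '%s: mode %s, expected %s\n' "$f" "$(perms_of "$f")" "$want" >&2
            bad=$((bad + 1))
        fi
    done
    return "$bad"
}

# backup_secret FILE DESTDIR
# Copies FILE to DESTDIR/<name>.bak, created owner-read/write only, verifies
# the copy byte for byte and prints the backup path. Fails (non-zero) if the
# copy could not be made or does not match.
backup_secret() {
    src="$1"; dest="$2/$(basename "$1").bak"
    ( umask 077 && cp "$src" "$dest" ) || return 1
    chmod 600 "$dest" || return 1
    cmp -s "$src" "$dest" || return 1
    printf '%s\n' "$dest"
}
```

Run audit_private_dir /usr/local/samba/private from cron and treat a non-zero exit as something to look at; run backup_secret on the SID file once the first workstation has joined, and keep the .bak somewhere the web of other admins cannot reach, since restoring it is the only fix short of rejoining every client (see 2.7).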
------------------------------------------------------------------------
This FAQ is maintained by Jerry Carter. E-mail comments / suggestions to
jerry@samba.org
All trademarks are the sole property of their respective owners.
--
☆ Source: Harbin Institute of Technology Lilac BBS bbs.hit.edu.cn [FROM: bin@mtlab.hit.edu.cn]