autogen

[Samba/ekacnet.git] / docs / textdocs / samba-pdc-faq.txt

!==
!== samba-pdc-faq.txt for Samba release 2.2.0-alpha3 24 Mar 2001
!==

The Samba 2.2 PDC FAQ

David Bannon

   La Trobe University
     _________________________________________________________________
     _________________________________________________________________
   
   Comments, corrections and additions to <D.Bannon@samba.org>
   
     Note: Please read the Introduction for the current state of play.
     
   This is the FAQ for Samba 2.2 as an NTDomain controller. This document
   is derived from the origional FAQ that was built and maintained by
   Gerald Carter from the early days of Samba NTDomain development up
   until recently. It is now being updated as significent changes are
   made to 2.2.0.
   
   Please note it does not apply to Samba2.2alpha0, Samba2.2alpha1, Samba
   2.0.7, TNG nor HEAD branch.
   
   I'll repeat, it does not apply to the current snapshot [ftp
   mirror]:/pub/samba/alpha/samba-2.2.0-alpha1.tar.gz, only to the to the
   current cvs.
   
   Also available is a Samba 2.2 PDC HowTo that takes you, step by step,
   over the process of setting up a very basic Samba 2.2 Primary Domain
   Controller
   
   Table of Contents
   1. Introduction
          
        State of Play
        Introduction
                
   2. General Information
          
        What can we do ?
                
              What can Samba Primary Domain Controller (PDC) do ?
              Can I have a Windows 2000 client logon to a Samba
                      controlled domain?
                      
              Can a samba server join a Win2000 domain ?
              What's the status of print spool (spoolss) support in the
                      NTDOM code?
                      
        CVS
                
              What are the different Samba branches available in CVS ?
              What are the CVS commands ?
                      
   3. Establishing Connections
          
              How do I get my NT4 or W2000 Workstation to login to the
                      Samba controlled Domain?
                      
              What is a 'machine account' ?
              "The machine account for this computer either does not
                      exist or is not accessable."
                      
              How do I create machine accounts manually ?
              I cannot include a '$' in a machine name.
              I get told "You already have a connection to the
                      Domain...." when creating a machine account.
                      
              I get told "Cannot join domain, the credentials supplied
                      conflict with an existing set.."
                      
              "The system can not log you on (C000019B)...."
                      
   4. User Account Management
          
        Domain Admins
                
              How do I configure an account as a domain administrator?
                      
        Profiles
                
              Why is it bad to set "logon path = \\%N\%U\profile" in
                      smb.conf? ?
                      
              Why are all the users listed in the "domain admin users"
                      using the same profile?
                      
              The roaming profiles do not seem to be updating on the
                      server.
                      
              Is it possible to store the users profile on workstation
                      and not on server?
                      
        Policies
                
              What are 'Policies' ?.
              I can't get system policies to work.
              What about Windows NT Policy Editor ?
              Can Win95 do Policies ?
                      
        Passwords
                
              What is password sync and should I use it ?
              How do I get remote password (unix and SMB) changing
                      working ?
                      
   5. Miscellaneous
          
              How do I send a message to a PC running windows from a
                      samba server ?
                      
              What editor can I use in DOS/Windows that won't mess with
                      my unix EOF
                      
              How do I get 'User Manager' and 'Server Manager'
              Can I make my samba server a Time server too ?
              The time setting from a Samba server does not work.
              "trust account xxx should be in DOMAIN_GROUP_RID_USERS"
              How do I get my samba server to become a member ( not PDC )
                      of an NT domain?
                      
   6. Troubleshooting and Bug Reporting
          
        Diagnostic tools
                
              What are some diagnostics tools I can use to debug the
                      domain logon process and where can I find them?
                      
              How do I install 'Network Monitor' on an NT Workstation or
                      a Windows 9x box?
                      
        What other help can I get ?
                
              URLs and similar
              How do I get help from the mailing lists ?
              How do I get off the mailing lists ?
     _________________________________________________________________
   
Chapter 1. Introduction

State of Play

   It should be noted that 2.2.0 in its pre-release form still has a few
   problems, I'll try and keep this section current while things are
   still dynamic. At the time of this update (December 15, 2000) the
   current state of play is :
   
   Comments here about W2K joining the domain apply only to Samba 2.2
   from the CVS after November 27th. The 'snapshot' release
   Samba2.2alpha1 (typically obtained via FTP) does not work !!! See
   below on how to get a CVS tree.
   
   Bug ListI would really appriciate some confirmation that some of these
   bugs are fixed. I don't have a usefull test setup at present so need a
   bit of feedback.
   
   Know Bug ?There has been a suggestion that some of the problems that
   some people have experienced may be due to using gcc from RedHat 7.0.
   The alternative is to use kgcc - feedback desperatly needed !
   
   Known Bug !W2K machines will not successfully join a domain with a
   name that is made up from an even number of characters. Yep, thats
   right ! BIOTEST is OK as is MYDOMAI but MYDOMAIN will not work until
   this bug is fixed. Hmm.., we believe that this bug is fixed, but see
   below.
   
   Known Bug !After some bugs were fixed just before Christmas, W2K SP1
   machines cannot join the domain. Expected to be fixed early in the new
   year. Whats that ? yeah, samba developers have a Christmas break too !
   
   Know Bug !NTs (and possibly W2K ?) are not told the logged on user is
   a domain admin if the parameter "domain admin users = user" is used.
   The alternative, "domain admin group" does work. See the HowTo.
   
   Client Side creation of Machine accounts does work but is not
   complete. Firstly, the add user script runs as the user who's name was
   entered, not as root. Secondly, the machine name passed to the script
   (%U) has an underscore at the end, not a '$'. One alternative is to
   use %m and add the $. This method is documented in the HowTo. And
   thirdly, it does not work with NT4ws.
   
   A W2K machine can join the domain. See the HowTo which explains the
   process. The methods described are 'work arounds' and should be
   regarded as temporary. Although I (drb) have tested these procedures a
   number of people have had difficulty so there may be other issues at
   work. JFM is aware of these problems and will attend to them when he
   can.
   
   A Domain Admin account is required and at present it appears that only
   root is a suitable candidate.
   
   Much of the related code does work. For example, if an NT is removed
   from the domain and then rejoins, the Create a Computer Account in the
   Domain dialog will let you reset the smbpasswd. That is you don't need
   to do it from the unix box. However, at the present, you do need to
   have root as an administrator and use the root user name and password.
   
   Actually I'm not sure that last paragraph is correct ....
   
   Policies do work on a W2K machine. MS says that recent builds of W2K
   dont observe an NT policy but it appears it does in 'legacy' mode.
     _________________________________________________________________
   
Introduction

   This FAQ was origionally compiled by Jerry Carter (gc) chiefly dealing
   with the 'old head' version of Samba and its NTDomain facilities. It
   is being rewritten by David Bannon (drb) so that it addresses more
   accurately the Samba 2.2 planned for release late 2000.
   
   This document probably still contains some material that does not
   apply to Samba 2.2 but most (all?) of the really misleading stuff has
   been removed. Some issues are not dealt with or are dealt with badly.
   Please send corrections and additions to David Bannon at
   D.Bannon@latrobe.edu.au
   
   Hopefully, as we all become familiar with the Samba 2.2 as a PDC this
   document will become much more usefull.
     _________________________________________________________________
   
Chapter 2. General Information

What can we do ?

What can Samba Primary Domain Controller (PDC) do ?

   If you wish to have Samba act as a PDC for Windows NT 3.51.and 4.0 or
   W2000 client, then you will need to obtain the 2.2.0 version,
   currently in pre-release. Release of a stable, full featured Samba PDC
   is currently slated for version 3.0.
   
   The following is a list of included features currently in Samba 2.2:
   
     * The ability to act as a limited PDC for Windows NT and W2000
       clients. This includes adding NT and W2K machines to the domain
       and authenticating users logging into the domain.
     * Domain account can be viewed using the User Manager for Domains
       ????
     * Viewing resources on the Samba PDC via the Server Manager for
       Domains from the NT client. ??
     * Windows 95 clients will allow user level security to be set but
       will not currently allow browsing of accounts.
     * Machine account password updates.
     * Changing of user passwords from an NT client.
     * Partial support for Windows NT group and username mapping.
     * Join a W2000 controlled domain. See below.
     * Support for a LDAP password database backend.
     * Printing.
       
   These things are note expected to work in the forseeable future
     * Trust relationships
     * PDC and BDC integration
     * Windows NT ACLs (on the Samba shares)
     * Offer a list of domain users to User Manager for Domains (or the
       Security Tab etc).
     _________________________________________________________________
   
Can I have a Windows 2000 client logon to a Samba controlled domain?

   The 2.2 release branch of Samba supports Windows 2000 domain clients
   in legacy mode, ie as if the PDC is a NTServer, not a W2K server.
     _________________________________________________________________
   
Can a samba server join a Win2000 domain ?

   Yes, a samba server, (2.0.7, 2.2 or Head) will join and be part of a
   Win2000 domain as long as the Win2000 PDC has NetBios and NTLMv1
   enabled. You don't need a 'mixed mode' DC unless there is also a NT4
   BDC in the domain. Samba will not particate in a 'Native Win2000'
   Active Directory controlled domain.
     _________________________________________________________________
   
What's the status of print spool (spoolss) support in the NTDOM code?

   The implementation of support for SPOOLSS pipe is complete and it will
   be available in the 2.2.0 release. This means that Samba will support
   the automatic downloading of printer drivers for Windows NT clients
   just as it currently does for Windows 9x clients.
     _________________________________________________________________
   
CVS

   CVS is a programme (publically available) that the Samba developers
   use to maintain the central source code. Non developers can get access
   to the source in a read only capacity. Many flavours of unix now
   arrive with cvs installed.
     _________________________________________________________________
   
What are the different Samba branches available in CVS ?

   You can find out more about obtaining Samba's via anonymous CVS from
   http://pserver.samba.org/samba/cvs.html".
   
   There are basically four branches to watch at the moment :
   
   HEAD
          Samba 3.0 ? This code boasts all the main development work in
          Samba. Two things that most people are not aware of which live
          in the HEAD branch code are winbind NSS module and Tim Potter's
          VFS implementation. Due to its developmental nature, its not
          really suitable for production work.
          
   SAMBA_2_0
          This branch contains the current stable release release. At the
          moment it contains 2.0.7, a version that will do some limited
          PDC stuff. If you are really going to do PDC things then I
          (drb) suggest that you consider 2.2 instead.
          
   SAMBA_2_2
          The next stable release, currently in a 'alpha' form. It
          provides the Samba developers, testers and interested people
          with an approximation of what is to come. This document
          addresses only SAMBA_2_2.
          
   SAMBA_TNG
          This branch is no longer maintained from the Samba sites.
          Please see http://www.samba-tng.org/. It has been requested
          that questions about TNG are not posted to the regular Samba
          mailing lists including samba-ntdom and samba-technical.
     _________________________________________________________________
   
What are the CVS commands ?

   See http://pserver.samba.org/samba/cvs.html
   
   To get the Samba 2.2 version, tag SAMBA_2_2 you would do :
     * For example : cd /usr/local/src/
     * cvs -d :pserver:cvs@pserver.samba.org:/cvsroot login
     * When prompted enter a password of cvs
     * cvs -d :pserver:cvs@pserver.samba.org:/cvsroot co -r SAMBA_2_2
       samba
       
   Then to update that directory at some later time,
     * cd /usr/local/src/samba
     * cvs -d :pserver:cvs@pserver.samba.org:/cvsroot login
     * When prompted enter a password of 'cvs'.
     * cvs update -d -P
     _________________________________________________________________
   
Chapter 3. Establishing Connections

How do I get my NT4 or W2000 Workstation to login to the Samba controlled
Domain?

   There is a comprehensive Samba PDC HowTo accessable from the samba web
   site under 'Documentation'. Its currently located at
   http://bioserve.latrobe.edu.au/samba. Read it.
     _________________________________________________________________
   
What is a 'machine account' ?

   Every NT, W2K or Samba machine that joins a Samba controlled domain
   must be known to the Samba PDC. There are two entries required, one in
   (typically) /etc/passwd and the other in (typically)
   /usr/local/samba/private/smbpasswd. Under some circumstances these
   entries are made manually, the HowTo discusses ways of creating them
   automatically.
     _________________________________________________________________
   
"The machine account for this computer either does not exist or is not
accessable."

   When I try to join the domain I get the message "The machine account
   for this computer either does not exist or is not accessable". Whats
   wrong ?
   
   This problem is caused by the PDC not having a suitable machine
   account. If you are using the add user script = method to create
   accounts then this would indicate that it has not worked. Ensure the
   domain admin user system is working.
   
   Alternatively if you are creating account entries manually then they
   have not been created correctly. Make sure that you have the entry
   correct for the machine account in smbpasswd file on the Samba PDC. If
   you added the account using an editor rather than using the smbpasswd
   utility, make sure that the account name is the machine netbios name
   with a '$' appended to it ( ie. computer_name$ ). There must be an
   entry in both /etc/passwd and the smbpasswd file. Some people have
   reported that inconsistent subnet masks between the Samba server and
   the NT client have caused this problem. Make sure that these are
   consistent for both client and server.
     _________________________________________________________________
   
How do I create machine accounts manually ?

   This was the only option until recently, now in version 2.2 better
   means are available. You might still need to do it manually for a
   couple of reasons. A machine account consists of two entries (assuming
   a standard install and /etc/passwd use), one in /etc/passwd and the
   other in /usr/local/samba/private/smbpasswd. The /etc/passwd entry
   will list the machine name with a $ appended, won't have a passwd,
   will have a null shell and no home directory. For example a machine
   called 'doppy' would have an /etc/passwd entry like this :
   
   doppy$:x:505:501:NTMachine:/dev/null:/bin/false
   
   On a linux system for example, you would typically add it like this :
   
   adduser -g machines -c NTMachine -d /dev/null -s /bin/false -n doppy$
   
   Then you need to add that entry to smbpasswd, assuming you have a
   suitable path to the smbpasswd programme, do this :
   
   smbpasswd -a -m doppy$
   
   The entry will be created with a well known password, so any machine
   that says its doppy could join the domain as long as it gets in first.
   So don't create the accounts any earlier than you need them.
     _________________________________________________________________
   
I cannot include a '$' in a machine name.

   A 'machine name' in (typically) /etc/passwd consists of the machine
   name with a '$' appended. FreeBSD (and other BSD systems ?) won't
   create a user with a '$' in their name.
   
   The problem is only in the program used to make the entry, once made,
   it works perfectly. So create a user without the '$' and use vipw to
   edit the entry, adding the '$'. Or create the whole entry with vipw if
   you like, make sure you use a unique uid !
     _________________________________________________________________
   
I get told "You already have a connection to the Domain...." when creating a
machine account.

   This happens if you try to create a machine account from the machine
   itself and use a user name that does not work (for whatever reason)
   and then try another (possibly valid) user name. Exit out of the
   network applet to close the initial connection and try again.
   
   Further, if the machine is a already a 'member of a workgroup' that is
   the same name as the domain you are joining (bad idea) you will get
   this message. Change the workgroup name to something else, it does not
   matter what, reboot, and try again.
     _________________________________________________________________
   
I get told "Cannot join domain, the credentials supplied conflict with an
existing set.."

   This is the same basic problem as mentioned above, "You already have a
   connection..."
     _________________________________________________________________
   
"The system can not log you on (C000019B)...."

   I joined the domain successfully but after upgrading to a newer
   version of the Samba code I get the message, "The system can not log
   you on (C000019B), Please try a gain or consult your system
   administrator" when attempting to logon.
   
   This occurs when the domain SID stored in private/WORKGROUP.SID is
   changed. For example, you remove the file and smbd automatically
   creates a new one. Or you are swapping back and forth between versions
   2.0.7, TNG and the HEAD branch code (not recommended). The only way to
   correct the problem is to restore the original domain SID or remove
   the domain client from the domain and rejoin.
     _________________________________________________________________
   
Chapter 4. User Account Management

Domain Admins

How do I configure an account as a domain administrator?

   See the NTDom HowTo.
     _________________________________________________________________
   
Profiles

Why is it bad to set "logon path = \\%N\%U\profile" in smb.conf? ?

   Sometimes Windows clients will maintain a connection to the \\homes\ (
   or [%U] ) share even after the user has logged out. Consider the
   following scenario.
   
     * user1 logs into the Windows NT machine. Therefore the [homes]
       share is set to \\server\user1.
     * user1 works for a while and then logs out.
     * user2 logs into the same Windows NT machine.
       
   However, since the NT box has maintained a connection to [homes] which
   was previously set to \\server\user1, when the operating system
   attempts to get the profile and if it can read users1's profile, will
   get it otherwise it will return an error. You get the picture.
   
   A better solution is to use a separate [profiles] share and set the
   "logon path = \\%N\profiles\%U"
   
     Note: Is this still a problem ????
     _________________________________________________________________
   
Why are all the users listed in the "domain admin users" using the same
profile?

   You are using a very very old development version of Samba. Upgrade.
     _________________________________________________________________
   
The roaming profiles do not seem to be updating on the server.

   There can be several reasons for this.
   
   Make sure that the time on the client and the PDC are synchronized.
   You can accomplish this by executing a net time \\server /set /yes
   replacing server with the name of your PDC (or another synchronized
   SMB server). See about Setting Time
   
   Make sure that the logon path is writeable by the user and make sure
   that the connection to the logon path location is by the current user.
   Sometimes Windows client do not drop the connection immediately upon
   logoff.
   
   Some people have reported that the logon path location should also be
   browseable. I (GC) have yet to emperically verify this, but you can
   try.
     _________________________________________________________________
   
Is it possible to store the users profile on workstation and not on server?

   Hergen Lange suggested that for 2.0.7 you can set logon drive = , ie
   to blank. Can someone confirm this works in 2.2 ? Other wise, use the
   registery settings (perhaps via policies) to not save profiles on the
   server.
     _________________________________________________________________
   
Policies

What are 'Policies' ?.

   When a user logs onto the domain via a client machine, the PDC sends
   the client machine a list of things contained in the 'policy' (if it
   exists). This list may do things like suppress a splach screen, format
   the dates the way you like them or perhaps remove locally stored
   profiles.
   
   On a samba PDC this list is obtained from a file called ntconfig.pol
   and located in the [netlogon]share. The file is created with a policy
   editor and must be readable by anyone and writeable by only root. See
   below for how to get a suitable editor.
     _________________________________________________________________
   
I can't get system policies to work.

   There are two possible reasons for system policies not functioning
   correctly. Make sure that you have the following parameters set in
   smb.conf
        [netlogon]
        ....
        locking = no
        public = no
        browseable = yes
        ....


   A policy file must be in the [netlogon] share and must be readable by
   everyone and writeable by only root. The file must be created by an
   NTServer Policy Editor.
   
   Last time I (drb) looked in the source, it was looking for
   ntconfig.pol first then several other combinations of upper and lower
   case. People have reported success using NTconfig.pol, NTconfig.POL
   and ntconfig.pol. These are the case settings that I (GC) use with the
   filename ntconfig.pol
        case sensitive = no
        case preserve = yes
        default case = yes

     _________________________________________________________________
   
What about Windows NT Policy Editor ?

   To create or edit ntconfig.pol you must use the NT Server Policy
   Editor, poledit.exe which is included with NT Server but not NT
   Workstation. There is a Policy Editor on a NTws but it is not suitable
   for creating Domain Policies. Further, although the Windows 95 Policy
   Editor can be installed on an NT Workstation/Server, it will not work
   with NT policies because the registry key that are set by the policy
   templates. However, the files from the NT Server will run happily
   enough on an NTws. You need poledit.exe, common.adm and winnt.adm. It
   is convenient to put the two *.adm files in c:\winnt\inf which is
   where the binary will look for them unless told otherwise. Note also
   that that directory is 'hidden'.
   
   The Windows NT policy editor is also included with the Service Pack 3
   (and later) for Windows NT 4.0. Extract the files using
   servicepackname /x, ie thats Nt4sp6ai.exe /x for service pack 6a. The
   policy editor, poledt.exe and the associated template files (*.adm)
   should be extracted as well. It is also possible to downloaded the
   policy template files for Office97 and get a copy of the policy
   editor. Another possible location is with the Zero Administration Kit
   available for download from Microsoft.
     _________________________________________________________________
   
Can Win95 do Policies ?

   Install the group policy handler for Win9x to pick up group policies.
   Look on the Win98 CD in \tools\reskit\netadmin\poledit. Install group
   policies on a Win9x client by double-clicking grouppol.inf. Log off
   and on again a couple of times and see if Win98 picks up group
   policies. Unfortunately this needs to be done on every Win9x machine
   that uses group policies....
   
   If group policies don't work one reports suggests getting the updated
   (read: working) grouppol.dll for Windows 9x. The group list is grabbed
   from /etc/group.
     _________________________________________________________________
   
Passwords

What is password sync and should I use it ?

   NTws users can change their domain password by pressing Ctrl-Alt-Del
   and choosing 'Change Password'. By default however, this does not
   change the unix password (typically in /etc/passwd or /etc/shadow). In
   lots of situations thats OK, for example :
   
     * The server is only accessible to the user via samba.
     * Pam_smb or similar is installed so other applications still refer
       to the samba password.
       
   But sometimes you really do need to maintain two seperate password
   databases and there are good reasons to keep then in sync. Trying to
   explain to users that they need to change their passwords in two
   seperate places or use two seperate passwords is not fun.
   
   However do understand that setting up password sync is not without
   problems either. The chief difficulty is the interface between Samba
   and the passwd command, it can be a fiddle to set up and if the
   password the user has entered fails, the resulting errors are
   ambiguously reported and the user is confused. Further, you need to
   take steps to ensure that users only ever change their passwords via
   samba (or use smbpasswd), otherwise they will only be changing the
   unix password.
     _________________________________________________________________
   
How do I get remote password (unix and SMB) changing working ?

   Have a practice changing a user's password (as root) to see what
   discussion takes place and change the text in the 'passwd chat' line
   below as necessary. The line as shown works for recent RH Linux but
   most other systems seem to like to do something different. The '*' is
   a wild card and will match anything (or nothing).
   
   Add these lines to smb.conf under [Global]


                unix password sync = true
                passwd program = /usr/bin/passwd %u
                passwd chat = *password* %n\n *password* %n\n *successful*
        
   As mentioned above, the change to the unix password happens as root,
   not as the user, as is indicated in ~/smbd/chgpasswd.c If you are
   using NIS, the Samba server must be running on the NIS master machine.
     _________________________________________________________________
   
Chapter 5. Miscellaneous

How do I send a message to a PC running windows from a samba server ?

   echo "message" | smbclient -M PC_NETBIOS_NAME_HERE -U "from" -I "to"
   The limit on message length is 1600 characters. -U and -I are optional
   and purely cosmetic.[Time Cole]
   
   Although this will always work with NTs and W2K, W95/98 require
   Winpopup (or something similar) to be running.
     _________________________________________________________________
   
What editor can I use in DOS/Windows that won't mess with my unix EOF

   There are a number of Windows or DOS based editors that will
   understand, and leave intact, the unix eof (as opposed to a DOS
   CL/LF). List members suggested :
   
     * UltraEdit at www.ultraedit.com
     * VI for windows at home.snafu.de/ramo/WinViEn.htm
     * The author prefers PFE at www.lancs.ac.uk/people/cpaap/pfe/ but
       its no longer being developed...
     _________________________________________________________________
   
How do I get 'User Manager' and 'Server Manager'

   Since I don't need to buy an NT Server CD now, how do I get the 'User
   Manager for Domains', the 'Server Manager' ?
   
   Microsoft distributes a version of these tools called nexus for
   installation on Windows 95 systems. The tools set includes
     * Server Manager
     * User Manager for Domains
     * Event Viewer
       
   Click here to download the archived file
   ftp://ftp.microsoft.com/Softlib/MSLFILES/NEXUS.EXE
   
   The Windows NT 4.0 version of the 'User Manager for Domains' and
   'Server Manager' are available from Microsoft via ftp from
   ftp://ftp.microsoft.com/Softlib/MSLFILES/SRVTOOLS.EXE
     _________________________________________________________________
   
Can I make my samba server a Time server too ?

   Yep, add a line to smb.conf time server = True under the Global
   section. Then Windows machines can use it to set the time with a
   command like net time \\server_name /set /yes. NTs and W2K machines
   will have to have been told to allow ordinary users to change the
   system time/date. See next item.
     _________________________________________________________________
   
The time setting from a Samba server does not work.

   If it works OK when you log on as Domain Admin then the problem is
   that ordinary users don't have permission to change the time. (The
   system is running with their permission at logon time.) This is not a
   Samba problem, you will have the same problem where ever you connect.
   You can give 'everyone' permission to change the time from the User
   Manager.
   
   Anyone know what the registry settings are so this could be done with
   a Policy ?
     _________________________________________________________________
   
"trust account xxx should be in DOMAIN_GROUP_RID_USERS"

   I keep getting the message "trust account xxx should be in
   DOMAIN_GROUP_RID_USERS." in the logs. What do I need to do?
   
   You are using one of the old development versions. Upgrade. (The
   message is unimportant, was a reminder to a developer)
     _________________________________________________________________
   
How do I get my samba server to become a member ( not PDC ) of an NT domain?

   In a domain that has a number of servers you only need one password
   database. The machines that don't have their own ask the PDC to check
   for them. This will work fine for a domain controlled by either a
   Samba or NT machine. The following lines in smb.conf are typical,
   'password server' points to the samba machine (or an NT) that has the
   password list :


                [global]
                ...
                security = domain
                workgroup = { Put your domain name here }
                password server = { Put the ip of the PDC here }
                encrypt passwords = yes
                ...
        
   The samba server in question will have to 'join the domain', that
   requires the domain controller to have a machine account for it. This
   is no different to the machine account requirements to allow a NTws to
   join the domain. For example, if we want a unix box called sleepy to
   ask the PDC called grumpy to do its authentication then grumpy will
   need an entry in its smbpasswd (assuming it's also samba) that starts
   with sleepy$. It would have to be created manually.
   
   If the domain is controlled by an NTServer then the "Server Manager
   for Domains" tool must be used to add 'sleepy' to the domain list.
   
   In either case we then join the domain. If the domain is called forest
   then on sleepy we would join the domain by typing :
   
   smbpasswd -j forest
   
   Note that the directory where the smbpasswd file would be located
   should exist as this is where smbd will generate the MACHINE.SID file.
   This might be /usr/local/samba/private/FOREST.SLEEPY.SID and it
   contains the trust account password for the domain member. The
   permissions are (and should remain) "rw-------
   
   Note the Samba Servers without the password list will most likely
   still need an account for each user, this means a line in its
   /etc/passwd. Because authentication is being handled at the domain
   level the /etc/passwd line does not need a password. If the shares
   being offered are not user specific, ie a common (read only ?) area or
   perhaps just printing then the user's /etc/passwd does not need a home
   directory. A typical line in /etc/passwd for a server that allows
   domain users to connect to the samba shares but does not offer a home
   share ('cos that's on the PDC) and does not allow logon to the unix
   prompt would be like this :
jblow:x:542:100:Joe Blow:/dev/null:/bin/false

     * When removing those 'dummy' users, watch the 'remove user'
       scripts, some OS think they should remove a users directory even
       when its not owned by the user !
     * The username map = parameter might help you to avoid having all
       those accounts created.
     * You should investigate the smb.conf parameter 'add user script',
       it will be used to create accounts on secondary servers when that
       account already exists on the PDC. Very nice. Something like :
    [Global]
    ....
    add user script = /usr/sbin/adduser -n -g users -c User -d /dev/null -s /bi
n/false %U
    ....
     _________________________________________________________________
   
Chapter 6. Troubleshooting and Bug Reporting

Diagnostic tools

What are some diagnostics tools I can use to debug the domain logon process
and where can I find them?

   One of the best diagnostic tools for debugging problems is Samba
   itself. You can use the -d option for both smbd and nmbd to specifiy
   what 'debug level' at which to run. See the man pages on smbd, nmbd
   and smb.conf for more information on debugging options. The debug
   level can range from 1 (the default) to around 100 but a debug level
   of about 20 will normally help you find any errors that samba is
   encountering. Another helpful method of debugging is to compile samba
   using the gcc -g flag. This will include debug information in the
   binaries and allow you to attch gdb to the running smbd / nmbd
   process. In order to attach gdb to an smbd process for an NT
   workstation, first get the workstation to make the connection.
   Pressing ctrl-alt-delete and going down to the domain box is
   sufficient (at least, on the first time you join the domain) to
   generate a 'LsaEnumTrustedDomains'. Thereafter, the workstation
   maintains an open connection, and therefore there will be an smbd
   process running (assuming that you haven't set a really short smbd
   idle timeout) So, in between pressing ctrl alt delete, and actually
   typing in your password, you can gdb attach and continue.
   
   Some usefull samba commands worth investigating:
     * testparam | more
     * smbclient -L //{netbios name of server}
       
   An SMB enabled version of tcpdump is available from
   ftp://samba.org/pub/samba/tcpdump-smb/ 
   
   Capconvert is a small C program for translating output from
   tcpdump-smb to CAP format that can be read by netmon. You will need to
   use the raw output from tcp dump ( ie. tcpdump -w output.dump ). Good
   news! Now you can convert Solaris' snoop output as well. The C source
   code for snoop2cap is available for download.
   
   For tracing things on the Microsoft Windows NT, Network Monitor (aka.
   netmon) is available on the Microsoft Developer Network CD's, the
   Windows NT Server install CD and the SMS CD's. The version of netmon
   that ships with SMS allows for dumping packets between any two
   computers (ie. placing the network interface in promiscuous mode). The
   version on the NT Server install CD will only allow monitoring of
   network traffic directed to the local NT box and broadcasts on the
   local subnet.
     _________________________________________________________________
   
How do I install 'Network Monitor' on an NT Workstation or a Windows 9x box?

   Installing netmon on an NT workstation requires a couple of steps. The
   following are for installing Netmon V4.00.349, which comes with
   Microsoft Windows NT Server 4.0, on Microsoft Windows NT Workstation
   4.0. The process should be similar for other version of Windows NT /
   Netmon. You will need both the Microsoft Windows NT Server 4.0 Install
   CD and the Workstation 4.0 Install CD.
   
   Initially you will need to install 'Network Monitor Tools and Agent'
   on the NT Server. To do this
   
     * Goto Start - Settings - Control Panel - Network - Services - Add
     * Select the 'Network Monitor Tools and Agent' and click on 'OK'.
     * Click 'OK' on the Network Control Panel.
     * Insert the Windows NT Server 4.0 install CD when prompted.
       
   At this point the Netmon files should exist in
   %SYSTEMROOT%\System32\netmon\*.*. Two subdirectories exist as well,
   parsers\ which contains the necessary DLL's for parsing the netmon
   packet dump, and captures\.
   
   In order to install the Netmon tools on an NT Workstation, you will
   first need to install the 'Network Monitor Agent' from the Workstation
   install CD.
   
     * Goto Start - Settings - Control Panel - Network - Services - Add
     * Select the 'Network Monitor Agent' and click on 'OK'.
     * Click 'OK' on the Network Control Panel.
     * Insert the Windows NT Workstation 4.0 install CD when prompted.
       
   Now copy the files from the NT Server in
   %SYSTEMROOT%\System32\netmon\*.* to %SYSTEMROOT%\System32\netmon\*.*
   on the Workstation and set permissions as you deem appropriate for
   your site. You will need administrative rights on the NT box to run
   netmon.
   
   To install Netmon on a Windows 9x box install the network monitor
   agent from the Windows 9x CD (\admin\nettools\netmon). There is a
   readme file located with the netmon driver files on the CD if you need
   information on how to do this. Copy the files from a working Netmon
   installation.
     _________________________________________________________________
   
What other help can I get ?

   There are many sources of information available in the form of mailing
   lists, RFC's and documentation. The docs that come with the samba
   distribution contain very good explanations of general SMB topics such
   as browsing.
     _________________________________________________________________
   
URLs and similar

     * Home of Samba site http://samba.org. We have a mirror near you !
     * The Development document on the Samba mirrors might mention your
       problem. If so, it might mean that the developers are working on
       it.
     * Ignacio Coupeau has a very comprehesive look at LDAP with Samba at
       http://www.unav.es/cti/ldap-smb-howto.html Be a little carefull
       however, I suspect that it does not specificly address samba
       2.2.x. The HEAD pre-2.1 may possibly be the best stream to look
       at.
     * Lars Kneschke's site covers Samba-TNG at
       http://www.kneschke.de/projekte/samba_tng, but again, a lot of it
       does not apply to the main stream Samba.
     * See how Scott Merrill simulates a BDC behaviour at
       http://www.skippy.net/linux/smb-howto.html.
     * Although 2.0.7 has almost had its day as a PDC, I (drb) will keep
       the 2.0.7 PDC pages at http://bioserve.latrobe.edu.au/samba going
       for a while yet.
     * Misc links to CIFS information http://samba.org/cifs/
     * NT Domains for Unix http://mailhost.cb1.com/~lkcl/ntdom/
     * FTP site for older SMB specs:
       ftp://ftp.microsoft.com/developr/drg/CIFS/
       
   There are a number of documents that no longer appear to live at their
   origional home. Any one know where the following may be found ?
     * CIFS/E Browser Protocol draft-leach-cifs-browser-spec-00.txt
     * CIFS Remote Administration Protocol
       draft-leach-cifs-rap-spec-00.txt
     * CIFS Logon and Pass Through Authentication
       draft-leach-cifs-logon-spec-00.txt
     * A Common Internet File System (CIFS/1.0) Protocol
       draft-leach-cifs-v1-spec-01.txt
     * CIFS Printing Specification draft-leach-cifs-print-spec-00.txt
     * RFC1001 (March '87) Protocol standard for a NetBIOS service on a
       TCP/UDP transport: Concepts and methods.
       http://ds.internic.net/rfc/rfc1001.txt
     * RFC1002 (March '87) Protocol standard for a NetBIOS service on a
       TCP/UDP transport: Detailed specifications.
       http://ds.internic.net/rfc/rfc1002.txt
     * Microsoft's main CIFS page:
       http://www.microsoft.com/workshop/networking/cifs/
     _________________________________________________________________
   
How do I get help from the mailing lists ?

   There are a number of Samba related mailing lists. Go to
   http://samba.org, click on your nearest mirror and then click on
   Support and then click on Samba related mailing lists.
   
   For questions relating to Samba TNG go to http://www.samba-tng.org/ It
   has been requested that you don't post questions about Samba-TNG to
   the main stream Samba lists.
   
   If you post a message to one of the lists please observe the following
   guide lines :
     * Always remember that the developers are volunteers, they are not
       paid and they never guarantee to produce a particular feature at a
       particular time. Any time lines are 'best guess' and nothing more.
     * Always mention what version of samba you are using and what
       operating system its running under. You should probably list the
       relevant sections of your smb.conf file, at least the options in
       [global] that affect PDC support.
     * In addition to the version, if you obtained Samba via CVS mention
       the date when you last checked it out.
     * Try and make your question clear and brief, lots of long,
       convoluted questions get deleted before they are completely read !
       Don't post html encoded messages (if you can select colour or font
       size its html).
     * If you run one of those niffy 'I'm on holidays' things when you
       are away, make sure its configured to not answer mailing lists.
     * Don't cross post. Work out which is the best list to post to and
       see what happens, ie don't post to both samba-ntdom and
       samba-technical. Many people active on the lists subscribe to more
       than one list and get annoyed to see the same message two or more
       times. Often someone will see a message and thinking it would be
       better dealt with on another, will forward it on for you.
     * You might include partial log files written at a debug level set
       to as much as 20. Please don't send the entire log but enough to
       give the context of the error messages.
     * (Possibly) If you have a complete netmon trace ( from the opening
       of the pipe to the error ) you can send the *.CAP file as well.
     * Please think carefully before attaching a document to an email.
       Consider pasting the relevant parts into the body of the message.
       The samba mailing lists go to a huge number of people, do they all
       need a copy of your smb.conf in their attach directory ?
     _________________________________________________________________
   
How do I get off the mailing lists ?

   To have your name removed from a samba mailing list, go to the same
   place you went to to get on it. Go to http://samba.org, click on your
   nearest mirror and then click on Support and then click on Samba
   related mailing lists. Or perhaps see here
   
   Please don't post messages to the list asking to be removed, you will
   just be refered to the above address (unless that process failed in
   some way...)