samba-pdc-faq.txt for Samba release 2.2.0-alpha3 24 Mar 2001
_________________________________________________________________

Comments, corrections and additions to <D.Bannon@samba.org>

Note: Please read the Introduction for the current state of play.

This is the FAQ for Samba 2.2 as an NTDomain controller. This document
is derived from the original FAQ that was built and maintained by
Gerald Carter from the early days of Samba NTDomain development up
until recently. It is now being updated as significant changes are

Please note it does not apply to Samba2.2alpha0, Samba2.2alpha1, Samba
2.0.7, TNG nor HEAD branch.

I'll repeat, it does not apply to the current snapshot [ftp
mirror]:/pub/samba/alpha/samba-2.2.0-alpha1.tar.gz, only to the

Also available is a Samba 2.2 PDC HowTo that takes you, step by step,
over the process of setting up a very basic Samba 2.2 Primary Domain
2. General Information
    What can Samba Primary Domain Controller (PDC) do ?
    Can I have a Windows 2000 client logon to a Samba
    Can a samba server join a Win2000 domain ?
    What's the status of print spool (spoolss) support in the
    What are the different Samba branches available in CVS ?
    What are the CVS commands ?
3. Establishing Connections
    How do I get my NT4 or W2000 Workstation to login to the
    Samba controlled Domain?
    What is a 'machine account' ?
    "The machine account for this computer either does not
    exist or is not accessible."
    How do I create machine accounts manually ?
    I cannot include a '$' in a machine name.
    I get told "You already have a connection to the
    Domain...." when creating a machine account.
    I get told "Cannot join domain, the credentials supplied
    conflict with an existing set.."
    "The system can not log you on (C000019B)...."
4. User Account Management
    How do I configure an account as a domain administrator?
    Why is it bad to set "logon path = \\%N\%U\profile" in
    Why are all the users listed in the "domain admin users"
    using the same profile?
    The roaming profiles do not seem to be updating on the
    Is it possible to store the users profile on workstation
    What are 'Policies' ?
    I can't get system policies to work.
    What about Windows NT Policy Editor ?
    Can Win95 do Policies ?
    What is password sync and should I use it ?
    How do I get remote password (unix and SMB) changing
    How do I send a message to a PC running windows from a
    What editor can I use in DOS/Windows that won't mess with
    How do I get 'User Manager' and 'Server Manager'
    Can I make my samba server a Time server too ?
    The time setting from a Samba server does not work.
    "trust account xxx should be in DOMAIN_GROUP_RID_USERS"
    How do I get my samba server to become a member ( not PDC )
6. Troubleshooting and Bug Reporting
    What are some diagnostics tools I can use to debug the
    domain logon process and where can I find them?
    How do I install 'Network Monitor' on an NT Workstation or
    What other help can I get ?
    How do I get help from the mailing lists ?
    How do I get off the mailing lists ?
_________________________________________________________________
Chapter 1. Introduction

It should be noted that 2.2.0 in its pre-release form still has a few
problems; I'll try and keep this section current while things are
still dynamic. At the time of this update (December 15, 2000) the
current state of play is:

Comments here about W2K joining the domain apply only to Samba 2.2
from the CVS after November 27th. The 'snapshot' release
Samba2.2alpha1 (typically obtained via FTP) does not work !!! See
below on how to get a CVS tree.

Bug List: I would really appreciate some confirmation that some of these
bugs are fixed. I don't have a useful test setup at present so need a

Known Bug ? There has been a suggestion that some of the problems that
some people have experienced may be due to using gcc from RedHat 7.0.
The alternative is to use kgcc - feedback desperately needed !

Known Bug ! W2K machines will not successfully join a domain with a
name that is made up from an even number of characters. Yep, that's
right ! BIOTEST is OK as is MYDOMAI but MYDOMAIN will not work until
this bug is fixed. Hmm.., we believe that this bug is fixed, but see

Known Bug ! After some bugs were fixed just before Christmas, W2K SP1
machines cannot join the domain. Expected to be fixed early in the new
year. What's that ? Yeah, samba developers have a Christmas break too !

Known Bug ! NTs (and possibly W2K ?) are not told the logged on user is
a domain admin if the parameter "domain admin users = user" is used.
The alternative, "domain admin group", does work. See the HowTo.

Client side creation of machine accounts does work but is not
complete. Firstly, the add user script runs as the user whose name was
entered, not as root. Secondly, the machine name passed to the script
(%U) has an underscore at the end, not a '$'. One alternative is to
use %m and add the $. This method is documented in the HowTo. And
thirdly, it does not work with NT4ws.

A W2K machine can join the domain. See the HowTo which explains the
process. The methods described are 'work arounds' and should be
regarded as temporary. Although I (drb) have tested these procedures a
number of people have had difficulty so there may be other issues at
work. JFM is aware of these problems and will attend to them when he

A Domain Admin account is required and at present it appears that only
root is a suitable candidate.

Much of the related code does work. For example, if an NT is removed
from the domain and then rejoins, the Create a Computer Account in the
Domain dialog will let you reset the smbpasswd. That is, you don't need
to do it from the unix box. However, at present, you do need to
have root as an administrator and use the root user name and password.

Actually I'm not sure that last paragraph is correct ....

Policies do work on a W2K machine. MS says that recent builds of W2K
don't observe an NT policy but it appears it does in 'legacy' mode.
_________________________________________________________________

This FAQ was originally compiled by Jerry Carter (gc) chiefly dealing
with the 'old head' version of Samba and its NTDomain facilities. It
is being rewritten by David Bannon (drb) so that it addresses more
accurately the Samba 2.2 planned for release late 2000.

This document probably still contains some material that does not
apply to Samba 2.2 but most (all?) of the really misleading stuff has
been removed. Some issues are not dealt with or are dealt with badly.
Please send corrections and additions to David Bannon at
D.Bannon@latrobe.edu.au

Hopefully, as we all become familiar with Samba 2.2 as a PDC this
document will become much more useful.
_________________________________________________________________
Chapter 2. General Information

What can Samba Primary Domain Controller (PDC) do ?

If you wish to have Samba act as a PDC for Windows NT 3.51 and 4.0 or
W2000 clients, then you will need to obtain the 2.2.0 version,
currently in pre-release. Release of a stable, full featured Samba PDC
is currently slated for version 3.0.

The following is a list of included features currently in Samba 2.2:

  * The ability to act as a limited PDC for Windows NT and W2000
    clients. This includes adding NT and W2K machines to the domain
    and authenticating users logging into the domain.
  * Domain accounts can be viewed using the User Manager for Domains
  * Viewing resources on the Samba PDC via the Server Manager for
    Domains from the NT client. ??
  * Windows 95 clients will allow user level security to be set but
    will not currently allow browsing of accounts.
  * Machine account password updates.
  * Changing of user passwords from an NT client.
  * Partial support for Windows NT group and username mapping.
  * Join a W2000 controlled domain. See below.
  * Support for a LDAP password database backend.

These things are not expected to work in the foreseeable future:
  * Trust relationships
  * PDC and BDC integration
  * Windows NT ACLs (on the Samba shares)
  * Offer a list of domain users to User Manager for Domains (or the
_________________________________________________________________

Can I have a Windows 2000 client logon to a Samba controlled domain?

The 2.2 release branch of Samba supports Windows 2000 domain clients
in legacy mode, ie as if the PDC is an NT Server, not a W2K server.
_________________________________________________________________

Can a samba server join a Win2000 domain ?

Yes, a samba server (2.0.7, 2.2 or Head) will join and be part of a
Win2000 domain as long as the Win2000 PDC has NetBios and NTLMv1
enabled. You don't need a 'mixed mode' DC unless there is also an NT4
BDC in the domain. Samba will not participate in a 'Native Win2000'
Active Directory controlled domain.
_________________________________________________________________

What's the status of print spool (spoolss) support in the NTDOM code?

The implementation of support for the SPOOLSS pipe is complete and it will
be available in the 2.2.0 release. This means that Samba will support
the automatic downloading of printer drivers for Windows NT clients
just as it currently does for Windows 9x clients.
_________________________________________________________________

CVS is a programme (publicly available) that the Samba developers
use to maintain the central source code. Non developers can get access
to the source in a read only capacity. Many flavours of unix now
arrive with cvs installed.
_________________________________________________________________

What are the different Samba branches available in CVS ?

You can find out more about obtaining Samba via anonymous CVS from
http://pserver.samba.org/samba/cvs.html

There are basically four branches to watch at the moment :

Samba 3.0 ? This code boasts all the main development work in
Samba. Two things that most people are not aware of which live
in the HEAD branch code are the winbind NSS module and Tim Potter's
VFS implementation. Due to its developmental nature, it's not
really suitable for production work.

This branch contains the current stable release. At the
moment it contains 2.0.7, a version that will do some limited
PDC stuff. If you are really going to do PDC things then I
(drb) suggest that you consider 2.2 instead.

The next stable release, currently in 'alpha' form. It
provides the Samba developers, testers and interested people
with an approximation of what is to come. This document
addresses only SAMBA_2_2.

This branch is no longer maintained from the Samba sites.
Please see http://www.samba-tng.org/. It has been requested
that questions about TNG are not posted to the regular Samba
mailing lists including samba-ntdom and samba-technical.
_________________________________________________________________

What are the CVS commands ?

See http://pserver.samba.org/samba/cvs.html

To get the Samba 2.2 version, tag SAMBA_2_2, you would do :
  * For example : cd /usr/local/src/
  * cvs -d :pserver:cvs@pserver.samba.org:/cvsroot login
  * When prompted enter a password of cvs
  * cvs -d :pserver:cvs@pserver.samba.org:/cvsroot co -r SAMBA_2_2

Then to update that directory at some later time,
  * cd /usr/local/src/samba
  * cvs -d :pserver:cvs@pserver.samba.org:/cvsroot login
  * When prompted enter a password of 'cvs'.

_________________________________________________________________
Chapter 3. Establishing Connections

How do I get my NT4 or W2000 Workstation to login to the Samba controlled

There is a comprehensive Samba PDC HowTo accessible from the samba web
site under 'Documentation'. It's currently located at
http://bioserve.latrobe.edu.au/samba. Read it.
_________________________________________________________________

What is a 'machine account' ?

Every NT, W2K or Samba machine that joins a Samba controlled domain
must be known to the Samba PDC. There are two entries required, one in
(typically) /etc/passwd and the other in (typically)
/usr/local/samba/private/smbpasswd. Under some circumstances these
entries are made manually; the HowTo discusses ways of creating them
_________________________________________________________________

"The machine account for this computer either does not exist or is not

When I try to join the domain I get the message "The machine account
for this computer either does not exist or is not accessible". What's

This problem is caused by the PDC not having a suitable machine
account. If you are using the 'add user script =' method to create
accounts then this would indicate that it has not worked. Ensure the
domain admin user system is working.

Alternatively, if you are creating account entries manually then they
have not been created correctly. Make sure that you have the entry
correct for the machine account in the smbpasswd file on the Samba PDC. If
you added the account using an editor rather than using the smbpasswd
utility, make sure that the account name is the machine netbios name
with a '$' appended to it ( ie. computer_name$ ). There must be an
entry in both /etc/passwd and the smbpasswd file. Some people have
reported that inconsistent subnet masks between the Samba server and
the NT client have caused this problem. Make sure that these are
consistent for both client and server.
_________________________________________________________________

How do I create machine accounts manually ?

This was the only option until recently; now in version 2.2 better
means are available. You might still need to do it manually for a
couple of reasons. A machine account consists of two entries (assuming
a standard install and /etc/passwd use), one in /etc/passwd and the
other in /usr/local/samba/private/smbpasswd. The /etc/passwd entry
will list the machine name with a $ appended, won't have a passwd,
will have a null shell and no home directory. For example a machine
called 'doppy' would have an /etc/passwd entry like this :

    doppy$:x:505:501:NTMachine:/dev/null:/bin/false

On a linux system, for example, you would typically add it like this :

    adduser -g machines -c NTMachine -d /dev/null -s /bin/false -n doppy$

Then you need to add that entry to smbpasswd; assuming you have a
suitable path to the smbpasswd programme, do this :

    smbpasswd -a -m doppy$

The entry will be created with a well known password, so any machine
that says it's doppy could join the domain as long as it gets in first.
So don't create the accounts any earlier than you need them.
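The two-step procedure above, wrapped in a script with the checks an administrator wants before running adduser and smbpasswd as root. This is an added example, not from the FAQ or the Samba project; it assumes NetBIOS machine names of 1-15 characters from [A-Za-z0-9_-], an existing 'machines' group, and adduser/smbpasswd in PATH.

```shell
#!/bin/sh
# Added example (not from the FAQ): create the two entries a Samba 2.2 machine
# trust account needs, with sanity checks before touching the system.
# Assumptions (mine, not the FAQ's): NetBIOS machine names are 1-15 characters
# from [A-Za-z0-9_-]; the 'machines' group exists; adduser and smbpasswd are
# in PATH; the passwd file location can be overridden through the environment.

PASSWD_FILE=${PASSWD_FILE:-/etc/passwd}

# nt_machine_name_ok NAME: accept only a plain NetBIOS name; the trailing '$'
# is appended by this script, so a name that already carries one is refused.
nt_machine_name_ok() {
    name=$1
    [ -n "$name" ] && [ ${#name} -le 15 ] || return 1
    case $name in
        *[!A-Za-z0-9_-]*) return 1 ;;
    esac
    return 0
}

# machine_passwd_line NAME UID GID: the /etc/passwd line the FAQ shows, with
# no password, no home directory and no usable shell.
machine_passwd_line() {
    printf '%s$:x:%s:%s:NTMachine:/dev/null:/bin/false\n' "$1" "$2" "$3"
}

# account_exists ACCOUNT FILE: true if ACCOUNT (e.g. doppy$) is the user
# field of some line in a passwd- or smbpasswd-style colon separated FILE.
account_exists() {
    awk -F: -v u="$1" '$1 == u { found = 1 } END { exit !found }' "$2" 2>/dev/null
}

# create_machine_account NAME: add the unix entry (unless present) and then
# the smbpasswd entry.  The smbpasswd entry starts with the well known
# initial password, so run this immediately before the machine joins.
create_machine_account() {
    name=$1
    if ! nt_machine_name_ok "$name"; then
        echo "refusing to create account for '$name'" >&2
        return 1
    fi
    acct="${name}\$"
    if account_exists "$acct" "$PASSWD_FILE"; then
        echo "$acct already in $PASSWD_FILE, not running adduser" >&2
    else
        adduser -g machines -c NTMachine -d /dev/null -s /bin/false -n "$acct" || return 1
    fi
    smbpasswd -a -m "$acct"
}

# Usage (as root): sh mkmachine.sh doppy
if [ -n "$1" ]; then
    if [ "$(id -u)" -ne 0 ]; then
        echo "run as root" >&2
        exit 1
    fi
    create_machine_account "$1"
fi
```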
_________________________________________________________________

I cannot include a '$' in a machine name.

A 'machine name' in (typically) /etc/passwd consists of the machine
name with a '$' appended. FreeBSD (and other BSD systems ?) won't
create a user with a '$' in their name.

The problem is only in the program used to make the entry; once made,
it works perfectly. So create a user without the '$' and use vipw to
edit the entry, adding the '$'. Or create the whole entry with vipw if
you like; make sure you use a unique uid !
_________________________________________________________________

I get told "You already have a connection to the Domain...." when creating a

This happens if you try to create a machine account from the machine
itself and use a user name that does not work (for whatever reason)
and then try another (possibly valid) user name. Exit out of the
network applet to close the initial connection and try again.

Further, if the machine is already a 'member of a workgroup' that is
the same name as the domain you are joining (bad idea) you will get
this message. Change the workgroup name to something else, it does not
matter what, reboot, and try again.
_________________________________________________________________

I get told "Cannot join domain, the credentials supplied conflict with an

This is the same basic problem as mentioned above, "You already have a
_________________________________________________________________

"The system can not log you on (C000019B)...."

I joined the domain successfully but after upgrading to a newer
version of the Samba code I get the message, "The system can not log
you on (C000019B), Please try again or consult your system
administrator" when attempting to logon.

This occurs when the domain SID stored in private/WORKGROUP.SID is
changed. For example, you remove the file and smbd automatically
creates a new one. Or you are swapping back and forth between versions
2.0.7, TNG and the HEAD branch code (not recommended). The only way to
correct the problem is to restore the original domain SID or remove
the domain client from the domain and rejoin.
_________________________________________________________________
Chapter 4. User Account Management

How do I configure an account as a domain administrator?

_________________________________________________________________

Why is it bad to set "logon path = \\%N\%U\profile" in smb.conf?

Sometimes Windows clients will maintain a connection to the \\homes\ (
or [%U] ) share even after the user has logged out. Consider the

  * user1 logs into the Windows NT machine. Therefore the [homes]
    share is set to \\server\user1.
  * user1 works for a while and then logs out.
  * user2 logs into the same Windows NT machine.

However, since the NT box has maintained a connection to [homes] which
was previously set to \\server\user1, when the operating system
attempts to get the profile, if it can read user1's profile it will
get it, otherwise it will return an error. You get the picture.

A better solution is to use a separate [profiles] share and set
"logon path = \\%N\profiles\%U"

Note: Is this still a problem ????
_________________________________________________________________

Why are all the users listed in the "domain admin users" using the same

You are using a very very old development version of Samba. Upgrade.
_________________________________________________________________

The roaming profiles do not seem to be updating on the server.

There can be several reasons for this.

Make sure that the time on the client and the PDC are synchronized.
You can accomplish this by executing a net time \\server /set /yes
replacing server with the name of your PDC (or another synchronized
SMB server). See about Setting Time

Make sure that the logon path is writeable by the user and make sure
that the connection to the logon path location is by the current user.
Sometimes Windows clients do not drop the connection immediately upon

Some people have reported that the logon path location should also be
browseable. I (GC) have yet to empirically verify this, but you can
_________________________________________________________________

Is it possible to store the users profile on workstation and not on server?

Hergen Lange suggested that for 2.0.7 you can set logon drive = , ie
to blank. Can someone confirm this works in 2.2 ? Otherwise, use the
registry settings (perhaps via policies) to not save profiles on the
_________________________________________________________________

What are 'Policies' ?

When a user logs onto the domain via a client machine, the PDC sends
the client machine a list of things contained in the 'policy' (if it
exists). This list may do things like suppress a splash screen, format
the dates the way you like them or perhaps remove locally stored

On a samba PDC this list is obtained from a file called ntconfig.pol
located in the [netlogon] share. The file is created with a policy
editor and must be readable by anyone and writeable by only root. See
below for how to get a suitable editor.
_________________________________________________________________
I can't get system policies to work.

There are two possible reasons for system policies not functioning
correctly. Make sure that you have the following parameters set in

A policy file must be in the [netlogon] share and must be readable by
everyone and writeable by only root. The file must be created by an
NTServer Policy Editor.

Last time I (drb) looked in the source, it was looking for
ntconfig.pol first then several other combinations of upper and lower
case. People have reported success using NTconfig.pol, NTconfig.POL
and ntconfig.pol. These are the case settings that I (GC) use with the
filename ntconfig.pol
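A check for the two requirements just stated, the file's permissions and the case variants of its name, as an added example that is not part of the FAQ or of Samba. It assumes the netlogon directory is passed as the first argument and that 'ls -ld' prints the symbolic mode in column 1 and the owner in column 3.

```shell
#!/bin/sh
# Added example (not from the FAQ): verify that the policy file in the
# [netlogon] share meets the FAQ's requirements (readable by everyone,
# writeable only by root) and list every upper/lower case variant of
# ntconfig.pol that is present, since smbd tries several of them.
# Assumptions (mine, not the FAQ's): the netlogon directory is given as the
# first argument, and 'ls -ld' prints the symbolic mode in column 1 and the
# owner in column 3, as it does on Linux and the BSDs.

# mode_ok FILE GLOB: true if the 10-character symbolic mode of FILE matches
# GLOB, e.g. '-r??r-?r-?' for a policy file (all may read, only the owner
# may write) or '-rw-------' for a private file such as the domain SID.
# ACL/SELinux markers that some ls versions append are cut off.
mode_ok() {
    m=$(ls -ld "$1" | cut -c1-10)
    case $m in
        $2) return 0 ;;
        *)  return 1 ;;
    esac
}

# owner_of FILE: print the owning user name.
owner_of() {
    ls -ld "$1" | awk '{print $3}'
}

# check_policy_file FILE [OWNER]: 0 if FILE is world readable, writeable by
# its owner only, and owned by OWNER (default root); reports each failure.
check_policy_file() {
    file=$1
    want=${2:-root}
    rc=0
    if ! mode_ok "$file" '-r??r-?r-?'; then
        echo "$file: mode $(ls -ld "$file" | cut -c1-10), want -rw-r--r--" >&2
        rc=1
    fi
    owner=$(owner_of "$file")
    if [ "$owner" != "$want" ]; then
        echo "$file: owned by $owner, want $want" >&2
        rc=1
    fi
    return $rc
}

# find_policy_variants DIR: print the name of every file in DIR whose name
# is ntconfig.pol in any case, so a stray copy is not overlooked.
find_policy_variants() {
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        base=$(basename "$f")
        if [ "$(printf '%s' "$base" | tr 'A-Z' 'a-z')" = ntconfig.pol ]; then
            printf '%s\n' "$base"
        fi
    done
}

# Usage: sh check-policy.sh /usr/local/samba/netlogon
if [ -n "$1" ] && [ -d "$1" ]; then
    for name in $(find_policy_variants "$1"); do
        check_policy_file "$1/$name" && echo "$1/$name: OK"
    done
fi
```

mode_ok with the glob '-rw-------' is the same test the domain member section in Chapter 5 asks for on the .SID file.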
_________________________________________________________________

What about Windows NT Policy Editor ?

To create or edit ntconfig.pol you must use the NT Server Policy
Editor, poledit.exe which is included with NT Server but not NT
Workstation. There is a Policy Editor on an NTws but it is not suitable
for creating Domain Policies. Further, although the Windows 95 Policy
Editor can be installed on an NT Workstation/Server, it will not work
with NT policies because of the registry keys that are set by the policy
templates. However, the files from the NT Server will run happily
enough on an NTws. You need poledit.exe, common.adm and winnt.adm. It
is convenient to put the two *.adm files in c:\winnt\inf which is
where the binary will look for them unless told otherwise. Note also
that that directory is 'hidden'.

The Windows NT policy editor is also included with the Service Pack 3
(and later) for Windows NT 4.0. Extract the files using
servicepackname /x, ie that's Nt4sp6ai.exe /x for service pack 6a. The
policy editor, poledit.exe, and the associated template files (*.adm)
should be extracted as well. It is also possible to download the
policy template files for Office97 and get a copy of the policy
editor. Another possible location is with the Zero Administration Kit
available for download from Microsoft.
_________________________________________________________________

Can Win95 do Policies ?

Install the group policy handler for Win9x to pick up group policies.
Look on the Win98 CD in \tools\reskit\netadmin\poledit. Install group
policies on a Win9x client by double-clicking grouppol.inf. Log off
and on again a couple of times and see if Win98 picks up group
policies. Unfortunately this needs to be done on every Win9x machine
that uses group policies....

If group policies don't work, one report suggests getting the updated
(read: working) grouppol.dll for Windows 9x. The group list is grabbed
_________________________________________________________________

What is password sync and should I use it ?

NTws users can change their domain password by pressing Ctrl-Alt-Del
and choosing 'Change Password'. By default however, this does not
change the unix password (typically in /etc/passwd or /etc/shadow). In
lots of situations that's OK, for example :

  * The server is only accessible to the user via samba.
  * Pam_smb or similar is installed so other applications still refer
    to the samba password.

But sometimes you really do need to maintain two separate password
databases and there are good reasons to keep them in sync. Trying to
explain to users that they need to change their passwords in two
separate places or use two separate passwords is not fun.

However do understand that setting up password sync is not without
problems either. The chief difficulty is the interface between Samba
and the passwd command; it can be a fiddle to set up and if the
password the user has entered fails, the resulting errors are
ambiguously reported and the user is confused. Further, you need to
take steps to ensure that users only ever change their passwords via
samba (or use smbpasswd), otherwise they will only be changing the
_________________________________________________________________

How do I get remote password (unix and SMB) changing working ?

Have a practice changing a user's password (as root) to see what
discussion takes place and change the text in the 'passwd chat' line
below as necessary. The line as shown works for recent RH Linux but
most other systems seem to like to do something different. The '*' is
a wild card and will match anything (or nothing).

Add these lines to smb.conf under [Global]

    unix password sync = true
    passwd program = /usr/bin/passwd %u
    passwd chat = *password* %n\n *password* %n\n *successful*

As mentioned above, the change to the unix password happens as root,
not as the user, as is indicated in ~/smbd/chgpasswd.c. If you are
using NIS, the Samba server must be running on the NIS master machine.
_________________________________________________________________
Chapter 5. Miscellaneous

How do I send a message to a PC running windows from a samba server ?

    echo "message" | smbclient -M PC_NETBIOS_NAME_HERE -U "from" -I "to"

The limit on message length is 1600 characters. -U and -I are optional
and purely cosmetic. [Time Cole]

Although this will always work with NTs and W2K, W95/98 require
Winpopup (or something similar) to be running.
_________________________________________________________________

What editor can I use in DOS/Windows that won't mess with my unix EOF

There are a number of Windows or DOS based editors that will
understand, and leave intact, the unix line ending (as opposed to a DOS
CR/LF). List members suggested :

  * UltraEdit at www.ultraedit.com
  * VI for windows at home.snafu.de/ramo/WinViEn.htm
  * The author prefers PFE at www.lancs.ac.uk/people/cpaap/pfe/ but
    it's no longer being developed...
_________________________________________________________________

How do I get 'User Manager' and 'Server Manager'

Since I don't need to buy an NT Server CD now, how do I get the 'User
Manager for Domains' and the 'Server Manager' ?

Microsoft distributes a version of these tools called nexus for
installation on Windows 95 systems. The tool set includes

  * User Manager for Domains

Click here to download the archived file
ftp://ftp.microsoft.com/Softlib/MSLFILES/NEXUS.EXE

The Windows NT 4.0 versions of the 'User Manager for Domains' and
'Server Manager' are available from Microsoft via ftp from
ftp://ftp.microsoft.com/Softlib/MSLFILES/SRVTOOLS.EXE
_________________________________________________________________

Can I make my samba server a Time server too ?

Yep, add a line "time server = True" to smb.conf under the Global
section. Then Windows machines can use it to set the time with a
command like net time \\server_name /set /yes. NTs and W2K machines
will have to have been told to allow ordinary users to change the
system time/date. See next item.
_________________________________________________________________

The time setting from a Samba server does not work.

If it works OK when you log on as Domain Admin then the problem is
that ordinary users don't have permission to change the time. (The
system is running with their permission at logon time.) This is not a
Samba problem, you will have the same problem wherever you connect.
You can give 'everyone' permission to change the time from the User

Anyone know what the registry settings are so this could be done with
_________________________________________________________________

"trust account xxx should be in DOMAIN_GROUP_RID_USERS"

I keep getting the message "trust account xxx should be in
DOMAIN_GROUP_RID_USERS." in the logs. What do I need to do?

You are using one of the old development versions. Upgrade. (The
message is unimportant, it was a reminder to a developer.)
_________________________________________________________________

How do I get my samba server to become a member ( not PDC ) of an NT domain?

In a domain that has a number of servers you only need one password
database. The machines that don't have their own ask the PDC to check
for them. This will work fine for a domain controlled by either a
Samba or NT machine. The following lines in smb.conf are typical;
'password server' points to the samba machine (or an NT) that has the

    workgroup = { Put your domain name here }
    password server = { Put the ip of the PDC here }
    encrypt passwords = yes

The samba server in question will have to 'join the domain'; that
requires the domain controller to have a machine account for it. This
is no different to the machine account requirements to allow an NTws to
join the domain. For example, if we want a unix box called sleepy to
ask the PDC called grumpy to do its authentication then grumpy will
need an entry in its smbpasswd (assuming it's also samba) that starts
with sleepy$. It would have to be created manually.

If the domain is controlled by an NTServer then the "Server Manager
for Domains" tool must be used to add 'sleepy' to the domain list.

In either case we then join the domain. If the domain is called forest
then on sleepy we would join the domain by typing :

Note that the directory where the smbpasswd file would be located
should exist as this is where smbd will generate the MACHINE.SID file.
This might be /usr/local/samba/private/FOREST.SLEEPY.SID and it
contains the trust account password for the domain member. The
permissions are (and should remain) "rw-------".

Note the Samba Servers without the password list will most likely
still need an account for each user; this means a line in its
/etc/passwd. Because authentication is being handled at the domain
level the /etc/passwd line does not need a password. If the shares
being offered are not user specific, ie a common (read only ?) area or
perhaps just printing, then the user's /etc/passwd line does not need a
home directory. A typical line in /etc/passwd for a server that allows
domain users to connect to the samba shares but does not offer a home
share ('cos that's on the PDC) and does not allow logon to the unix
prompt would be like this :

    jblow:x:542:100:Joe Blow:/dev/null:/bin/false

  * When removing those 'dummy' users, watch the 'remove user'
    scripts, some OS think they should remove a user's directory even
    when it's not owned by the user !
  * The 'username map =' parameter might help you to avoid having all
    those accounts created.
  * You should investigate the smb.conf parameter 'add user script',
    it will be used to create accounts on secondary servers when that
    account already exists on the PDC. Very nice. Something like :

    add user script = /usr/sbin/adduser -n -g users -c User -d /dev/null -s /bi

_________________________________________________________________
798 Chapter 6. Troubleshooting and Bug Reporting
802 What are some diagnostics tools I can use to debug the domain logon process
803 and where can I find them?
805 One of the best diagnostic tools for debugging problems is Samba
806 itself. You can use the -d option for both smbd and nmbd to specifiy
807 what 'debug level' at which to run. See the man pages on smbd, nmbd
808 and smb.conf for more information on debugging options. The debug
809 level can range from 1 (the default) to around 100 but a debug level
810 of about 20 will normally help you find any errors that samba is
811 encountering. Another helpful method of debugging is to compile samba
812 using the gcc -g flag. This will include debug information in the
813 binaries and allow you to attch gdb to the running smbd / nmbd
814 process. In order to attach gdb to an smbd process for an NT
815 workstation, first get the workstation to make the connection.
816 Pressing ctrl-alt-delete and going down to the domain box is
817 sufficient (at least, on the first time you join the domain) to
818 generate a 'LsaEnumTrustedDomains'. Thereafter, the workstation
819 maintains an open connection, and therefore there will be an smbd
820 process running (assuming that you haven't set a really short smbd
821 idle timeout) So, in between pressing ctrl alt delete, and actually
822 typing in your password, you can gdb attach and continue.
824 Some usefull samba commands worth investigating:
* smbclient -L //{netbios name of server}

An SMB enabled version of tcpdump is available from
ftp://samba.org/pub/samba/tcpdump-smb/

Capconvert is a small C program for translating output from
tcpdump-smb to CAP format that can be read by netmon. You will need to
use the raw output from tcpdump (i.e. tcpdump -w output.dump). Good
news! Now you can convert Solaris' snoop output as well. The C source
code for snoop2cap is available for download.

For tracing things on Microsoft Windows NT, Network Monitor (aka
netmon) is available on the Microsoft Developer Network CDs, the
Windows NT Server install CD and the SMS CDs. The version of netmon
that ships with SMS allows for dumping packets between any two
computers (i.e. placing the network interface in promiscuous mode). The
version on the NT Server install CD will only allow monitoring of
network traffic directed to the local NT box and broadcasts on the

_________________________________________________________________
How do I install 'Network Monitor' on an NT Workstation or a Windows 9x box?

Installing netmon on an NT workstation requires a couple of steps. The
following are for installing Netmon V4.00.349, which comes with
Microsoft Windows NT Server 4.0, on Microsoft Windows NT Workstation
4.0. The process should be similar for other versions of Windows NT /
Netmon. You will need both the Microsoft Windows NT Server 4.0 Install
CD and the Workstation 4.0 Install CD.

Initially you will need to install 'Network Monitor Tools and Agent'
on the NT Server. To do this

* Go to Start - Settings - Control Panel - Network - Services - Add
* Select the 'Network Monitor Tools and Agent' and click on 'OK'.
* Click 'OK' on the Network Control Panel.
* Insert the Windows NT Server 4.0 install CD when prompted.

At this point the Netmon files should exist in
%SYSTEMROOT%\System32\netmon\*.*. Two subdirectories exist as well:
parsers\, which contains the necessary DLLs for parsing the netmon
packet dump, and captures\.

In order to install the Netmon tools on an NT Workstation, you will
first need to install the 'Network Monitor Agent' from the Workstation

* Go to Start - Settings - Control Panel - Network - Services - Add
* Select the 'Network Monitor Agent' and click on 'OK'.
* Click 'OK' on the Network Control Panel.
* Insert the Windows NT Workstation 4.0 install CD when prompted.

Now copy the files from the NT Server in
%SYSTEMROOT%\System32\netmon\*.* to %SYSTEMROOT%\System32\netmon\*.*
on the Workstation and set permissions as you deem appropriate for
your site. You will need administrative rights on the NT box to run

To install Netmon on a Windows 9x box, install the network monitor
agent from the Windows 9x CD (\admin\nettools\netmon). There is a
readme file located with the netmon driver files on the CD if you need
information on how to do this. Copy the files from a working Netmon

_________________________________________________________________
What other help can I get ?

There are many sources of information available in the form of mailing
lists, RFCs and documentation. The docs that come with the samba
distribution contain very good explanations of general SMB topics such

_________________________________________________________________

* Home of Samba site http://samba.org. We have a mirror near you!
* The Development document on the Samba mirrors might mention your
  problem. If so, it might mean that the developers are working on
* Ignacio Coupeau has a very comprehensive look at LDAP with Samba at
  http://www.unav.es/cti/ldap-smb-howto.html Be a little careful,
  however; I suspect that it does not specifically address samba
  2.2.x. The HEAD pre-2.1 may possibly be the best stream to look
* Lars Kneschke's site covers Samba-TNG at
  http://www.kneschke.de/projekte/samba_tng, but again, a lot of it
  does not apply to the main stream Samba.
* See how Scott Merrill simulates BDC behaviour at
  http://www.skippy.net/linux/smb-howto.html.
* Although 2.0.7 has almost had its day as a PDC, I (drb) will keep
  the 2.0.7 PDC pages at http://bioserve.latrobe.edu.au/samba going
* Misc links to CIFS information http://samba.org/cifs/
* NT Domains for Unix http://mailhost.cb1.com/~lkcl/ntdom/
* FTP site for older SMB specs:
  ftp://ftp.microsoft.com/developr/drg/CIFS/

There are a number of documents that no longer appear to live at their
original home. Anyone know where the following may be found?
* CIFS/E Browser Protocol draft-leach-cifs-browser-spec-00.txt
* CIFS Remote Administration Protocol
  draft-leach-cifs-rap-spec-00.txt
* CIFS Logon and Pass Through Authentication
  draft-leach-cifs-logon-spec-00.txt
* A Common Internet File System (CIFS/1.0) Protocol
  draft-leach-cifs-v1-spec-01.txt
* CIFS Printing Specification draft-leach-cifs-print-spec-00.txt
* RFC1001 (March '87) Protocol standard for a NetBIOS service on a
  TCP/UDP transport: Concepts and methods.
  http://ds.internic.net/rfc/rfc1001.txt
* RFC1002 (March '87) Protocol standard for a NetBIOS service on a
  TCP/UDP transport: Detailed specifications.
  http://ds.internic.net/rfc/rfc1002.txt
* Microsoft's main CIFS page:
  http://www.microsoft.com/workshop/networking/cifs/
_________________________________________________________________
How do I get help from the mailing lists ?

There are a number of Samba related mailing lists. Go to
http://samba.org, click on your nearest mirror and then click on
Support and then click on Samba related mailing lists.

For questions relating to Samba TNG go to http://www.samba-tng.org/ It
has been requested that you don't post questions about Samba-TNG to
the main stream Samba lists.

If you post a message to one of the lists please observe the following

* Always remember that the developers are volunteers; they are not
  paid and they never guarantee to produce a particular feature at a
  particular time. Any time lines are 'best guess' and nothing more.
* Always mention what version of samba you are using and what
  operating system it's running under. You should probably list the
  relevant sections of your smb.conf file, at least the options in
  [global] that affect PDC support.
* In addition to the version, if you obtained Samba via CVS mention
  the date when you last checked it out.
* Try to make your question clear and brief; lots of long,
  convoluted questions get deleted before they are completely read!
  Don't post html encoded messages (if you can select colour or font
* If you run one of those nifty 'I'm on holidays' things when you
  are away, make sure it's configured to not answer mailing lists.
* Don't cross post. Work out which is the best list to post to and
  see what happens, i.e. don't post to both samba-ntdom and
  samba-technical. Many people active on the lists subscribe to more
  than one list and get annoyed to see the same message two or more
  times. Often someone will see a message and, thinking it would be
  better dealt with on another list, will forward it on for you.
* You might include partial log files written at a debug level set
  to as much as 20. Please don't send the entire log, but enough to
  give the context of the error messages.
* (Possibly) If you have a complete netmon trace (from the opening
  of the pipe to the error) you can send the *.CAP file as well.
* Please think carefully before attaching a document to an email.
  Consider pasting the relevant parts into the body of the message.
  The samba mailing lists go to a huge number of people; do they all
  need a copy of your smb.conf in their attach directory?
_________________________________________________________________

How do I get off the mailing lists ?

To have your name removed from a samba mailing list, go to the same
place you went to get on it. Go to http://samba.org, click on your
nearest mirror and then click on Support and then click on Samba
related mailing lists. Or perhaps see here

Please don't post messages to the list asking to be removed; you will
just be referred to the above address (unless that process failed in