large sync up with 2.2

[Samba/gbeck.git] / docs / htmldocs / samba-pdc-howto.html

<HTML
><HEAD
><TITLE
>The Samba 2.2 PDC HowTo </TITLE
><META
NAME="GENERATOR"
CONTENT="Modular DocBook HTML Stylesheet Version 1.57"></HEAD
><BODY
CLASS="BOOK"
BGCOLOR="#FFFFFF"
TEXT="#000000"
LINK="#0000FF"
VLINK="#840084"
ALINK="#0000FF"
><DIV
CLASS="BOOK"
><A
NAME="SAMBA-PDC-HOWTO"
></A
><DIV
CLASS="TITLEPAGE"
><H1
CLASS="TITLE"
><A
NAME="SAMBA-PDC-HOWTO"
>The Samba 2.2 PDC HowTo</A
></H1
><H3
CLASS="AUTHOR"
><A
NAME="AEN4"
>David Bannon</A
></H3
><DIV
CLASS="AFFILIATION"
><SPAN
CLASS="ORGNAME"
>La Trobe University<BR></SPAN
></DIV
><HR></DIV
><HR><H1
><A
NAME="AEN10"
></A
></H1
><P
>Comments, corrections and additions to <TT
CLASS="EMAIL"
>&#60;<A
HREF="mailto:dbannon@samba.org"
>dbannon@samba.org</A
>&#62;</TT
></P
><P
>       This document explains how to setup Samba as a Primary Domain Controller and 
        applies to version 2.2.0. 
        Before
        using these functions make sure you understand what the controller can and cannot do.
        Please read the sections below in the Introduction. 
        As 2.2.0 is incrementally updated
        this document will change or become out of date very quickly, make sure you are
        reading the most current version.
    </P
><P
>Please note this document does not apply to Samba2.2alpha0, Samba2.2alpha1, 
    Samba 2.0.7, TNG nor HEAD branch.</P
><P
>It does apply to the current (post November 27th) cvs.</P
><P
>       Also available is an updated version of Jerry Carter's NTDom <A
HREF="samba-pdc-faq.html"
TARGET="_top"
>    FAQ</A
> that will answer lots of 
        the special 'tuning' questions that are not covered here. Over the next couple of weeks
        some of the items here will be moved to the FAQ.
    </P
><DIV
CLASS="TOC"
><DL
><DT
><B
>Table of Contents</B
></DT
><DT
>1. <A
HREF="#AEN20"
>Introduction</A
></DT
><DD
><DL
><DT
><A
HREF="#AEN28"
>What can we do ?</A
></DT
><DT
><A
HREF="#AEN44"
>What can't we do ?</A
></DT
></DL
></DD
><DT
>2. <A
HREF="#AEN55"
>Installing</A
></DT
><DD
><DL
><DT
><A
HREF="#AEN59"
>Start Up Script</A
></DT
><DT
><A
HREF="#AEN66"
>Config File</A
></DT
><DD
><DL
><DT
><A
HREF="#AEN68"
>A sample conf file</A
></DT
><DT
><A
HREF="#AEN79"
>PDC Config Parameters</A
></DT
></DL
></DD
><DT
><A
HREF="#AEN115"
>Special directories</A
></DT
></DL
></DD
><DT
>3. <A
HREF="#AEN126"
>User and Machine Accounts</A
></DT
><DD
><DL
><DT
><A
HREF="#AEN128"
>Logon Accounts</A
></DT
><DT
><A
HREF="#MACHINEACCOUNT"
>Machine Accounts</A
></DT
><DT
><A
HREF="#AEN163"
>Joining the Domain</A
></DT
><DT
><A
HREF="#AEN211"
>User Accounts</A
></DT
><DT
><A
HREF="#AEN223"
>Domain Admin Accounts</A
></DT
></DL
></DD
><DT
>4. <A
HREF="#AEN231"
>Profiles, Policies and Logon Scripts</A
></DT
><DD
><DL
><DT
><A
HREF="#AEN233"
>Profiles</A
></DT
><DT
><A
HREF="#AEN240"
>Policies</A
></DT
><DT
><A
HREF="#AEN251"
>Logon Scripts</A
></DT
></DL
></DD
><DT
>5. <A
HREF="#AEN272"
>Passwords and Authentication</A
></DT
><DD
><DL
><DT
><A
HREF="#AEN278"
></A
></DT
><DD
><DL
><DT
><A
HREF="#AEN280"
>Syncing Passwords</A
></DT
><DT
><A
HREF="#AEN286"
>Using PAM</A
></DT
><DT
><A
HREF="#AEN292"
>Authenticating other Samba Servers</A
></DT
></DL
></DD
></DL
></DD
><DT
>6. <A
HREF="#AEN298"
>Background</A
></DT
><DD
><DL
><DT
><A
HREF="#AEN300"
></A
></DT
><DD
><DL
><DT
><A
HREF="#AEN302"
>History</A
></DT
><DT
><A
HREF="#AEN310"
>The Future</A
></DT
><DT
><A
HREF="#AEN322"
>Getting further help</A
></DT
></DL
></DD
></DL
></DD
></DL
></DIV
><DIV
CLASS="CHAPTER"
><HR><H1
><A
NAME="AEN20"
>Chapter 1. Introduction</A
></H1
><P
>This document will show you one way of making Version 2.2.0  
of Samba perform some of the tasks of a 
NT Primary Domain Controller. The facilities described are built into Samba as a result of 
development work done over a number of years by a large number of people. These facilities 
are only just beginning to be officially supported and although they do appear to work reliably, 
if you use them then you take the risks upon your self.  This document does not cover the
developmental versions of Samba, particularly 
<A
HREF="http://www.samba-tng.org/"
TARGET="_top"
><I
CLASS="CITETITLE"
>Samba-TNG</I
></A
>
&#13;</P
><P
>Note that <A
HREF="http://bioserve.latrobe.edu.au/samba"
TARGET="_top"
>Samba 2.0.7</A
>
    supports significently less of the NT Domain facilities compared with 2.2.0
    </P
><P
>       This document does not replace the text files DOMAIN_CONTROL.txt, DOMAIN.txt (by
        John H Terpstra) or NTDOMAIN.txt (by Luke Kenneth Casson Leighton). Those documents provide
        more detail and an insight to the development
        cycle and should be considered 'further reading'.&#13;</P
><DIV
CLASS="SECT1"
><HR><H1
CLASS="SECT1"
><A
NAME="AEN28"
>What can we do ?</A
></H1
><P
></P
><UL
><LI
><P
>Permit 'domain logons' for Win95/98, NT4 and W2K workstations from one central 
        password database. WRT W2K, please see the section about adding machine 
        accounts and the Intro in the <A
HREF="samba-pdc-faq.html"
TARGET="_top"
>FAQ</A
>.</P
></LI
><LI
><P
>Grant Administrator privileges to particular domain users on an 
        NT or W2K workstation.</P
></LI
><LI
><P
>Apply policies from a domain policy file to NT and W2K (?) 
        workstation.</P
></LI
><LI
><P
>Run the appropriate logon script when a user logs on to the domain
        .</P
></LI
><LI
><P
>Maintain a user's local profile on the server.</P
></LI
><LI
><P
>Validate a user using another system via smb (such as smb_pam) and 
        soon winbind (?).</P
></LI
></UL
></DIV
><DIV
CLASS="SECT1"
><HR><H1
CLASS="SECT1"
><A
NAME="AEN44"
>What can't we do ?</A
></H1
><P
></P
><UL
><LI
><P
> Become or work with a Backup Domain Controller (a BDC).</P
></LI
><LI
><P
> Participate in any sort of trust relationship (with either Samba or NT 
        Servers).</P
></LI
><LI
><P
> Offer a list of domain users to User Manager for Domains 
        on the Security Tab etc).</P
></LI
><LI
><P
>Be a W2K type of Domain Controller. Samba PDC will behave like
        an NT PDC, W2K workstations connect in legacy mode.</P
></LI
></UL
></DIV
></DIV
><DIV
CLASS="CHAPTER"
><HR><H1
><A
NAME="AEN55"
>Chapter 2. Installing</A
></H1
><P
>Installing consists of the usual download, configure, make and make 
        install process. These steps are well documented elsewhere.
        The <A
HREF="samba-pdc-faq.html"
TARGET="_top"
>FAQ</A
> discusses getting pre-release versions via CVS. 
        Then you need to configure the server.</P
><DIV
CLASS="SECT1"
><HR><H1
CLASS="SECT1"
><A
NAME="AEN59"
>Start Up Script</A
></H1
><P
>Skip this section if you have a working Samba already. 
        Everyone has their own favourite startup script. Here is mine, offered with no warrantee
        at all !</P
><PRE
CLASS="PROGRAMLISTING"
> 

        #!/bin/sh
        # Script to control Samba server, David Bannon, 14-6-96
        #
        #
        PATH=/bin:/usr/sbin:/usr/bin
        export PATH
        case "$1" in
        'start')
                if [ -f /usr/local/samba/bin/smbd ]
                then
                        /usr/local/samba/bin/smbd -D
                        /usr/local/samba/bin/nmbd -D
                        echo "Starting Samba Server"
                fi
                ;;
        'conf')
                if [ -f /usr/local/samba/lib/smb.conf ]
                then
                        vi /usr/local/samba/lib/smb.conf
                fi
                ;;
        'pw')
                if [ -f /usr/local/samba/private/smbpasswd ]
                then
                        vi /usr/local/samba/private/smbpasswd
                fi
                ;;
        'who')
                /usr/local/samba/bin/smbstatus -b
                ;;
        'restart')
                psline=`/bin/ps  x | grep smbd | grep -v grep`

                if [ "$psline" != "" ]
                then
                        while [ "$psline" != "" ]
                        do
                                psline=`/bin/ps x | fgrep smbd | grep -v grep`
                                if [ "$psline" ]
                                then
                                        set -- $psline
                                        pid=$1
                                        /bin/kill -HUP $pid
                                        echo "Stopped $pid line = $psline"
                                        sleep 2
                                fi
                        done
                fi
                echo "Stopped Samba servers"
                ;;
        'stop')
                psline=`/bin/ps  x | grep smbd | grep -v grep`

                if [ "$psline" != "" ]
                then
                        while [ "$psline" != "" ]
                        do
                                psline=`/bin/ps x | fgrep smbd | grep -v grep`
                                if [ "$psline" ]
                                then
                                        set -- $psline
                                        pid=$1
                                        /bin/kill -9 $pid
                                        echo "Stopped $pid line = $psline"
                                        sleep 2
                                fi
                        done
                fi
                echo "Stopped Samba servers"
                psline=`/bin/ps x | grep nmbd | grep -v grep`
                if [ "$psline" ]
                then
                        set -- $psline
                        pid=$1
                        /bin/kill -9 $pid
                        echo "Stopped Name Server "
                fi
                echo "Stopped Name Servers"
                ;;
        *)
                echo "usage: samba {start | restart |stop | conf | pw | who}"
                ;;
        esac
    </PRE
><P
>       Use this script, or some other one, you will need to ensure its used while the machine
        is booting. (This typically involves <TT
CLASS="FILENAME"
>/etc/rc.d</TT
>, we'll be 
        assuming that there is a script called
        samba in <TT
CLASS="FILENAME"
>/etc/rc.d/init.d</TT
> further down in this document.)</P
></DIV
><DIV
CLASS="SECT1"
><HR><H1
CLASS="SECT1"
><A
NAME="AEN66"
>Config File</A
></H1
><DIV
CLASS="SECT2"
><H2
CLASS="SECT2"
><A
NAME="AEN68"
>A sample conf file</A
></H2
><P
>Here is a fairly minimal config file to do PDC. It will also make the server 
        become the browse master for the
        specified domain (not necessary but usually desirable). You will need to change only 
        two parameters to make this
        file work, <TT
CLASS="FILENAME"
>wins server</TT
> and <TT
CLASS="FILENAME"
>workgroup</TT
>, plus
    you will need to put your own name (not mine!) in the <TT
CLASS="FILENAME"
>domain admin users</TT
> fields. 
        Some of the parameters are discussed further down this document.</P
><P
>Assuming you have used the default install directories, this file should appear as 
        <TT
CLASS="FILENAME"
>/usr/local/samba/lib/smb.conf</TT
>. It should not be 
        writable by anyone except root.</P
><DIV
CLASS="NOTE"
><BLOCKQUOTE
CLASS="NOTE"
><P
><B
>Note: </B
>The 'add user script' parameter is a work-around, watch for changes !</P
></BLOCKQUOTE
></DIV
><PRE
CLASS="PROGRAMLISTING"
> 

        [global]  
        security = user 
        status = yes 
        workgroup = { Your domain name here }
        wins server = { ip of a wins server if you have one } 
        encrypt passwords = yes 
        domain logons =yes 
        logon script = scripts\%U.bat 
        domain admin group = @adm 
        add user script = /usr/sbin/adduser -n -g machines -c Machine -d /dev/null -s /bin/false %m$    
        guest account = ftp 
        share modes=no 
        os level=65 
        [homes] 
        guest ok = no 
        read only = no 
        create mask = 0700 
        directory mask = 0700 
        oplocks = false 
        locking = no 
        [netlogon] 
        path = /usr/local/samba/netlogon 
        writeable = no 
        guest ok = no 
   </PRE
></DIV
><DIV
CLASS="SECT2"
><HR><H2
CLASS="SECT2"
><A
NAME="AEN79"
>PDC Config Parameters</A
></H2
><P
></P
><DIV
CLASS="VARIABLELIST"
><P
><B
>There are a huge range of parameters that may appear in a smb.conf file. Some 
        that may be of interest to a PDC are :</B
></P
><DL
><DT
>add user script</DT
><DD
><P
>This parameter specifies a script (or program) that will be run
        to add a user to the system. Here it is being used to add a machine, not a user.
        This is probably not very nice and may change. But it does work !</P
><P
>For this example, I have a group called 'machines', entries can be added to
    <TT
CLASS="FILENAME"
>/etc/passwd</TT
> using a programme called <TT
CLASS="FILENAME"
>/usr/adduser</TT
> and 
    the other parameters are chosen as suitable for a machine account. Works for
    RH Linux, your system may require changes.</P
></DD
><DT
>domain admin group = @adm</DT
><DD
><P
>This parameter specifies a unix group whose members will be granted 
    admin privileges on a NT workstation when
        logged onto that workstation. See the section called <A
HREF="#AEN223"
>    Domain Admin</A
> Accounts.</P
></DD
><DT
>domain admin users = user1 users2</DT
><DD
><P
>It appears that this parameter does not funtion correctly at present.
    Use the 'domain admin group' instread. This parameter specifies a unix user who will 
    be granted admin privileges 
        on a NT workstation when
        logged onto that workstation. See the section called <A
HREF="#AEN223"
>    Domain Admin</A
> Accounts.</P
></DD
><DT
>encrypt passwords = yes</DT
><DD
><P
>This parameter must be 'yes' to allow any of the recent service pack NTs to logon. There are some reg hacks that
        turn off encrypted passwords on the NTws itself but if you are going to use the smbpasswd system (and you
        should) you must use encrypted passwords.</P
></DD
><DT
>logon script = scripts\%U.bat</DT
><DD
><P
>This will make samba look for a logon script named after the user 
        (eg joeblow.bat). 
         See the section further on called <A
HREF="#AEN251"
>Logon Scripts</A
></P
><DIV
CLASS="NOTE"
><BLOCKQUOTE
CLASS="NOTE"
><P
><B
>Note: </B
>Note that the slash is like this '\', not like this '/'. 
        NT is happy with both, win95 is not !</P
></BLOCKQUOTE
></DIV
></DD
><DT
>logon path</DT
><DD
><P
>Lets you specify where you would like users profiles kept. The default, that is in the users
        home directory, does encourage a bit of fiddling.</P
></DD
></DL
></DIV
></DIV
></DIV
><DIV
CLASS="SECT1"
><HR><H1
CLASS="SECT1"
><A
NAME="AEN115"
>Special directories</A
></H1
><P
>You need to create a couple of special files and directories. Its nice 
        to have some of the binaries handy too, so I create links to them. Assuming 
        you have used the default samba location and have not
        changed the locations mentioned in the sample config file, do the following :</P
><PRE
CLASS="PROGRAMLISTING"
> 

        mkdir /usr/local/samba/netlogon 
        mkdir /usr/local/samba/netlogon/scripts
        mkdir /usr/local/samba/private
        touch /usr/local/samba/private/smbpasswd
        chmod go-rwx /usr/local/samba/private/smbpasswd
        cd /usr/local/sbin
        ln -s /usr/local/samba/bin/smbpasswd
        ln -s /usr/local/samba/bin/smbclient
        ln -s /etc/rc.d/init.d/samba</PRE
><P
>Make sure permissions are appropriate !</P
><P
>OK, if you have used the scripts above and have a path to where the links are do this to start up 
        the Samba Server :</P
><P
><B
CLASS="COMMAND"
>samba start</B
></P
><P
>Instead, you might like to reboot the machine to make sure that you 
        got the init stuff right. Any way, a quick look in the logs 
        <TT
CLASS="FILENAME"
>/usr/local/samba/var/log.smbd</TT
> and <TT
CLASS="FILENAME"
>       /usr/local/samba/var/log/nmbd</TT
>
        will give you an idea of what's happening. Assuming all is well, lets create 
        some accounts...</P
></DIV
></DIV
><DIV
CLASS="CHAPTER"
><HR><H1
><A
NAME="AEN126"
>Chapter 3. User and Machine Accounts</A
></H1
><DIV
CLASS="SECT1"
><H1
CLASS="SECT1"
><A
NAME="AEN128"
>Logon Accounts</A
></H1
><P
><I
CLASS="EMPHASIS"
>This section is very nearly out of date already !</I
>  It 
        appears that while you are reading it, Jean Francois Micou is making it 
        redundant ! Jean Francois is adding facilities to add users
        (via User Manager) and machines (when joining the domain) and it looks like these facilities will
        make it into the official release of 2.2.</P
><P
>Every user and NTws (and other samba servers) that will be on the domain 
        must have its own passwd entry in both <TT
CLASS="FILENAME"
>/etc/passwd</TT
> and 
        <TT
CLASS="FILENAME"
>/usr/local/samba/private/smbpasswd</TT
> . 
        The <TT
CLASS="FILENAME"
>/etc/passwd</TT
> entry is really 
        only to reserve a user ID. The NT encrypted password is stored in 
        <TT
CLASS="FILENAME"
>/usr/local/samba/private/smbpasswd</TT
>. 
        (Note that win95/98 machines don't need an account as they don't do 
        any security aware things.)</P
><P
>Samba 2.2 will now create these entries for us. Carefull set up is required
        and there may well be some changes to this system before its released. 
        </P
></DIV
><DIV
CLASS="SECT1"
><HR><H1
CLASS="SECT1"
><A
NAME="MACHINEACCOUNT"
>Machine Accounts</A
></H1
><DIV
CLASS="NOTE"
><BLOCKQUOTE
CLASS="NOTE"
><P
><B
>Note: </B
>There is an entry in the ntdom <A
HREF="samba-pdc-faq.html"
TARGET="_top"
>FAQ</A
> explaining how to create
        machine entries manually.</P
></BLOCKQUOTE
></DIV
><P
></P
><DIV
CLASS="VARIABLELIST"
><P
><B
><I
CLASS="EMPHASIS"
>At present</I
> to have the machine accounts created when a machine joins 
        the domain a number of conditions must be met :</B
></P
><DL
><DT
>Only root can do it !</DT
><DD
><P
>There must be an entry in <TT
CLASS="FILENAME"
>/usr/local/samba/private/smbpasswd</TT
>
        for root and root must be mentioned in <TT
CLASS="FILENAME"
>domain admins</TT
>. This may
        be fixed some time in the future so any 'domain admin' can do it. If you don't 
        like having root as a windows logon account, make the machine
        entries manually (both of them).</P
></DD
><DT
>Use the <TT
CLASS="FILENAME"
>add user script</TT
></DT
><DD
><P
>Again, this looks a bit like a 'work around'. Use a suitable
        command line to add a machine account <A
HREF="#AEN68"
>see above</A
>,
        and pass it %m$, that is %m to get machine name plus the '$'. Now, this
        means you cannot use the <TT
CLASS="FILENAME"
>add user script</TT
> to really add users .... </P
></DD
><DT
>Only for W2K</DT
><DD
><P
>This automatic creation of machine accounts does not work for
    NT4ws at present. Watch this space.</P
></DD
></DL
></DIV
></DIV
><DIV
CLASS="SECT1"
><HR><H1
CLASS="SECT1"
><A
NAME="AEN163"
>Joining the Domain</A
></H1
><P
>You must have either added the machine account entries manually (NT4 ws)
        or set up the automatic system (W2K), <A
HREF="#MACHINEACCOUNT"
>see Machine Accounts</A
>
        before proceeding.</P
><P
></P
><DIV
CLASS="VARIABLELIST"
><DL
><DT
><B
CLASS="COMMAND"
>Windows NT</B
></DT
><DD
><P
></P
><UL
><LI
><P
> (<I
CLASS="EMPHASIS"
>this step may not be necessary some time in the near future</I
>).
        On the samba server that is the PDC, add a machine account manually
        as per the instructions in the <A
HREF="samba-pdc-faq.html"
TARGET="_top"
>FAQ</A
> 
        Then give the command <B
CLASS="COMMAND"
>smbpasswd -a -m {machine}</B
> substituting in the 
        client machine name.</P
></LI
><LI
><P
> Logon to the NTws in question as a local admin, go to the 
        <B
CLASS="COMMAND"
>Control Panel, Network IdentificationTag</B
>.</P
></LI
><LI
><P
> Press the <B
CLASS="COMMAND"
>Change</B
> button.</P
></LI
><LI
><P
> Enter the Domain name (from the 'Workgroup' parameter, smb.conf) 
        in the Domain Field.</P
></LI
><LI
><P
> Press OK and after a few seconds you will get a 'Welcome to Whatever Domain'. 
        Allow to reboot.</P
></LI
></UL
></DD
><DT
><B
CLASS="COMMAND"
>Windows 2000</B
></DT
><DD
><P
></P
><UL
><LI
><P
>Logon to the W2k machine as Administrator, go to the Control 
        Panel and double click on <B
CLASS="COMMAND"
>Network and Dialup Connections</B
>. 
        </P
></LI
><LI
><P
>Pull down the <B
CLASS="COMMAND"
>Advanced</B
> menu and choose 
        <B
CLASS="COMMAND"
>Network Identification</B
>. Press <B
CLASS="COMMAND"
>Properties
        </B
>. </P
></LI
><LI
><P
>Choose <B
CLASS="COMMAND"
>Domain</B
> and enter the domain name. Press 'OK'.</P
></LI
><LI
><P
>Now enter a user name and password for a Domain Admin 
        <I
CLASS="EMPHASIS"
>(Who must be root until a pre-release bug is fixed)</I
> and press
        'OK'.</P
></LI
><LI
><P
>Wait for the confirmation, reboot when prompted.</P
></LI
></UL
><P
>To remove a W2K machine from the domain, follow the first two steps then 
    choose <B
CLASS="COMMAND"
>Workgroup</B
>, enter a work group name (or just WORKGROUP) and follow 
    the prompts.</P
></DD
></DL
></DIV
></DIV
><DIV
CLASS="SECT1"
><HR><H1
CLASS="SECT1"
><A
NAME="AEN211"
>User Accounts</A
></H1
><P
><I
CLASS="EMPHASIS"
>Again, doing it manually (cos' the auto way is not working pre-release).
        </I
>
        In our simple case every domain user should have an account on the PDC. The 
        account may have a null shell if they are not allowed to log on to the unix 
        prompt. Again they need an entry in both the <TT
CLASS="FILENAME"
>/etc/passwd</TT
> and
        <TT
CLASS="FILENAME"
>/usr/local/samba/private/smbpasswd</TT
>. Again a password is 
        not necessary in <TT
CLASS="FILENAME"
>/etc/passwd</TT
> but the location 
        of the home directory is honoured. 
        To make an entry for a user called Joe Blow you would typically do the following :</P
><P
><B
CLASS="COMMAND"
>adduser -g users -c 'Joe Blow' -s /bin/false -n joeblow</B
></P
><P
><B
CLASS="COMMAND"
>smbpasswd -a joeblow</B
></P
><P
>And you will prompted to enter a password for Joe. Ideally he will be 
        hovering over your shoulder and will, when asked, type in a password of 
        his choice. There are a number of scripts and systems to ease the migration of users
        from somewhere to samba. Better start looking !</P
></DIV
><DIV
CLASS="SECT1"
><HR><H1
CLASS="SECT1"
><A
NAME="AEN223"
>Domain Admin Accounts</A
></H1
><P
>Certain operations demand that the logged on user has Administrator 
        privileges, typically installing software and
        doing maintenance tasks. It is very simple to appoint some users as Domain Admins, 
        most likely yourself. Make
        sure you trust the appointee !</P
><P
>Samba 2.2 recognizes particular users as being
        domain admins and tells the NTws when it thinks that it has got one logged on. 
        In the smb.conf file we declare
        that the <TT
CLASS="FILENAME"
>Domain Admin group = @adm</TT
>. 
        Any user who is a menber of the unix group 'adm' is treated as a Domain Admin by a NTws when 
        logged onto the Domain. They will have full Administrator rights 
        including the rights to change permissions on files and run the system 
        utilities such as Disk Administrator. Add users to the group by editing <TT
CLASS="FILENAME"
>    /etc/group/</TT
>. You do not need to use the 'adm' group, choose any one you like.</P
><P
>Further, and this is very new, they will be allowed to create a 
        new machine account when first connecting a new NT or W2K machine to 
        the domain. <I
CLASS="EMPHASIS"
>However, at present, ie pre-release, only a Domain Admin who
        also happens to be root can do so. </I
></P
></DIV
></DIV
><DIV
CLASS="CHAPTER"
><HR><H1
><A
NAME="AEN231"
>Chapter 4. Profiles, Policies and Logon Scripts</A
></H1
><DIV
CLASS="SECT1"
><H1
CLASS="SECT1"
><A
NAME="AEN233"
>Profiles</A
></H1
><P
>NT Profiles should work if you have followed the setup so far. 
        A user's profile contains a whole lot of their personal settings, 
        the contents of their desktop, personal 'My Documents' and so on. 
        When they log off, all of the profile is copied to their directory 
        on the server and is downloaded again when they logon on again, possibly 
        on another client machine.</P
><P
>Sounds great but can be a bit of a bug bear sometimes. Users let 
        their profiles get too big and then complain about how long it takes 
        to log on each time. This sample setup only supports NT profiles, 
        rumor has it that it is also possible to do the same on Win95, my 
        users don't know and I'm not telling them.</P
><DIV
CLASS="NOTE"
><BLOCKQUOTE
CLASS="NOTE"
><P
><B
>Note: </B
>There is more info about Profiles (including for W95/98) 
        in the <A
HREF="samba-pdc-faq.html"
TARGET="_top"
>FAQ</A
>.</P
></BLOCKQUOTE
></DIV
></DIV
><DIV
CLASS="SECT1"
><HR><H1
CLASS="SECT1"
><A
NAME="AEN240"
>Policies</A
></H1
><P
>Policies are an easy way to make or enforce specific characteristics across your network. You create a ntconfig.pol
        file and every time someone logs on with their NTws, the settings you put in ntconfig.pol are applied to the NTws.
        Typical setting are things like making the date appear the way you want it (none of these 2 figure years here) or
        maybe suppressing one of the splash screens. Perhaps you want to set the NTws so it does not keep users profiles
        on the local machine. Cool. The only problem is making the ntconfig.pol file itself. You cannot use the policy editor
        that comes with NTws.</P
><DIV
CLASS="NOTE"
><BLOCKQUOTE
CLASS="NOTE"
><P
><B
>Note: </B
>See the <A
HREF="samba-pdc-faq.html"
TARGET="_top"
>FAQ</A
> for pointers on how to get a suitable Policy Editor.</P
></BLOCKQUOTE
></DIV
><P
>The Policy Editor (and associated files) will create a 
        <TT
CLASS="FILENAME"
>ntconfig.pol</TT
> file using the 
        parameters Microsoft thought of and parameters you specify by making your own 
        template file.</P
><P
>In our example configuration here, Samba will expect to find 
        the <TT
CLASS="FILENAME"
>ntconfig.pol</TT
> file in 
        <TT
CLASS="FILENAME"
>/usr/local/samba/netlogon</TT
>. Needless to say (I hope !), 
        it is vitally important that ordinary users don't have 
        write permission to the Policy files.</P
></DIV
><DIV
CLASS="SECT1"
><HR><H1
CLASS="SECT1"
><A
NAME="AEN251"
>Logon Scripts</A
></H1
><P
>In the sample config file above there is a line 
        <TT
CLASS="FILENAME"
>logon script = scripts\%U.bat</TT
></P
><DIV
CLASS="NOTE"
><BLOCKQUOTE
CLASS="NOTE"
><P
><B
>Note: </B
>Note that the slash is like this '\' not like this '/'. 
        NT is happy with both, win95 is not !</P
></BLOCKQUOTE
></DIV
><P
>This allows you to run a dos batch file every time someone logs on. The batch 
        file is located on the server, in the sample install mentioned here, 
        its in <TT
CLASS="FILENAME"
>/usr/local/samba/netlogon/scripts</TT
> and 
        is named after the user with <TT
CLASS="FILENAME"
>.bat</TT
> appended, eg Joe
        Blow's script is called <TT
CLASS="FILENAME"
>/usr/local/samba/netlogon/scripts/joeblow.bat</TT
>.</P
><DIV
CLASS="NOTE"
><BLOCKQUOTE
CLASS="NOTE"
><P
><B
>Note: </B
>There is a suggestion that user names longer than 8 characters may cause
        problems with some systems being unable to run logon scripts. This is confirmed in earlier
    versions when connecting using W95, comments about other combinations ??</P
></BLOCKQUOTE
></DIV
><P
>You could use a line like this <TT
CLASS="FILENAME"
>logon script = default.bat</TT
> and samba
    will supply <TT
CLASS="FILENAME"
>/usr/local/samba/netlogon/default.bat</TT
> for any client and every
    user. Maybe you could use %m and get a client machine dependant logon script.
    You get the idea...</P
><P
>Note that the file is a dos batch file not a Unix script. It runs dos commands on the client 
        computer with the logon user's permissions. It must be a dos file with each line ending with 
        the dos cr/lf not a nice clean newline. Generally,
        its best to create the initial file on a DOS system and copy it across.</P
><P
>There is lots of very clever uses of the Samba replaceable variables such 
        ( %U = user, %G = primary group, %H = client machine, see the 'man 5 smb.conf') to 
        give you control over which script runs when a particular person logs
        on. (Gee, it would be nice to have a default.bat run when nothing else is available.)</P
><P
>Again, it is vitally important that ordinary users don't have write 
        permission to other peoples, or even probably their own, logon script files.</P
><P
>A typical logon script is reproduced below. Note that it runs separate 
        commands for win95 and NT, that's because NT has slightly different behaviour 
        when using the <TT
CLASS="FILENAME"
>net use ..</TT
> command. Its useful for lots of 
        other situations too. I don't know what syntax to use for win98, I don't use it 
        here.</P
><PRE
CLASS="PROGRAMLISTING"
> 

                rem Default logon script, create links to this file.

                net time \\bioserve /set /yes
                @echo off
                if %OS%.==Windows_NT. goto WinNT

                :Win95
                net use k: \\trillion\bio_prog
                net use p: \\bcfile\homes
                goto end
                :WinNT
                net use k: \\trillion\bio_prog /persistent:no
                net use p: \\bcfile\homes /persistent:no

                :end
        </PRE
></DIV
></DIV
><DIV
CLASS="CHAPTER"
><HR><H1
><A
NAME="AEN272"
>Chapter 5. Passwords and Authentication</A
></H1
><P
>So far our configuration assumes that ordinary users don't have unix logon access. A change
        to the <A
HREF="#AEN211"
><TT
CLASS="FILENAME"
>adduser</TT
></A
> line above would allow unix logon 
        but it would be with passwords that may 
        be different from the NT logon. Clearly that won't suit everyone. Trying to explain to users
        that they need to change their passwords in two seperate places is not fun. 
        Further, even if they cannot do a unix logon there are other processes that 
        might require authentication. We have a nice securely encrypted password in 
        <TT
CLASS="FILENAME"
>/usr/local/samba/private/smbpasswd</TT
>, why not use it ?</P
><DIV
CLASS="SECT1"
><HR><H1
CLASS="SECT1"
><A
NAME="AEN278"
></A
></H1
><DIV
CLASS="SECT2"
><H2
CLASS="SECT2"
><A
NAME="AEN280"
>Syncing Passwords</A
></H2
><P
>Yes, its possible and seems the easiest  way (initially anyway). 
    The <A
HREF="samba-pdc-faq.html"
TARGET="_top"
>FAQ</A
> details how to 
    do so in the sections <I
CLASS="EMPHASIS"
>What is password sync and should I use it ?</I
> and <I
CLASS="EMPHASIS"
>    How do I get remote password (unix and SMB) changing working ?</I
></P
></DIV
><DIV
CLASS="SECT2"
><HR><H2
CLASS="SECT2"
><A
NAME="AEN286"
>Using PAM</A
></H2
><P
>Pam enabled systems have a much better solution available. The Samba 
        PDC server will offer to authenticate domain users to other processes 
        (either on this server or on the domain). With a suitable pam stack 
        such as <A
HREF="http://www.csn.ul.ie/~airlied/pam_smb/"
TARGET="_top"
> Pam_smb</A
> 
        you can get any pam aware application looking to the samba password and 
        can leave the password field in <TT
CLASS="FILENAME"
>/etc/shadow</TT
>
        or <TT
CLASS="FILENAME"
>/etc/passwd</TT
> invalid.</P
></DIV
><DIV
CLASS="SECT2"
><HR><H2
CLASS="SECT2"
><A
NAME="AEN292"
>Authenticating other Samba Servers</A
></H2
><P
>In a domain that has a number of servers you only need one password database. 
        The machines that don't have their own ask the PDC  to check for them.
    This will work fine for a domain controlled by either a Samba or NT machine.</P
><P
>To do so the Samba machine must be told to refer to the PDC and where the PDC is.
    See the section in the NTDom <A
HREF="samba-pdc-faq.html"
TARGET="_top"
>FAQ</A
> called <I
CLASS="EMPHASIS"
>How do I get my samba server to 
    become a member ( not PDC ) of an NT domain?</I
></P
></DIV
></DIV
></DIV
><DIV
CLASS="CHAPTER"
><HR><H1
><A
NAME="AEN298"
>Chapter 6. Background</A
></H1
><DIV
CLASS="SECT1"
><H1
CLASS="SECT1"
><A
NAME="AEN300"
></A
></H1
><DIV
CLASS="SECT2"
><H2
CLASS="SECT2"
><A
NAME="AEN302"
>History</A
></H2
><P
>It might help you understand the limitations of the PDC in Samba if you
        read something of its history. Well, the history as I understand it anyway.</P
><P
>For many years the Samba team have been developing Samba, some time ago 
        a number of people, possibly lead by Luke Leighton started contributing NT 
        PDC stuff. This was added to the 'head' stream (that would eventually
        become the next version) and later to a seperate stream (NTDom). They did so 
        much that eventually this development stream was so mutated that it could not 
        be merged back into the main stream and was abandoned towards the end of 1999. 
        And that was very sad because many users, myself include had become heavily
        dependant on the NTController facilities it offered. Oh well...</P
><P
>The NTDom team continued on with their new found knowledge however and 
        built the TNG stream. Intended to be carefully controlled so that it can be 
        merged back into the main stream and benefiting from what they learnt, it is 
        a very different product to the origional NTDom product. However, for a 
    number of reasons, the merge did not take place and now TNG is being developed 
    at <A
HREF="http://www.samba-tng.org"
TARGET="_top"
>http://www.samba-tng.org</A
>.</P
><P
>Now, the NTDom things that the main strean 2.0.x version does is based more 
        on the old (initial version) abandoned code than on the TNG ideas. It appears 
        that version 2.2.0 will also include an improved version of the 2.0.7 domain 
        controller charactistics, not the TNG ways. The developers have indicated 
        that 2.2.0 will be further developed incrementally and the ideas from TNG 
        incorporated into it.</P
><P
>One more little wriggle is worth mentioning. At one stage the NTDom 
        stream was called Samba 2.1.0-prealpha and similar names. This is most 
        unfortunate because at least one book published advises people who want to 
        use NTDom Samba to get version 2.1.0 or later. As main stream Samba will soon 
        be called 2.2.0  and NOT officially supporting NTDom Controlling functions, 
        the potential for confusion is certainly there.</P
></DIV
><DIV
CLASS="SECT2"
><HR><H2
CLASS="SECT2"
><A
NAME="AEN310"
>The Future</A
></H2
><P
>There is a document on the Samba mirrors called <I
CLASS="EMPHASIS"
>'Development'
        </I
>. It offers the 'best guess'   of what is planned for future releases 
        of Samba.</P
><P
>The future of Samba as a Primary Domain Controller appears rosie, however 
        be aware that its the future, not the present. The developers are strongly committed 
        to building a full featured PDC into Samba but it will  take time. If this 
        version does not meet your requirements then you should consider (in no particular 
        order) :</P
><P
></P
><UL
><LI
><P
> Wait. No, we don't know how long. Repeated asking won't help.</P
></LI
><LI
><P
>Investigate the development versions, TNG perhaps or HEAD where new code is being added
        all the time. Realise that development code is often unstable, poorly documented and subject to change.
        You will need to use cvs to download development versions.</P
></LI
><LI
><P
>Join one of the Samba mailing lists so that you can find out 
        what is happening on the 'bleeding edge'.</P
></LI
></UL
></DIV
><DIV
CLASS="SECT2"
><HR><H2
CLASS="SECT2"
><A
NAME="AEN322"
>Getting further help</A
></H2
><P
>This document cannot possibly answer all your questions. Please understand that its very
        likely that someone has been confrounted by the same problem that you have. The 
    <A
HREF="samba-pdc-faq.html"
TARGET="_top"
>FAQ</A
>
    discusses a number of possible paths to take to get further help :</P
><P
></P
><UL
><LI
><P
>Documents on the Samba Sites.</P
></LI
><LI
><P
>Other web sites.</P
></LI
><LI
><P
>Mailing list.</P
></LI
></UL
><P
>There is some discussion about guide lines for using the Mailing Lists on the 
    accompanying <A
HREF="samba-pdc-faq.html"
TARGET="_top"
>FAQ</A
>,
    please read them before posting.</P
></DIV
></DIV
></DIV
></DIV
></BODY
></HTML
>