path: root/docs/textdocs/NTDOMAIN.txt
Diffstat (limited to 'docs/textdocs/NTDOMAIN.txt')
-rw-r--r--  docs/textdocs/NTDOMAIN.txt  127
1 files changed, 127 insertions, 0 deletions
diff --git a/docs/textdocs/NTDOMAIN.txt b/docs/textdocs/NTDOMAIN.txt
new file mode 100644
index 00000000000..f0a43b6ba5f
--- /dev/null
+++ b/docs/textdocs/NTDOMAIN.txt
@@ -0,0 +1,127 @@
+Contributor: Luke Kenneth Casson Leighton
+Created: October 20, 1997
+Updated: October 20, 1997
+
+Subject: NT Domain Logons
+===========================================================================
+
+As of 1.9.18alpha1, Samba supports logins for NT 4.0 Workstations, without
+the need, use or intervention of NT 4.0 Server. This document describes
+how to set this up. Over the continued development of the 1.9.18alpha
+series, this process (and therefore this document) should become simpler.
+
+The support is still experimental, so should be used at your own risk.
+
+NT is not as robust as you might have been led to believe: during the
+development of the Domain Logon Support, one person reported having to
+reinstall NT from scratch: their workstation had become totally unuseable.
+
+This *has* been reported to the NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM digest.
+
+
+Domain Logons using 1.9.18alpha1
+================================
+
+1) compile samba with -DNTDOMAIN
+
+2) carry out the following unix commands:
+
+ touch /tmp/netlogon
+ touch /tmp/srvsvc
+ chmod 666 /tmp/netlogon
+ chmod 666 /tmp/srvsvc
+
+3) set up samba with encrypted passwords: see ENCRYPTION.txt (probably out
+ of date: you no longer need the DES libraries, but other than that,
+ ENCRYPTION.txt is current).
+
+4) for each workstation, add a line to smbpasswd with a username of MACHINE$
+ and a password of "machine". this process will be automated in further
+ releases.
+
+5) if using NT server to log in, run the User Manager for Domains, and
+ add the capability to "Log in Locally" to the policies.
+
+6) set up the following parameters in smb.conf
+
+; substitute your workgroup here
+ workgroup = SAMBA
+
+; a description of domain sids can be found elsewhere.
+ domain sid = S-1-5-21-123-456-789-123
+
+; tells workstations to use SAMBA as its Primary Domain Controller.
+ domain logons = yes
+
+7) make sure samba is running before the next step is carried out. if
+ this is your first time, just for fun you might like to switch the
+ debug log level to about 10. the NT pipes produces some very pretty
+ output when decoding requests and generating responses, which would
+ be particularly useful to see in tcpdump at some point.
+
+8) In the NT Network Settings, change the domain to SAMBA. Do
+ not attempt to create an account using the other part of the dialog:
+ it will fail at present.
+
+ You should get a wonderful message saying "Welcome to the SAMBA Domain."
+
+ If you don't, then please first increase your debug log levels and also
+ get a tcpdump (or preferably NetMonitor) trace and examine it carefully.
+ You should see a NETLOGON, a SAMLOGON on UDP port 138. If you don't,
+ then you probably don't have "domain logons = yes" or there is some other
+ problem in resolving the NetBIOS name SAMBA<1c>.
+
+ On port 139, you should see a LSA_OPEN_POLICY, two LSA_QUERY_INFOs (one
+ for a domain SID of S-1-3... and another for S-1-5) and then an LSA_CLOSE
+ or two. If when you get a connection to the SMB pipe NETLOGON, if /netlogon
+ access is refused, then you probably haven't granted the correct access
+ permissions on the /tmp/netlogon file. Likewise for the srvsvc file.
+
+ You may see a pipe connection to a wksta service being refused: this
+ is acceptable, we have found. You may also see a "Net Server Get Info"
+ being issued on the srvsvc pipe.
+
+ Assuming you got the Welcome message, go through the obligatory reboot...
+
+9) When pressing Ctrl-Alt-Delete, the NT login box should have three entries.
+ If there is a delay of about twenty seconds between pressing Ctrl-Alt-Delete
+ and the appearance of this login dialog, then there might be a problem:
+ at this stage the workstation is issuing an LSA_ENUMTRUSTEDDOMAIN request
+
+ The domain box should have two entries: the hostname and the SAMBA domain.
+ Any local accounts are under the hostname domain, from which you will be
+ able to shut down the machine etc. At present, we do not specify that
+ the NT user logging in is a member of any groups, so will have no
+ priveleges, including the ability to shut down the machine.
+
+ Select the SAMBA domain, and type in a valid username and password for
+ which there is a valid entry in the samba server's smbpasswd LM/NT OWF
+ database.
+
+ You should see an LSA_REQ_CHAL, followed by LSA_AUTH2, LSA_NET_SRV_PWSET,
+ and LSA_SAM_LOGON. The SAM Logon will be particularly large (the response
+ can be approximately 600 bytes) as it contains user info.
+
+ Also, there will probably be a "Net Server Get Info" and a "Net Share Enum"
+ amongst this lot. If the SAM Logon is successful, the dialog should
+ disappear, and a standard SMB connection established to download the
+ profile specified in the SAM Logon (if it was).
+
+ At this point, you _may_ encounter difficulties in creating a remote
+ profile, and the login may terminate (generating an LSA_SAM_LOGOFF). If
+ this occurs, then either find an existing profile on the samba server and
+ copy it into the location specified by the "logon path" smb.conf parameter
+ for the user logging in, or log in on the local machine, and use the
+ System | Profiles control panel to make a copy of the _local_ profile onto
+ the samba server.
+
+10) Play around. Look at the Samba Server: see if it can be found in the
+ browse lists. Check that it is accessible; run some applications.
+ Generally stress things. Laugh a lot. Logout of the NT machine
+ (generating an LSA_SAM_LOGOFF) and log back in again. Try logging in
+ two users simultaneously. Try logging the same user in twice.
+ Make Samba fall over, and then send bug reports to us, with NTDOM: at
+ the start of the subject line, as "samba-bugs@samba.anu.edu.au".
+
+Your reports, testing, patches and criticism will help us get this right.
+
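Review bot: step 2 tells the administrator to create /tmp/netlogon and /tmp/srvsvc with mode 666, and step 8 then treats a refused /netlogon connection as a sign that those permissions are wrong, so the new document is instructing people to leave world-writable files at fixed, predictable paths in a shared /tmp directory; the text should say what these files are for, which process needs to open them, and that 666 (rather than an owner-only mode or a dedicated directory) is a shortcut for the alpha series, because as written any local user on the Samba host can tamper with them. Step 4 has the same flavour of problem: adding every MACHINE$ entry to smbpasswd with the fixed password "machine" gives every workstation trust account one well-known secret, and since the step already says the process will be automated in later releases it should also say plainly that this value is a placeholder and not a supported configuration. Minor points: the step 6 comment "a description of domain sids can be found elsewhere" should name the document it means, and there are spelling slips to fix in a follow-up ("unuseable" in the preamble, "the NT pipes produces" in step 7, "priveleges" in step 9).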