diff options
Diffstat (limited to 'docs/textdocs/NTDOMAIN.txt')
-rw-r--r-- | docs/textdocs/NTDOMAIN.txt | 127 |
1 files changed, 127 insertions, 0 deletions
diff --git a/docs/textdocs/NTDOMAIN.txt b/docs/textdocs/NTDOMAIN.txt new file mode 100644 index 00000000000..f0a43b6ba5f --- /dev/null +++ b/docs/textdocs/NTDOMAIN.txt @@ -0,0 +1,127 @@ +Contributor: Luke Kenneth Casson Leighton +Created: October 20, 1997 +Updated: October 20, 1997 + +Subject: NT Domain Logons +=========================================================================== + +As of 1.9.18alpha1, Samba supports logins for NT 4.0 Workstations, without +the need, use or intervention of NT 4.0 Server. This document describes +how to set this up. Over the continued development of the 1.9.18alpha +series, this process (and therefore this document) should become simpler. + +The support is still experimental, so should be used at your own risk. + +NT is not as robust as you might have been led to believe: during the +development of the Domain Logon Support, one person reported having to +reinstall NT from scratch: their workstation had become totally unuseable. + +This *has* been reported to the NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM digest. + + +Domain Logons using 1.9.18alpha1 +================================ + +1) compile samba with -DNTDOMAIN + +2) carry out the following unix commands: + + touch /tmp/netlogon + touch /tmp/srvsvc + chmod 666 /tmp/netlogon + chmod 666 /tmp/srvsvc + +3) set up samba with encrypted passwords: see ENCRYPTION.txt (probably out + of date: you no longer need the DES libraries, but other than that, + ENCRYPTION.txt is current). + +4) for each workstation, add a line to smbpasswd with a username of MACHINE$ + and a password of "machine". this process will be automated in further + releases. + +5) if using NT server to log in, run the User Manager for Domains, and + add the capability to "Log in Locally" to the policies. + +6) set up the following parameters in smb.conf + +; substitute your workgroup here + workgroup = SAMBA + +; a description of domain sids can be found elsewhere. + domain sid = S-1-5-21-123-456-789-123 + +; tells workstations to use SAMBA as its Primary Domain Controller. + domain logons = yes + +7) make sure samba is running before the next step is carried out. if + this is your first time, just for fun you might like to switch the + debug log level to about 10. the NT pipes produces some very pretty + output when decoding requests and generating responses, which would + be particularly useful to see in tcpdump at some point. + +8) In the NT Network Settings, change the domain to SAMBA. Do + not attempt to create an account using the other part of the dialog: + it will fail at present. + + You should get a wonderful message saying "Welcome to the SAMBA Domain." + + If you don't, then please first increase your debug log levels and also + get a tcpdump (or preferably NetMonitor) trace and examine it carefully. + You should see a NETLOGON, a SAMLOGON on UDP port 138. If you don't, + then you probably don't have "domain logons = yes" or there is some other + problem in resolving the NetBIOS name SAMBA<1c>. + + On port 139, you should see a LSA_OPEN_POLICY, two LSA_QUERY_INFOs (one + for a domain SID of S-1-3... and another for S-1-5) and then an LSA_CLOSE + or two. If when you get a connection to the SMB pipe NETLOGON, if /netlogon + access is refused, then you probably haven't granted the correct access + permissions on the /tmp/netlogon file. Likewise for the srvsvc file. + + You may see a pipe connection to a wksta service being refused: this + is acceptable, we have found. You may also see a "Net Server Get Info" + being issued on the srvsvc pipe. + + Assuming you got the Welcome message, go through the obligatory reboot... + +9) When pressing Ctrl-Alt-Delete, the NT login box should have three entries. + If there is a delay of about twenty seconds between pressing Ctrl-Alt-Delete + and the appearance of this login dialog, then there might be a problem: + at this stage the workstation is issuing an LSA_ENUMTRUSTEDDOMAIN request + + The domain box should have two entries: the hostname and the SAMBA domain. + Any local accounts are under the hostname domain, from which you will be + able to shut down the machine etc. At present, we do not specify that + the NT user logging in is a member of any groups, so will have no + priveleges, including the ability to shut down the machine. + + Select the SAMBA domain, and type in a valid username and password for + which there is a valid entry in the samba server's smbpasswd LM/NT OWF + database. + + You should see an LSA_REQ_CHAL, followed by LSA_AUTH2, LSA_NET_SRV_PWSET, + and LSA_SAM_LOGON. The SAM Logon will be particularly large (the response + can be approximately 600 bytes) as it contains user info. + + Also, there will probably be a "Net Server Get Info" and a "Net Share Enum" + amongst this lot. If the SAM Logon is successful, the dialog should + disappear, and a standard SMB connection established to download the + profile specified in the SAM Logon (if it was). + + At this point, you _may_ encounter difficulties in creating a remote + profile, and the login may terminate (generating an LSA_SAM_LOGOFF). If + this occurs, then either find an existing profile on the samba server and + copy it into the location specified by the "logon path" smb.conf parameter + for the user logging in, or log in on the local machine, and use the + System | Profiles control panel to make a copy of the _local_ profile onto + the samba server. + +10) Play around. Look at the Samba Server: see if it can be found in the + browse lists. Check that it is accessible; run some applications. + Generally stress things. Laugh a lot. Logout of the NT machine + (generating an LSA_SAM_LOGOFF) and log back in again. Try logging in + two users simultaneously. Try logging the same user in twice. + Make Samba fall over, and then send bug reports to us, with NTDOM: at + the start of the subject line, as "samba-bugs@samba.anu.edu.au". + +Your reports, testing, patches and criticism will help us get this right. + |