2.1. How do I download the latest Samba NT Domain Controller code?
Before continuing, please be aware that the development branch of Samba changes very
rapidly. Recently there has been an average of 20 code check-ins a day. You've been
warned!
For general information on accessing the samba source code via CVS, see http://cvs.samba.org/cvs.html
To download the latest Samba Domain Controller source code:
- Obtain a recent copy of the cvs client binary. The cvs source code is available from ftp://download.cyclic.com/pub/
- Now run the following command:
cvs -d :pserver:cvs@samba.org:/cvsroot login
When you are prompted for a password, enter 'cvs' without the quotes.
- Now run the command:
cvs -d :pserver:cvs@samba.org:/cvsroot co samba
- To update your source code, run the following command:
cvs update -d -P
If you want to update the entire archive of the main branch code, make sure that you are
located in the top directory of the samba tree (i.e. the samba directory).
2.2. How do I get my NT Workstation / Server to login to the Samba controlled Domain?
- Obtain the latest main branch samba code (see question 2.1).
- Set up samba with encrypted passwords: see ENCRYPTION.txt (probably out of date: you no
longer need the DES libraries, but other than that, ENCRYPTION.txt is current).
At this point, it is advisable to test that your samba server is accessible correctly with
encrypted passwords, before progressing with any of the NT workstation-specific bits: it's
up to you.
To create the machine account on the Samba PDC, first create an account
in /etc/passwd for the username workstation_name$. Currently the uid is all
that will be used, and this is to ensure that the samba generated machine RID for the
workstation account will be unique. Therefore you should not reuse unix uids in
/etc/passwd. The shell and home directory fields in /etc/passwd are not used for now
and can be set to /bin/false and /dev/null respectively.
Here are some example entries:
ws1$:*:801:800:NT Workstation 1:/dev/null:/bin/false
ws2$:*:802:800:NT Workstation 2:/dev/null:/bin/false
Now run the following command
smbpasswd -a -m workstation_name
This will create an entry in the private/smbpasswd file in the form of
workstation_name$:uid:LM_XXX:NT_XXX:[W ]:LTC-XXXX:
The LM_XXX and NT_XXX fields are the ASCII representations of the 16 byte LanMan and NT
MD4 hashes respectively of the password workstation_name.
When a machine joins a domain it uses a default password (i.e. its netbios name in
lower case letters). Once it has successfully joined the domain, the client will
change its password to some random value using the old password as the encryption key.
Therefore, if you must rejoin the domain, you must reset the password for the workstation
trust account on the server.
If using NT server to log in, run the User Manager for Domains, and
grant "Everyone" (or "Authenticated Users", assuming NT4SP3 or higher) the
capability to Log in Locally, which you would have to do even if you were
logging in to another NT PDC instead of a Samba PDC.
Set up the following parameters in smb.conf
; substitute your workgroup here
workgroup = SAMBA
; tells workstations to use SAMBA as its Primary Domain Controller.
domain logons = yes
- Starting smbd will create a file named private/SAMBA.SID with permissions rw-r--r--. The
file contains the domain SID for the samba PDC. The filename will differ depending on the
value of the workgroup parameter. If the contents of this file change, no
domain members will be able to log on and they will need to be re-added to the domain.
Guard it carefully!
- Make sure samba is running before the next step is carried out. If this is your first
time, just for fun you might like to switch the debug log level to about 20. The NT pipes
produce some very pretty output when decoding requests and generating responses, which
would be particularly useful to see in tcpdump at some point.
- In the NT Network Settings, change the domain to SAMBA. Do not attempt to create an
account using the other part of the dialog; it will fail at present. You should get
a wonderful message saying "Welcome to the SAMBA Domain."
If you don't, then please first increase your debug log levels and also get a tcpdump (or
preferably NetMonitor) trace and examine it carefully. You should see a NETLOGON and a
SAMLOGON on UDP port 138. If you don't, then you probably don't have "domain logons =
yes" or there is some other problem in resolving the NetBIOS name SAMBA<1c>.
On port 139, you should see a LSA_OPEN_POLICY, two LSA_QUERY_INFOs (one for a domain SID
of S-1-3... and another for S-1-5) and then an LSA_CLOSE or two. You may see a pipe
connection to a wkssvc pipe, and you may also see a "Net Server Get Info" being
issued on the srvsvc pipe.
Assuming you got the Welcome message, go through the obligatory reboot (the NT box, not
the Samba server).
2.3. When I try to join the domain I get the message "The machine account for this computer either does not exist or is not accessible."
First thing to do is to make sure that you have the entry correct for the machine
account in the smbpasswd file on the Samba PDC. If you added the account manually rather
than using the smbpasswd utility, make sure that the account name is the machine netbios
name with a '$' appended to it (i.e. computer_name$) and the password is the machine name
in **lower** case letters. Also make sure that the account type is [W ].
Some people have reported that inconsistent subnet masks between the Samba server and
the NT client have caused this problem. Make sure that these are consistent for both
client and server.
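The checks in 2.2 and 2.3 (machine account name ending in '$', unique uid because the RID is derived from it, account type [W ], and an NT hash that still equals the lower-case netbios name until the client changes it after joining) can be run mechanically over the two files. The following script is an added example, not part of this FAQ or of the Samba code. It carries its own MD4 because hashlib's md4 is often unavailable, computes only the NT (MD4 over UTF-16LE) hash and not the LanMan hash, and the /etc/passwd and smbpasswd lines it checks are constructed sample data. Reporting a trust account still at the default password is the defender's check here: after a successful join that hash should have been replaced.

```python
import struct

# Constructed sample /etc/passwd entries in the shape the FAQ shows (ws2$ reuses
# ws1$'s uid on purpose, which the FAQ warns against because the RID comes from the uid).
PASSWD_LINES = [
    "ws1$:*:801:800:NT Workstation 1:/dev/null:/bin/false",
    "ws2$:*:801:800:NT Workstation 2:/dev/null:/bin/false",
]


def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320); the NT OWF is MD4 over the UTF-16LE password."""
    mask = 0xFFFFFFFF
    F = lambda x, y, z: (x & y) | (~x & z)
    G = lambda x, y, z: (x & y) | (x & z) | (y & z)
    H = lambda x, y, z: x ^ y ^ z
    rotl = lambda x, n: ((x << n) | (x >> (32 - n))) & mask
    msg = bytearray(data) + b"\x80"            # padding: 0x80, zeros, 64-bit LE bit length
    while len(msg) % 64 != 56:
        msg += b"\x00"
    msg += struct.pack("<Q", len(data) * 8)
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    rounds = (
        (F, 0x00000000, list(range(16)), (3, 7, 11, 19)),
        (G, 0x5A827999, [0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15], (3, 5, 9, 13)),
        (H, 0x6ED9EBA1, [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15], (3, 9, 11, 15)),
    )
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = state
        for fn, const, order, shifts in rounds:
            for i, k in enumerate(order):
                a = rotl((a + fn(b, c, d) + X[k] + const) & mask, shifts[i % 4])
                a, b, c, d = d, a, b, c       # rotate registers so the next step works on "a"
        state = [(s + v) & mask for s, v in zip(state, (a, b, c, d))]
    return struct.pack("<4I", *state)


def nt_hash(password: str) -> str:
    """NT hash as the upper-case hex the NT_XXX field of smbpasswd holds."""
    return md4(password.encode("utf-16-le")).hex().upper()


def audit_trust_accounts(passwd_lines, smbpasswd_lines):
    """Return (finding, account) pairs for the machine-account rules in FAQ 2.2 / 2.3."""
    findings = []
    uids = {}
    for line in passwd_lines:
        name, _pw, uid, _gid, _gecos, home, shell = line.split(":")
        if not name.endswith("$"):
            findings.append(("not-a-trust-name", name))
        if uid in uids:
            findings.append(("duplicate-uid", name))        # RID would collide
        uids.setdefault(uid, name)
        if home != "/dev/null" or shell != "/bin/false":
            findings.append(("unexpected-home-or-shell", name))
    for line in smbpasswd_lines:
        name, uid, _lm, nt, flags = line.split(":")[:5]
        if uids.get(uid) != name:
            findings.append(("uid-mismatch", name))         # must match the /etc/passwd uid
        if not flags.startswith("[W"):
            findings.append(("not-workstation-flag", name)) # FAQ 2.3: account type must be [W ]
        if nt.upper() == nt_hash(name.rstrip("$").lower()):
            findings.append(("default-password", name))     # still the pre-join password
    return findings


# Constructed smbpasswd lines in the FAQ's layout; ws1$ still carries the default
# (lower-case netbios name) NT hash, ws2$ has a wrong uid and a user (not workstation) flag.
SMBPASSWD_LINES = [
    "ws1$:801:" + "X" * 32 + ":" + nt_hash("ws1") + ":[W ]:LCT-00000000:",
    "ws2$:802:" + "X" * 32 + ":8846F7EAEE8FB117AD06BDD830B7586C:[U ]:LCT-00000000:",
]

if __name__ == "__main__":
    for finding, account in audit_trust_accounts(PASSWD_LINES, SMBPASSWD_LINES):
        print(f"{account}: {finding}")
```

On the constructed input the script reports the duplicate uid for ws2$, the default password still present on ws1$, and the uid mismatch and wrong account flag on ws2$; a clean pair of files produces no output.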
2.4. I successfully joined the Samba controlled domain, but now I can't login!
- When pressing Ctrl-Alt-Delete, the NT login box should have three entries. If
there is a delay of about twenty seconds between pressing Ctrl-Alt-Delete and the
appearance of this login dialog, then there might be a problem: at this stage the
workstation is issuing an LSA_ENUMTRUSTEDDOMAIN request.
The domain box should have two entries: the hostname and the SAMBA domain. Any local
accounts are under the hostname domain. Global groups are defined using the "domain group map" parameter. Select the SAMBA
domain, and type in a valid username and password for which there is a valid entry in the
samba server's smbpasswd LM/NT OWF database.
You should see an LSA_REQ_CHAL, followed by LSA_AUTH2, LSA_NET_SRV_PWSET, and
LSA_SAM_LOGON. The SAM Logon will be particularly large (the response can be approximately
600 bytes) as it contains user info.
Also, there will probably be a "Net Server Get Info" and a "Net Share
Enum" amongst this lot. If the SAM Logon is successful, the dialog should disappear,
and a standard SMB connection established to download the profile specified in the SAM
Logon (if it was).
At this point, you _may_ encounter difficulties in creating a remote profile, and the
login may terminate (generating an LSA_SAM_LOGOFF). If this occurs, then either find an
existing profile on the samba server and copy it into the location specified by the
"logon path" smb.conf parameter for the user logging in, or log in on the local
machine, and use the System | Profiles control panel to make a copy of the _local_ profile
onto the samba server. This process is described and documented in the NT Help Files.
- Play around. Look at the Samba Server: see if it can be found in the browse lists. Check
that it is accessible; run some applications. Generally stress things. Laugh a lot.
Log out of the NT machine (generating an LSA_SAM_LOGOFF) and log back in again. Try logging
in two users simultaneously. Try logging the same user in twice. Make Samba fall
over, and then send bug reports to us, with NTDOM: at the start of the subject line, to
samba-bugs@samba.org. Join the samba-ntdom@samba.org mailing list: help with or
watch the latest developments.
2.5. What's the status of print spool (\PIPE\spoolss) support in the NTDOM code?
The implementation of support for the spoolss pipe is about 75% done but has not been
checked into the HEAD branch code (well, not exactly true... parts of it have). The
current solution implemented in Samba 2.0 is to cause the NT box to thunk back down to the
LanMan printing calls. If you add a printer from a Samba 2.0 server, the port should
appear in the connection as a LanMan printer port.
2.6. I keep getting the message "trust account xxx should be in DOMAIN_GROUP_RID_USERS." What do I need to do?
Nothing. This is a note that one of the developers put in to remind him of an
issue that is yet to be resolved. It is harmless and should be ignored. If you
find it filling up your debug logs, you can set it to be logged at a higher level:
edit passdb/sampass.c and locate the string, then change the debug level from 0 to 3
or higher.
2.7. I joined the domain successfully but after upgrading to a newer version of the Samba code I get the message, "The system can not log you on (C000019B), Please try again or consult your system administrator" when attempting to logon
This occurs when the domain SID stored in private/WORKGROUP.SID is
changed. For example, you remove the file and smbd automatically creates a new one.
Or you are swapping back and forth between versions 2.0.x and the HEAD branch code
(not recommended). The only way to correct the problem is to:
- Restore the original domain SID, or
- Remove the domain client from the domain and rejoin.
This FAQ is maintained by Jerry Carter. E-mail comments / suggestions to jerry@samba.org.
All trademarks are the sole property of their respective owners.