From 46ed5a6acde3b2b43ee4c32ff4ace950dba79b8c Mon Sep 17 00:00:00 2001
From: Gerald Carter
will reveal that Windows NT always uses the NT driver - name. The is ok as Windows NT always requires that at least + name. This is ok as Windows NT always requires that at least the Windows NT version of the printer driver is present. However, Samba does not have the requirement internally. Therefore, how can you use the NT driver name if is has not @@ -3648,7 +3653,35 @@ CLASS="SECT1" CLASS="SECT1" >6.1. Background6.1. Prerequisite Reading
Before you continue readingin this chapter, please make sure +that you are comfortable with configuring basic files services +in smb.conf and how to enable and administrate password +encryption in Samba. Theses two topics are covered in the +smb.conf(5) +manpage and the Encryption chapter +of this HOWTO Collection.
Version of Samba prior to release 2.2 had marginal capabilities to -act as a Windows NT 4.0 Primary Domain Controller (PDC). The following -functionality should work in 2.2:
UNIX_INSTALL.html, please make sure +that your server is configured correctly before proceeding. Another good +resource in the smb.conf(5) man +page. The following functionality should work in 2.2:domain logons for Windows NT 4.0/2000 clients +> domain logons for Windows NT 4.0/2000 clients.
Windows 2000 Service Pack 2 Clients |
Samba 2.2.1 is required for PDC functionality when using Windows 2000 + SP2 clients. + |
The following pieces of functionality are not included in the 2.2 release:
Beginning with Samba 2.2.0, we are proud to announce official -support for Windows NT 4.0 style domain logons from Windows NT -4.0 and Windows 2000 (including SP1) clients. This article -outlines the steps necessary for configuring Samba as a PDC. -It is necessary to have a working Samba server prior to implementing the -PDC functionality. If you have not followed the steps outlined in - UNIX_INSTALL.html, please make sure -that your server is configured correctly before proceeding. Another good -resource in the smb.conf(5) man -page.
Implementing a Samba PDC can basically be divided into 2 broad steps.
The first step in creating a working Samba PDC is to @@ -3976,7 +4032,9 @@ CLASS="FILENAME" >
The server must be the domain master browser in order for Windows - client to locate the server as a DC. + client to locate the server as a DC. Please refer to the various + Network Browsing documentation included with this distribution for + details.
A machine trust account is a user account owned by a computer. +>A machine trust account is a samba user account owned by a computer. The account password acts as the shared secret for secure -communication with the Domain Controller. Hence the reason that -a Windows 9x host is never a true member of a domain because -it does not posses a machine trust account and thus has no shared -secret with the DC.
On a Windows NT PDC, these machine trust account passwords are stored -in the registry. A Samba PDC stores these accounts in he same location +in the registry. A Samba PDC stores these accounts in the same location as user LanMan and NT password hashes (currently smbpasswd). However, machine trust accounts only possess and use the NT password hash.
Because Samba requires machine accounts to possess a UNIX uid from +which an Windows NT SID can be generated, all of these accounts +must have an entry in /etc/passwd and smbpasswd. +Future releases will alleviate the need to create +/etc/passwd entries.
There are two means of creating machine trust accounts.
Creation of the account at the time of joining the domain. In this case, the session key of the administrative account used to join the client to the domain acts as an encryption key for setting the - password to a random value. + password to a random value (This is the recommended method).Because Samba requires machine accounts to possess a UNIX uid from -which an Windows NT SID can be generated, all of these accounts -will have an entry in /etc/passwd and smbpasswd. -Future releases will alleviate the need to create -/etc/passwd entries.
The first step in creating a machine trust account by hand is to +create an entry for the machine in /etc/passwd. This can be done +using vipw or any 'add userr' command which is normally +used to create new UNIX accounts. The following is an example for a Linux +based Samba server:root# /usr/sbin/useradd -g 100 -d /dev/null -c machine_nickname -m -s /bin/false machine_name$
The doppy$:x:505:501:NTMachine:/dev/null:/bin/false
doppy$:x:505:501:machine_nickname:/dev/null:/bin/false
If you are manually creating the machine accounts, it is necessary -to add the /etc/passwd (or NIS passwd -map) entry prior to adding the smbpasswd -entry. The following command will create a new machine account -ready for use.
Above, machine_nickname can be any descriptive name for the +pc i.e. BasementComputer. The machine_name absolutely must be +the netbios name of the pc to be added to the domain. The "$" must append the netbios +name of the pc or samba will not recognize this as a machine accountNow that the UNIX account has been created, the next step is to create +the smbpasswd entry for the machine containing the well known initial +trust account password. This can be done using the smbpasswd(8) command +as shown here:
machine_name is the machine's netbios -name.
If you manually create a machine account, immediately join -the client to the domain. An open account like this -can allow intruders to gain access to user account information -in your domain.
The second way of creating machine trust accounts is to add -them on the fly at the time the client is joined to the domain. -You will need to include a value for the
Join the client to the domain immediately |
Manually creating a machine trust account using this method is the + equivalent of creating a machine account on a Windows NT PDC using + the "Server Manager". From the time at which the account is created + to the time which th client joins the domain and changes the password, + your domain is vulnerable to an intruder joining your domain using a + a machine with the same netbios name. A PDC inherently trusts + members of the domain and will serve out a large degree of user + information to such clients. You have been warned! + |
The second, and most recommended way of creating machine trust accounts +is to create them as needed at the time the client is joined to +the domain. You will need to include a value for the add user script -parameter. Below is an example I use on a RedHat 6.2 Linux system.
In Samba 2.2, In Samba 2.2.1, only the root account can be used to create -machine accounts on the fly like this. Therefore, it is required to create +machine accounts like this. Therefore, it is required to create an entry in smbpasswd for root. The password @@ -4154,178 +4299,213 @@ CLASS="FILENAME" >/etc/passwd entry for security reasons.
I cannot include a '$' in a machine name.
A 'machine name' in (typically) I cannot include a '$' in a machine name. +
A 'machine name' in (typically) /etc/passwd -of the machine name with a '$' appended. FreeBSD (and other BSD -systems ?) won't create a user with a '$' in their name.
The problem is only in the program used to make the entry, once -made, it works perfectly. So create a user without the '$' and -use The problem is only in the program used to make the entry, once + made, it works perfectly. So create a user without the '$' and + use vipw to edit the entry, adding the '$'. Or create -the whole entry with vipw if you like, make sure you use a -unique uid !
I get told "You already have a connection to the Domain...." -or "Cannot join domain, the credentials supplied conflict with an -existing set.." when creating a machine account.
+This happens if you try to create a machine account from the -machine itself and already have a connection (e.g. mapped drive) -to a share (or IPC$) on the Samba PDC. The following command -will remove all network drive connections:
This happens if you try to create a machine account from the + machine itself and already have a connection (e.g. mapped drive) + to a share (or IPC$) on the Samba PDC. The following command + will remove all network drive connections: +C:\WINNT\> net use * /d
+Further, if the machine is a already a 'member of a workgroup' that -is the same name as the domain you are joining (bad idea) you will -get this message. Change the workgroup name to something else, it -does not matter what, reboot, and try again.
Further, if the machine is a already a 'member of a workgroup' that + is the same name as the domain you are joining (bad idea) you will + get this message. Change the workgroup name to something else, it + does not matter what, reboot, and try again. +"The system can not log you on (C000019B)...."
The system can not log you on (C000019B).... +I joined the domain successfully but after upgrading -to a newer version of the Samba code I get the message, "The system -can not log you on (C000019B), Please try a gain or consult your -system administrator" when attempting to logon.
This occurs when the domain SID stored in - This occurs when the domain SID stored in + private/WORKGROUP.SID is -changed. For example, you remove the file and smbd automatically -creates a new one. Or you are swapping back and forth between -versions 2.0.7, TNG and the HEAD branch code (not recommended). The -only way to correct the problem is to restore the original domain -SID or remove the domain client from the domain and rejoin.
"The machine account for this computer either does not -exist or is not accessible."
The machine account for this computer either does not + exist or is not accessible. +When I try to join the domain I get the message "The machine account -for this computer either does not exist or is not accessible". Whats -wrong ?
When I try to join the domain I get the message "The machine account + for this computer either does not exist or is not accessible". Whats + wrong? +This problem is caused by the PDC not having a suitable machine account. -If you are using the This problem is caused by the PDC not having a suitable machine account. + If you are using the add user script method to create -accounts then this would indicate that it has not worked. Ensure the domain -admin user system is working.
Alternatively if you are creating account entries manually then they -have not been created correctly. Make sure that you have the entry -correct for the machine account in smbpasswd file on the Samba PDC. -If you added the account using an editor rather than using the smbpasswd -utility, make sure that the account name is the machine netbios name -with a '$' appended to it ( ie. computer_name$ ). There must be an entry -in both /etc/passwd and the smbpasswd file. Some people have reported -that inconsistent subnet masks between the Samba server and the NT -client have caused this problem. Make sure that these are consistent -for both client and server.
Alternatively if you are creating account entries manually then they + have not been created correctly. Make sure that you have the entry + correct for the machine account in smbpasswd file on the Samba PDC. + If you added the account using an editor rather than using the smbpasswd + utility, make sure that the account name is the machine netbios name + with a '$' appended to it ( ie. computer_name$ ). There must be an entry + in both /etc/passwd and the smbpasswd file. Some people have reported + that inconsistent subnet masks between the Samba server and the NT + client have caused this problem. Make sure that these are consistent + for both client and server. +
When I attempt to login to a Samba Domain from a NT4/W2K workstation, -I get a message about my account being disabled.
+This problem is caused by a PAM related bug in Samba 2.2.0. This bug is -fixed in 2.2.1. Other symptoms could be unaccessible shares on -NT/W2K member servers in the domain or the following error in your smbd.log: -passdb/pampass.c:pam_account(268) PAM: UNKNOWN ERROR for User: %user%
This problem is caused by a PAM related bug in Samba 2.2.0. This bug is + fixed in 2.2.1. Other symptoms could be unaccessible shares on + NT/W2K member servers in the domain or the following error in your smbd.log: + passdb/pampass.c:pam_account(268) PAM: UNKNOWN ERROR for User: %user% +At first be ensure to enable the useraccounts with At first be ensure to enable the useraccounts with smbpasswd -e -%user%, this is normaly done, when you create an account.
, this is normaly done, when you create an account. +In order to work around this problem in 2.2.0, configure the - In order to work around this problem in 2.2.0, configure the + account control flag in -/etc/pam.d/samba file as follows:
file as follows: +account required pam_permit.soaccount required pam_permit.so + |
If you want to remain backward compatibility to samba 2.0.x use - If you want to remain backward compatibility to samba 2.0.x use + pam_permit.so, it's also possible to use -pam_pwdb.so. There are some bugs if you try to -use pam_unix.so, if you need this, be ensure to use -the most recent version of this file.
Much of the information necessary to implement System Policies and @@ -4340,92 +4520,107 @@ Profiles and Policies in Windows NT 4.0
Here are some additional details:
What about Windows NT Policy Editor ?
What about Windows NT Policy Editor ? +
To create or edit To create or edit ntconfig.pol you must use -the NT Server Policy Editor, poledit.exe which -is included with NT Server but not NT Workstation. -There is a Policy Editor on a NTws -but it is not suitable for creating Domain Policies. -Further, although the Windows 95 -Policy Editor can be installed on an NT Workstation/Server, it will not -work with NT policies because the registry key that are set by the policy templates. -However, the files from the NT Server will run happily enough on an NTws. -You need poledit.exe, common.adm and winnt.adm. It is convenient -to put the two *.adm files in c:\winnt\inf which is where -the binary will look for them unless told otherwise. Note also that that -directory is 'hidden'.
The Windows NT policy editor is also included with the -Service Pack 3 (and later) for Windows NT 4.0. Extract the files using - The Windows NT policy editor is also included with the Service Pack 3 (and + later) for Windows NT 4.0. Extract the files using servicepackname /x, ie thats , + ie thats Nt4sp6ai.exe -/x for service pack 6a. The policy editor, Nt4sp6ai.exe /x for service pack 6a. The policy editor, + poledit.exe and the -associated template files (*.adm) should -be extracted as well. It is also possible to downloaded the policy template -files for Office97 and get a copy of the policy editor. Another possible -location is with the Zero Administration Kit available for download from Microsoft.
and the associated template files (*.adm) should + be extracted as well. It is also possible to downloaded the policy template + files for Office97 and get a copy of the policy editor. Another possible + location is with the Zero Administration Kit available for download from Microsoft. +Can Win95 do Policies ?
+Install the group policy handler for Win9x to pick up group -policies. Look on the Win98 CD in Install the group policy handler for Win9x to pick up group + policies. Look on the Win98 CD in \tools\reskit\netadmin\poledit. -Install group policies on a Win9x client by double-clicking -grouppol.inf. Log off and on again a couple of -times and see if Win98 picks up group policies. Unfortunately this needs -to be done on every Win9x machine that uses group policies....
If group policies don't work one reports suggests getting the updated -(read: working) grouppol.dll for Windows 9x. The group list is grabbed -from /etc/group.
If group policies don't work one reports suggests getting the updated + (read: working) grouppol.dll for Windows 9x. The group list is grabbed + from /etc/group. +How do I get 'User Manager' and 'Server Manager'
+Since I don't need to buy an NT Server CD now, how do I get -the 'User Manager for Domains', the 'Server Manager' ?
Since I don't need to buy an NT Server CD now, how do I get + the 'User Manager for Domains', the 'Server Manager' ? +Microsoft distributes a version of -these tools called nexus for installation on Windows 95 systems. The -tools set includes
Microsoft distributes a version of these tools called nexus for + installation on Windows 95 systems. The tools set includes +Click here to download the archived file Click here to download the archived file ftp://ftp.microsoft.com/Softlib/MSLFILES/NEXUS.EXE
+The Windows NT 4.0 version of the 'User Manager for -Domains' and 'Server Manager' are available from Microsoft via ftp -from The Windows NT 4.0 version of the 'User Manager for + Domains' and 'Server Manager' are available from Microsoft via ftp + from ftp://ftp.microsoft.com/Softlib/MSLFILES/SRVTOOLS.EXE
+There are many sources of information available in the form @@ -4471,10 +4670,15 @@ of mailing lists, RFC's and documentation. The docs that come with the samba distribution contain very good explanations of general SMB topics such as browsing.
What are some diagnostics tools I can use to debug the domain logon -process and where can I find them?
What are some diagnostics tools I can use to debug the domain logon + process and where can I find them? +
One of the best diagnostic tools for debugging problems is Samba itself. You can use the -d option for both smbd and nmbd to specifiy what @@ -4516,7 +4720,7 @@ CLASS="COMMAND" >
An SMB enabled version of tcpdump is available from - http://www.tcpdup.org/
How do I install 'Network Monitor' on an NT Workstation -or a Windows 9x box?
+Installing netmon on an NT workstation requires a couple of steps. The following are for installing Netmon V4.00.349, which comes @@ -4638,14 +4845,11 @@ CLASS="FILENAME" information on how to do this. Copy the files from a working Netmon installation.
How do I get help from the mailing lists ?
How do I get help from the mailing lists ? +
There are a number of Samba related mailing lists. Go to There are a number of Samba related mailing lists. Go to http://samba.org, click on your nearest mirror -and then click on Support and then click on Samba related mailing lists.
Samba related mailing lists. +For questions relating to Samba TNG go to - For questions relating to Samba TNG go to + http://www.samba-tng.org/ -It has been requested that you don't post questions about Samba-TNG to the -main stream Samba lists.
If you post a message to one of the lists please observe the following guide lines :
If you post a message to one of the lists please observe the following guide lines : +How do I get off the mailing lists ?
+To have your name removed from a samba mailing list, go to the - same place you went to to get on it. Go to http://lists.samba.org, click - on your nearest mirror and then click on , + click on your nearest mirror and then click on Support and - then click on Samba related mailing lists. Or perhaps see - here
+Please don't post messages to the list asking to be removed, you will just - be referred to the above address (unless that process failed in some way...) -
This appendix was originally authored by John H Terpstra of the Samba Team -and is included here for posterity.
Possibly Outdated Material |
This appendix was originally authored by John H Terpstra of + the Samba Team and is included here for posterity. + |
NOTE :
Windows NT Server can be installed as either a plain file and print server (WORKGROUP workstation or server) or as a server that participates in Domain -Control (DOMAIN member, Primary Domain controller or Backup Domain controller).
The same is true for OS/2 Warp Server, Digital Pathworks and other similar -products, all of which can participate in Domain Control along with Windows NT. -However only those servers which have licensed Windows NT code in them can be -a primary Domain Controller (eg Windows NT Server, Advanced Server for Unix.)
To many people these terms can be confusing, so let's try to clear the air.
Note: Author's Note : This document -is a combination of David Bannon's Samba 2.2 PDC HOWTO -and the Samba NT Domain FAQ. Both documents are superceeded by this one.
This document is a combination +of David Bannon's Samba 2.2 PDC HOWTO and the Samba NT Domain FAQ. +Both documents are superceeded by this one.
Version of Samba prior to release 2.2 had marginal capabilities to act as a Windows NT 4.0 Primary Domain Controller (PDC). The following -functionality should work in 2.2.0:
domain logons for Windows NT 4.0/2000 clients
domain logons for Windows NT 4.0/2000 clients +placing a Windows 9x client in user level security
placing a Windows 9x client in user level security +retrieving a list of users and groups from a Samba PDC to - Windows 9x/NT/2000 clients
retrieving a list of users and groups from a Samba PDC to + Windows 9x/NT/2000 clients +roving user profiles
roving (roaming) user profiles +Windows NT 4.0 style system policies
Windows NT 4.0 style system policies +Windows NT 4 domain trusts
Windows NT 4 domain trusts +Sam replication with Windows NT 4.0 Domain Controllers - (i.e. a Samba PDC and a Windows NT BDC or vice versa)
SAM replication with Windows NT 4.0 Domain Controllers + (i.e. a Samba PDC and a Windows NT BDC or vice versa) +Adding users via the User Manager for Domains
Adding users via the User Manager for Domains +Acting as a Windows 2000 Domain Controller (i.e. Kerberos - and Active Directory)
Acting as a Windows 2000 Domain Controller (i.e. Kerberos and + Active Directory) +UNIX_INSTALL.html, please make sure that your server
-is configured correctly before proceeding. Another good
+> UNIX_INSTALL.html, please make sure
+that your server is configured correctly before proceeding. Another good
resource in the Configuring the Samba Domain Controller
+> Configuring the Samba PDC
Creating machine trust accounts
- and joining clients to the domain
= \\homeserver\%u ; specify a generic logon script for all users - ; this is a relative path to the [netlogon] share + ; this is a relative **DOS** path to the [netlogon] share = 0700
There are a couple of points to emphasize in the above -configuration.
There are a couple of points to emphasize in the above configuration.encrypted passwords must be enabled. - For more details on how to do this, refer to - Encrypted passwords must be enabled. For more details on how + to do this, refer to ENCRYPTION.html
The server must support domain logons - and a The server must support domain logons and a + [netlogon] share
share +The server must be the domain master browser - in order for Windows client to locate the server as a DC.
The server must be the domain master browser in order for Windows + client to locate the server as a DC. +As Samba 2.2 does not offer a complete implementation of group mapping between Windows NT groups and UNIX groups (this is really quite complicated to explain in a short space), you should refer to the domain admin users
First you must understand what a machine trust account is and what -it is used for.
A machine trust account is a user account owned by a computer. +>A machine trust account is a samba user account owned by a computer. The account password acts as the shared secret for secure -communication with the Domain Controller. Hence the reason that -a Windows 9x host is never a true member of a domain because -it does not posses a machine trust account and thus has no shared -secret with the DC.
On a Windows NT PDC, these machine trust account passwords are stored -in the registry. A Samba PDC stores these accounts in he same location +in the registry. A Samba PDC stores these accounts in the same location as user LanMan and NT password hashes (currently smbpasswd). -However, machine trust accounts only possess the NT password hash.
There are two means of creating machine trust accounts.
Manual creation before joining the client - to the domain. In this case, the password is set to a known - value -- the lower case of the machine's netbios name.
Creation of the account at the time of - joining the domain. In this case, the session key of the - administrative account used to join the client to the domain acts - as an encryption key for setting the password to a random value.
Because Samba requires machine accounts to possess a UNIX uid from which an Windows NT SID can be generated, all of these accounts -will have an entry in /etc/passwd and smbpasswd. @@ -408,7 +405,23 @@ Future releases will alleviate the need to create /etc/passwd entries.
entries. For those who wish to avoid +editing the passwd file manually the command below should work well:root# /usr/sbin/useradd -g 100 -d /dev/null -c machine_nickname -m -s /bin/false machine_name$
The
doppy$:x:505:501:NTMachine:/dev/null:/bin/falsedoppy$:x:505:501:machine_nickname:/dev/null:/bin/false
If you are manually creating the machine accounts, it is necessary -to add the /etc/passwd (or NIS passwd -map) entry prior to adding the smbpasswd -entry. The following command will create a new machine account -ready for use.
Above, machine_nickname can be any descriptive name for the +pc i.e. BasementComputer. The machine_name absolutely must be +the netbios name of the pc to be added to the domain. The "$" must append the netbios +name of the pc or samba will not recognize this as a machine accountNow that the UNIX account has been created, +the following command shows how to create a new machine account, +enabling the machine to join the domain.
There are two means of creating machine trust accounts.
Manual creation before joining the client to the domain. In this case, + the password is set to a known value -- the lower case of the + machine's netbios name. +
Creation of the account at the time of joining the domain. In + this case, the session key of the administrative account used to join + the client to the domain acts as an encryption key for setting the + password to a random value (This is the recommended method). +
machine_name is the machine's netbios -name.
If you manually create a machine account, immediately join -the client to the domain. An open account like this -can allow intruders to gain access to user account information -in your domain.
The second way of creating machine trust accounts is to add -them on the fly at the time the client is joined to the domain. -You will need to include a value for the -If you manually create a +machine account, immediately join the client to the domain. +An open account like this can allow intruders to gain access to user +account information in your domain.
The second, and again recommended way of creating machine trust accounts +is to add them on the fly at the time the client is joined to the domain. +You will need to include a value for the add user scriptadd user script = /usr/sbin/useradd -d /dev/null -g 100 -s /bin/false -M %u
In Samba 2.2.0, In Samba 2.2, only the root account can be used to create -machine accounts on the fly like this. Therefore, it is required -to create an entry in smbpasswd for root. -The password . The password +SHOULD be set to s different -password that the associated be set to s different password that the +associated /etc/passwd -entry for security reasons.
entry for security reasons.I cannot include a '$' in a machine name.
+A 'machine name' in (typically) A 'machine name' in (typically) /etc/passwd -of the machine name with a '$' appended. FreeBSD (and other BSD -systems ?) won't create a user with a '$' in their name.
The problem is only in the program used to make the entry, once -made, it works perfectly. So create a user without the '$' and -use The problem is only in the program used to make the entry, once + made, it works perfectly. So create a user without the '$' and + use vipw to edit the entry, adding the '$'. Or create -the whole entry with vipw if you like, make sure you use a -unique uid !
I get told "You already have a connection to the Domain...." -when creating a machine account.
This happens if you try to create a machine account from the -machine itself and use a user name that does not work (for whatever -reason) and then try another (possibly valid) user name. -Exit out of the network applet to close the initial connection -and try again.
Further, if the machine is a already a 'member of a workgroup' that -is the same name as the domain you are joining (bad idea) you will -get this message. Change the workgroup name to something else, it -does not matter what, reboot, and try again.
I get told "Cannot join domain, the credentials supplied -conflict with an existing set.."
This is the same basic problem as mentioned above, "You already -have a connection..."
+This happens if you try to create a machine account from the + machine itself and already have a connection (e.g. mapped drive) + to a share (or IPC$) on the Samba PDC. The following command + will remove all network drive connections: +
C:\WINNT\> net use * /d +
Further, if the machine is a already a 'member of a workgroup' that + is the same name as the domain you are joining (bad idea) you will + get this message. Change the workgroup name to something else, it + does not matter what, reboot, and try again. +
"The system can not log you on (C000019B)...."
The system can not log you on (C000019B).... +I joined the domain successfully but after upgrading -to a newer version of the Samba code I get the message, "The system -can not log you on (C000019B), Please try a gain or consult your -system administrator" when attempting to logon.
This occurs when the domain SID stored in - This occurs when the domain SID stored in + private/WORKGROUP.SID is -changed. For example, you remove the file and smbd automatically -creates a new one. Or you are swapping back and forth between -versions 2.0.7, TNG and the HEAD branch code (not recommended). The -only way to correct the problem is to restore the original domain -SID or remove the domain client from the domain and rejoin.
"The machine account for this computer either does not -exist or is not accessible."
The machine account for this computer either does not + exist or is not accessible. +When I try to join the domain I get the message "The machine account + for this computer either does not exist or is not accessible". Whats + wrong ? +
When I try to join the domain I get the message "The machine account -for this computer either does not exist or is not accessible". Whats -wrong ?
This problem is caused by the PDC not having a suitable machine account. + If you are using the add user script method to create + accounts then this would indicate that it has not worked. Ensure the domain + admin user system is working. +Alternatively if you are creating account entries manually then they + have not been created correctly. Make sure that you have the entry + correct for the machine account in smbpasswd file on the Samba PDC. + If you added the account using an editor rather than using the smbpasswd + utility, make sure that the account name is the machine netbios name + with a '$' appended to it ( ie. computer_name$ ). There must be an entry + in both /etc/passwd and the smbpasswd file. Some people have reported + that inconsistent subnet masks between the Samba server and the NT + client have caused this problem. Make sure that these are consistent + for both client and server. +
This problem is caused by the PDC not having a suitable machine account. -If you are using the When I attempt to login to a Samba Domain from a NT4/W2K workstation, + I get a message about my account being disabled. +
This problem is caused by a PAM related bug in Samba 2.2.0. This bug is + fixed in 2.2.1. Other symptoms could be unaccessible shares on + NT/W2K member servers in the domain or the following error in your smbd.log: + passdb/pampass.c:pam_account(268) PAM: UNKNOWN ERROR for User: %user% +
At first be ensure to enable the useraccounts with add user script = method to create -accounts then this would indicate that it has not worked. Ensure the domain -admin user system is working.
Alternatively if you are creating account entries manually then they -have not been created correctly. Make sure that you have the entry -correct for the machine account in smbpasswd file on the Samba PDC. -If you added the account using an editor rather than using the smbpasswd -utility, make sure that the account name is the machine netbios name -with a '$' appended to it ( ie. computer_name$ ). There must be an entry -in both /etc/passwd and the smbpasswd file. Some people have reported -that inconsistent subnet masks between the Samba server and the NT -client have caused this problem. Make sure that these are consistent -for both client and server.
smbpasswd -e + %user%, this is normaly done, when you create an account. +In order to work around this problem in 2.2.0, configure the + account control flag in + /etc/pam.d/samba file as follows: +
account required pam_permit.so +If you want to remain backward compatibility to samba 2.0.x use + pam_permit.so, it's also possible to use + pam_pwdb.so. There are some bugs if you try to + use pam_unix.so, if you need this, be ensure to use + the most recent version of this file. +
There has been some initial confusion about what all this means +and whether or not it is a requirement for printer drivers to be +installed on a Samba host in order to support printing from Windows +clients. A bug existed in Samba 2.2.0 which made Windows NT/2000 clients +require that the Samba server possess a valid driver for the printer. +This is fixed in Samba 2.2.1 and once again, Windows NT/2000 clients +can use the local APW for installing drivers to be used with a Samba +served printer. This is the same behavior exhibited by Windows 9x clients. +As a side note, Samba does not use these drivers in any way to process +spooled files. They are utilized entirely by the clients.
The following MS KB article, may be of some help if you are dealing with +Windows 2000 clients: How to Add Printers with No User +Interaction in Windows 2000
http://support.microsoft.com/support/kb/articles/Q189/1/05.ASP
WARNING!!! Previous versions of Samba -recommended using a share named [printer$]. This name was taken from the -printer$ service created by Windows 9x clients when a -printer was shared. Windows 9x printer servers always have +>
[print$] vs. [printer$] |
Previous versions of Samba recommended using a share named [printer$]. +This name was taken from the printer$ service created by Windows 9x +clients when a printer was shared. Windows 9x printer servers always have a printer$ service which provides read-only access via no password in order to support printer driver downloads. These parameters, including printer driver +>printer driver file parameter, are being depreciated and should not be used in new installations. For more information on this change, you should refer to the Migration section of this document. Migration section +of this document. |
smb.conf(5) man page for more information on -configuring file shares.
smb.conf(5) +man page for more information on configuring file shares.The requirement for guest ok = yesguest +ok = yes depends upon how your site is configured. If users will be guaranteed to have @@ -257,26 +306,26 @@ ALIGN="CENTER" ALIGN="LEFT" >
In order to currently add a new driver to you Samba host, - one of two conditions must hold true:
The account used to connect to the Samba host - must have a uid of 0 (i.e. a root account)
The account used to connect to the Samba host - must be a member of the printer - admin list.
Of course, the connected account must still possess access - to add files to the subdirectories beneath [print$].
The initial listing of printers in the Samba host's -Printers folder will have no printer driver assigned to them. -The way assign a driver to a printer is to view the Properties -of the printer and either
NO PRINTER DRIVER AVAILABLE FOR THIS PRINTER. +Later versions changed this to a NULL string to allow the use +tof the local Add Printer Wizard on NT/2000 clients. +Attempting to view the printer properties for a printer +which has this default driver assigned will result in +the error message:Device settings cannot be displayed. The driver +for the specified printer is not installed, only spooler +properties will be displayed. Do you want to install the +driver now?
Click "No" in the error dialog and you will be presented with +the printer properties window. The way assign a driver to a +printer is to either
$ rpcclient pogo -U root%bleaK.er \ +>rpcclient pogo -U root%secret \ >
printer admin. +>).
There is a complementing deleteprinter -commanddelete +printer command for removing entries from the "Printers..." @@ -533,7 +603,7 @@ CLASS="SECT2" >
Given that printer driver management has changed - (we hope improved :) ) in 2.2.0 over prior releases, - migration from an existing setup to 2.2.0 can follow - several paths.
Given that printer driver management has changed (we hope improved) in +2.2 over prior releases, migration from an existing setup to 2.2 can +follow several paths.Windows clients have a tendency to remember things for quite a while. +For example, if a Windows NT client has attached to a Samba 2.0 server, +it will remember the server as a LanMan printer server. Upgrading +the Samba host to 2.2 makes support for MSRPC printing possible, but +the NT client will still remember the previous setting.
In order to give an NT client printing "amesia" (only necessary if you +want to use the newer MSRPC printing functionality in Samba), delete +the registry keys associated with the print server contained in +[HKLM\SYSTEM\CurrentControlSet\Control\Print]. The +spooler service on the client should be stopped prior to doing this:
C:\WINNT\ > net stop spooler
All the normal disclaimers about editing the registry go +here. Be careful, and know what you are doing.
The spooler service should be restarted after you have finished +removing the appropriate registry entries by replacing the +stop command above with start.
Windows 9x clients will continue to use LanMan printing calls +with a 2.2 Samba server so there is no need to perform any of these +modifications on non-NT clients.
The following smb.conf parameters are considered to be - depreciated and will be removed soon. Do not use them - in new installations
The following smb.conf parameters are considered to be depreciated and will +be removed soon. Do not use them in new installationsprinter driver (S) -
printer driver location (S) -
If you do not desire the new Windows NT - print driver support, nothing needs to be done. - All existing parameters work the same.
If you want to take advantage of NT printer - driver support but do not want to migrate the - 9x drivers to the new setup, the leave the existing - printers.def file. When smbd attempts to locate a - 9x driver for the printer in the TDB and fails it - will drop down to using the printers.def (and all - associated parameters). The make_printerdef - tool will also remain for backwards compatibility but will - be moved to the "this tool is the old way of doing it" - pile.
If you install a Windows 9x driver for a printer - on your Samba host (in the printing TDB), this information will - take precedence and the three old printing parameters - will be ignored (including print driver location).
printers.def - file into the new setup, the current only - solution is to use the Windows NT APW to install the NT drivers - and the 9x drivers. This can be scripted using smbclient - and and rpcclient. See the - Imprints installation client at http://imprints.sourceforge.net/ - for an example. -
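Review bot: several of the newly added documentation lines carry spelling and grammar slips that will ship to readers as-is: "amesia" in the NT client printing paragraph should be "amnesia"; "depreciated" should be "deprecated" both in the [print$] vs. [printer$] note and in the deprecated-parameters heading; "tof the local Add Printer Wizard" should be "of the local Add Printer Wizard"; "The way assign a driver to a printer" needs "to" ("The way to assign"); "normaly" should be "normally"; "be ensure to" (twice, in the PAM FAQ) should be "be sure to"; and "remain backward compatibility to samba 2.0.x" should read "remain backward compatible with Samba 2.0.x". The FAQ question "Whats wrong ?" should be "What's wrong?".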
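Review bot: the PAM workaround for the 2.2.0 account bug (`account required pam_permit.so` in /etc/pam.d/samba) should say what it costs: pam_permit.so always returns success, so whatever account checks the account stack would otherwise enforce (expired or disabled accounts) are bypassed for every connection that smbd authenticates through PAM. Suggest adding one sentence that this is a temporary workaround to be removed once 2.2.1 is deployed, and making clear that the preceding `smbpasswd -e %user%` step (the account's enable flag in the smbpasswd file) is a separate check, not a replacement for the PAM change.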
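Review bot: the `rpcclient pogo -U root%secret` example still puts the password of a uid 0 (or printer admin) account on the command line; this revision only swaps the literal password. Suggest showing `-U root` and letting rpcclient prompt for the password, with a short remark that a `user%password` argument is visible to other local users in process listings and is kept in shell history.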
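Review bot: the migration paragraph tells the reader to delete "the registry keys associated with the print server contained in [HKLM\SYSTEM\CurrentControlSet\Control\Print]" but never names which subkeys those are; taken literally, a reader may remove the whole Print key and lose every local printer and driver definition on the client rather than only the cached LanMan entry for the Samba server. Suggest naming the exact server subkey to remove, and replacing "All the normal disclaimers about editing the registry go here" with a concrete step: export the key before deleting it so the client can be restored if printing breaks after the `net stop spooler` / `net start spooler` cycle.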