2
<body bgcolor="#ffffff">
4
<img src="samba2_xs.gif" border="0" alt=" " height="100" width="76"
5
hspace="10" align="left" />
7
<h1 class="head0">Chapter 4. Windows NT Domains</h1>
11
<p><a name="INDEX-1"/>In previous
12
chapters, we've focused on workgroup networking to
13
keep things simple and introduce you to networking with Samba in the
14
most painless manner we could find. However, workgroup computing has
15
its drawbacks, and for many computing environments, the greater
16
security and single logon of the Windows NT domain make it worthwhile
17
to spend the extra effort to implement a domain.</p>
19
<p>In addition to the domain features of
20
<a name="INDEX-2"/>that we discussed in <a href="ch01.html">Chapter 1</a>, having a domain makes it possible to use
21
<em class="firstterm">logon scripts</em><a name="INDEX-3"/> and <em class="firstterm">roaming profiles
22
</em><a name="INDEX-4"/>(also called<em class="firstterm"> roving
23
profiles</em><a name="INDEX-5"/>). A logon
24
script is a text file of commands that are run during startup, and a
25
profile is a collection of information regarding the desktop
26
environment, including the contents of the Start menu, icons that
27
appear on the desktop, and other characteristics about the GUI
28
environment that users are allowed to customize. A roaming profile
29
can follow its owner from computer to computer, allowing her to have
30
the same familiar interface appear wherever she logs on.</p>
32
<p>A Windows NT domain offers centralized control over the network.
33
<em class="firstterm">Policies</em><a name="INDEX-6"/> can be set up by an administrator to
34
define aspects of the users' environment and limit
35
the amount of control they have over the network and their computers.
36
It is also possible for administrators to perform remote
37
administration of the domain controllers from any Windows NT/2000/XP
40
<p>Samba 2.2 has the ability to act as a primary domain controller,
41
supporting domain logons from Windows 95/98/Me/NT/2000/XP computers
42
and allowing Windows NT/2000/XP<a name="FNPTR-1"/><a href="#FOOTNOTE-1">[1]</a> systems to join the domain as domain
43
member servers. Samba can also join a domain as a member server,
44
allowing the primary domain controller to be a Windows NT/2000 system
45
or another Samba server.</p>
47
<a name="samba2-CHP-4-NOTE-100"/><blockquote class="note"><h4 class="objtitle">TIP</h4>
48
<p>Samba 2.2 does not support <a name="INDEX-7"/><a name="INDEX-8"/><a name="INDEX-9"/>LDAP and <a name="INDEX-10"/>Kerberos authentication of Active
49
Directory, so it cannot act as a Windows 2000 Active Directory domain
50
controller. However, Samba can be added to an Active Directory domain
51
as a member server, with the Windows 2000 domain controllers running
52
in either mixed or native mode. The Windows 2000 server (even if it
53
is running in native mode) supports the Samba server by acting as a
54
<a name="INDEX-11"/><a name="INDEX-12"/>PDC emulator, using the Windows NT
55
style of authentication rather than the Kerberos style.</p>
58
<p>If you're adding a Samba server to a network that
59
has already been set up, you won't have to decide
60
whether to use a workgroup or a domain; you will simply have to be
61
compatible with what's already in place. If you do
62
have a choice, we suggest you evaluate both workgroup and domain
63
computing carefully before rolling out a big installation. You will
64
have a lot of work to do if you later need to convert one to the
65
other. One last thought on this matter is that Microsoft is
66
developing Windows in the direction of increased use of domains and
67
is intending that eventually Windows networks be composed solely of
68
Active Directory domains. If you implement a Windows NT domain now,
69
you'll be in a better position to transition to
70
Active Directory later, after Samba has better support for it.</p>
72
<p>In this chapter, we cover various topics directly related to using
73
Samba in a Windows NT domain, including:</p>
76
<p>Configuring and using Samba as the primary domain controller</p>
78
<p>Setting up Windows 95/98/Me systems to log on to the domain</p>
80
<p>Implementing user-level security on Windows 95/98/Me</p>
82
<p>Adding Windows NT/2000/XP systems to the domain</p>
84
<p>Configuring logon scripts, roaming profiles, and system policies</p>
86
<p>Adding a Samba server to a domain as a member server</p>
92
<div class="sect1"><a name="samba2-CHP-4-SECT-1"/>
94
<h2 class="head1">Samba as the Primary Domain Controller</h2>
96
<p><a name="INDEX-13"/>Samba 2.2
97
is able to handle the most desired functions of a primary domain
98
controller in a Windows NT domain, handling domain logons and
99
authentication for accessing shared resources, as well as supporting
100
logon scripts, roaming profiles, and system policies.</p>
102
<a name="samba2-CHP-4-NOTE-101"/><blockquote class="note"><h4 class="objtitle">TIP</h4>
103
<p>You will need to use at least Samba 2.2 to ensure that PDC
104
functionality for Windows NT/2000/XP clients is present. Prior to
105
Samba 2.2, only limited user authentication for NT clients was
109
<p>In this section, we will show you how to configure Samba as a PDC for
110
use with Windows 95/98/Me and Windows NT/2000/XP clients. The two
111
groups of Windows versions interact differently within domains, and
112
in some cases are supported in slightly different ways. If you know
113
you are going to be using only Windows 95/98/Me or Windows
114
NT/2000/XP, you can set up Samba to support only that group. However,
115
there isn't any harm in supporting both at the same
118
<a name="samba2-CHP-4-NOTE-102"/><blockquote class="note"><h4 class="objtitle">TIP</h4>
119
<p>If you would like more information on how to set up
120
<a name="INDEX-14"/>domains, see the file
121
<em class="filename">Samba-PDC-HOWTO.html</em><a name="INDEX-15"/>
122
in the <em class="filename">docs/htmldocs</em> directory of the Samba
123
source distribution.</p>
126
<p>Samba must be the only domain controller for the domain. Make sure
127
that a PDC isn't already active, and that there are
128
no backup domain controllers. Samba 2.2 is not able to communicate
129
with backup domain controllers, and having domain controllers in your
130
domain with unsynchronized data would result in a very dysfunctional
133
<a name="samba2-CHP-4-NOTE-103"/><blockquote class="note"><h4 class="objtitle">TIP</h4>
134
<p>Although Samba 2.2 cannot function as, or work with, a Windows NT
135
<a name="INDEX-16"/><a name="INDEX-17"/>BDC, it is possible to set up
136
another Samba server to act as a backup for a Samba PDC. For further
137
information, see the file
138
<em class="filename">Samba-BDC-HOWTO.html</em><a name="INDEX-18"/>
139
in the <em class="filename">docs/htmldocs</em> directory of the Samba
140
source distribution.</p>
143
<p>Configuring Samba to be a PDC is a matter of modifying the
144
<em class="filename">smb.conf</em> file, creating some directories, and
145
restarting the server.</p>
148
<div class="sect2"><a name="samba2-CHP-4-SECT-1.1"/>
150
<h3 class="head2">Modifying smb.conf</h3>
152
<p>First you will need to start with an
153
<em class="filename">smb.conf</em><a name="INDEX-19"/><a name="INDEX-20"/> file that correctly configures Samba for
154
workgroup computing, such as the one we created in <a href="ch02.html">Chapter 2</a>, and insert the following lines into the
155
<tt class="literal">[global]</tt> section:</p>
157
<blockquote><pre class="code">[global]
158
; use the name of your Samba server instead of toltec
159
; and your own workgroup instead of METRAN
160
netbios name = toltec
162
encrypt passwords = yes
166
preferred master = yes
172
; logon path tells Samba where to put Windows NT/2000/XP roaming profiles
173
logon path = \\%L\profiles\%u\%m
174
logon script = logon.bat
177
; logon home is used to specify home directory and
178
; Windows 95/98/Me roaming profile location
179
logon home = \\%L\%u\.win_profile\%m
183
; instead of jay, use the names of all users in the Windows NT/2000/XP
184
; Administrators group who log on to the domain
185
domain admin group = root jay
187
; the below works on Red Hat Linux - other OSs might need a different command
188
add user script = /usr/sbin/useradd -d /dev/null -g 100 -s /bin/false -M %u</pre></blockquote>
190
<p>And after the <tt class="literal">[global]</tt> section, add these three
193
<blockquote><pre class="code">[netlogon]
194
path = /usr/local/samba/lib/netlogon
199
; you might wish to use a different directory for your
200
; Windows NT/2000/XP roaming profiles
201
path = /home/samba-ntprof
205
directory mask = 0700
211
map archive = yes</pre></blockquote>
213
<p>Now for the explanation. If you are comparing this example to the
214
configuration file presented in <a href="ch02.html">Chapter 2</a>, you
215
will notice that the first three parameter settings are similar. We
216
start out in the <tt class="literal">[global]</tt> section by setting the
217
NetBIOS name of the Samba server. We are using the default, which is
218
the DNS hostname, but are being explicit because the NetBIOS name is
219
used in UNCs that appear later in <em class="filename">smb.conf</em>. The
220
next two lines, setting the workgroup name and choosing to use
221
encrypted passwords, are identical to our
222
<em class="filename">smb.conf</em> file from <a href="ch02.html">Chapter 2</a>.
223
However, things are now a little different: even though it still
224
reads "workgroup", we are actually
225
setting the name of the domain. For a workgroup, using encrypted
226
passwords is optional; when using a domain, they are required.</p>
228
<p>The next four lines set up our Samba PDC to handle browsing services.
229
The line <tt class="literal">domain</tt> <tt class="literal">master</tt>
230
<tt class="literal">=</tt> <tt class="literal">yes</tt> causes Samba to be the
231
domain master browser, which handles browsing services for the domain
232
across multiple subnets if necessary. Although it looks very similar,
233
<tt class="literal">local</tt> <tt class="literal">master</tt>
234
<tt class="literal">=</tt> <tt class="literal">yes</tt> does not cause Samba to
235
be the master browser on the subnet, but merely tells it to
236
participate in browser elections and allow itself to win. (These two
237
lines are yet more default settings that we include to be clear.) The
238
next two lines ensure that Samba wins the elections. Setting the
239
<tt class="literal">preferred</tt> <tt class="literal">master</tt> parameter
240
makes Samba force an election when it starts up. The
241
<tt class="literal">os</tt> <tt class="literal">level</tt> parameter is set
242
higher than that of any other system, which results in Samba winning
243
that election. (At the time of this writing, an <tt class="literal">os</tt>
244
level of 65 was sufficient to win over all versions of
245
Windows—but make sure no other Samba server is set higher!) We
246
make sure Samba is both the <a name="INDEX-21"/><a name="INDEX-22"/>domain and local master browser
247
because Windows NT/2000 PDCs always reserve the domain master browser
248
role for themselves and because Windows clients require things to be
249
that way to find the primary domain controller. It is possible to
250
allow another computer on the network to win the role of local master
251
browser, but having the same server act as both domain and local
252
masters is simpler and more efficient.</p>
254
<p>The next two lines in the <tt class="literal">[global]</tt> section set up
255
Samba to handle the actual domain logons. We set
256
<tt class="literal">security</tt> <tt class="literal">=</tt>
257
<tt class="literal">user</tt> so that Samba will require a username and
258
password. This is actually the same as in the workgroup setup we
259
covered in <a href="ch01.html">Chapter 1</a> and <a href="ch02.html">Chapter 2</a> because it is the default. The only
260
reason we're including it explicitly is to avoid
261
confusion: another valid setting is <tt class="literal">security</tt>
262
<tt class="literal">=</tt> <tt class="literal">domain</tt>, but that is for
263
having another (Windows or Samba) domain controller handle the logons
264
and should never be found in the <em class="filename">smb.conf</em> of a
265
Samba PDC. The next line, <tt class="literal">domain</tt>
266
<tt class="literal">logons</tt> <tt class="literal">=</tt>
267
<tt class="literal">yes</tt>, is what tells Samba we want this server to
268
handle domain logons.</p>
270
<p>Defining a logon path is necessary for supporting
271
<a name="INDEX-23"/><a name="INDEX-24"/>roaming profiles for
272
Windows NT/2000/XP clients. The UNC
273
<tt class="literal">\\%L\profiles\%u</tt> refers to a share held on the
274
Samba server where the profiles are kept. The variables
275
<tt class="literal">%L</tt> and <tt class="literal">%u</tt> are replaced by Samba
276
with the name of the server and the username of the logged on user,
277
respectively. The section in <em class="filename">smb.conf</em> defining
278
the <tt class="literal">[profiles]</tt> share contains the definition of
279
exactly where the profiles are kept on the server.
280
We'll get back to this topic a bit later in this
283
<p>The <tt class="literal">logon</tt> <tt class="literal">script</tt>
284
<tt class="literal">=</tt> <tt class="literal">logon.bat</tt> line specifies the
285
name of an MS-DOS batch file that will be executed when the client
286
logs on to the domain. The path specified here is relative to the
287
<tt class="literal">[netlogon]</tt> share that is defined later in the
288
<em class="filename">smb.conf</em> file.</p>
290
<p>The settings of <tt class="literal">logon</tt> <tt class="literal">drive</tt> and
291
<tt class="literal">logon</tt> <tt class="literal">home</tt> have a couple of
292
purposes. Setting <tt class="literal">logon</tt> <tt class="literal">drive</tt>
293
<tt class="literal">=</tt> <tt class="literal">H</tt>: allows the home directory
294
of the user to be connected to drive letter H on the client. The
295
<tt class="literal">logon</tt> <tt class="literal">home</tt> parameter is set to
296
the location of the home directory on the server, and again,
297
<tt class="literal">%u</tt> is replaced at runtime by the logged on
298
user's username. The home directory is used to store
299
roaming profiles for Windows 95/98/Me clients. These parameters tie
300
into the <tt class="literal">[homes]</tt> share that we are adding, as we
301
will explain a bit later.</p>
303
<p>Setting <tt class="literal">time</tt> <tt class="literal">server</tt>
304
<tt class="literal">=</tt> <tt class="literal">yes</tt> causes Samba to advertise
305
itself as a <a name="INDEX-25"/>time service for the network. This is
308
<p>The <tt class="literal">domain</tt> <tt class="literal">admin</tt>
309
<tt class="literal">group</tt> parameter exists as a short-term measure in
310
Samba 2.2 to give Samba a list of users who have administrative
311
privileges in the domain. The list should contain any Samba users who
312
log on from Windows NT/2000/XP systems and are members of the
313
Administrators or Domain Admins groups, if roaming profiles are to
316
<p>The last parameter to add to the <tt class="literal">[global]</tt> section
317
is <tt class="literal">add</tt> <tt class="literal">user</tt>
318
<tt class="literal">script</tt>, and you will need it only if one or more
319
of your clients is a Windows NT/2000/XP system. We will tell you more
320
about this in <a href="ch04.html#samba2-CHP-4-SECT-2">Section 4.2</a> later in this chapter.</p>
322
<p>The rest of the additions to <em class="filename">smb.conf</em> are the
323
definitions for three <a name="INDEX-26"/><a name="INDEX-27"/>shares. The
324
<tt class="literal">[netlogon]</tt><a name="INDEX-28"/> share is necessary for Samba to
325
handle domain logons because Windows clients need to connect to it
326
during the logon process and will fail if the share does not exist.
327
Other than that, the only function of <tt class="literal">[netlogon]</tt>
328
is to be a repository for logon scripts and system-policy files,
329
which we shall cover in detail later in this chapter. The path to a
330
directory on the Samba server is given, and because the clients only
331
read logon scripts and system-policy files from the share, the
332
<tt class="literal">writable</tt> <tt class="literal">=</tt>
333
<tt class="literal">no</tt> definition is used to make the share read-only.
334
Users do not need to see the share, so we set
335
<tt class="literal">browsable</tt> <tt class="literal">=</tt>
336
<tt class="literal">no</tt> to make the share invisible.</p>
338
<p>The <tt class="literal">[profiles]</tt><a name="INDEX-29"/> share is needed for use with
339
Windows NT/2000/XP roaming profiles. The path points to a directory
340
on the Samba server where the profiles are kept, and in this case,
341
the clients must be able to read and write the profile data. The
342
<tt class="literal">create</tt> <tt class="literal">mask</tt> (read and write
343
permitted for the owner only) and <tt class="literal">directory</tt>
344
<tt class="literal">mask</tt> (read, write, and search permitted for the
345
owner only) are set up such that a user's profile
346
data can be read and written only by the user and not accessed or
347
modified by anyone else.</p>
349
<p>The <tt class="literal">[homes]</tt><a name="INDEX-30"/> share is necessary for our
350
definitions of <tt class="literal">logon</tt> <tt class="literal">drive</tt> and
351
<tt class="literal">logon</tt> <tt class="literal">home</tt> to work. Samba uses
352
the <tt class="literal">[homes]</tt> share to add the home directory of the
353
user (found in <em class="filename">/etc/passwd</em> ) as a share. Instead
354
of appearing as "homes", the share
355
will be accessible on the client through a folder having the same
356
name as the user's username. We will cover this
357
topic in more detail in <a href="ch09.html">Chapter 9</a>.</p>
359
<p>At this point, you might want to run
360
<em class="filename">testparm</em><a name="INDEX-31"/> to check your
361
<em class="filename">smb.conf</em> file. <a name="INDEX-32"/><a name="INDEX-33"/></p>
367
<div class="sect2"><a name="samba2-CHP-4-SECT-1.2"/>
369
<h3 class="head2">Creating Directories on the Samba Server</h3>
371
<p><a name="INDEX-34"/><a name="INDEX-35"/>The
372
<tt class="literal">[netlogon]</tt> and <tt class="literal">[profiles]</tt>
373
shares defined in our new <em class="filename">smb.conf</em> file
374
reference directories on the Samba server, and it is necessary to
375
create those directories with the proper permissions:</p>
377
<blockquote><pre class="code"># <tt class="userinput"><b>mkdir /usr/local/samba/lib/netlogon</b></tt>
378
# <tt class="userinput"><b>chmod 775 /usr/local/samba/lib/netlogon</b></tt>
379
# <tt class="userinput"><b>mkdir /home/samba-ntprof</b></tt>
380
# <tt class="userinput"><b>chmod 777 /home/samba-ntprof</b></tt></pre></blockquote>
382
<p>The directory names we use are just examples. You are free to choose
389
<div class="sect2"><a name="samba2-CHP-4-SECT-1.3"/>
391
<h3 class="head2">Restarting the Samba Server</h3>
393
<p><a name="INDEX-36"/>At this
394
point, the only thing left to do is restart the Samba server, and the
395
changes will be put into effect:</p>
397
<blockquote><pre class="code"># <tt class="userinput"><b>/etc/rc.d/init.d/smb restart</b></tt></pre></blockquote>
399
<p>(or use whatever method works on your system, as discussed in <a href="ch02.html">Chapter 2</a>.) The server is now ready to accept domain
400
logons. <a name="INDEX-37"/></p>
410
<div class="sect1"><a name="samba2-CHP-4-SECT-2"/>
412
<h2 class="head1">Adding Computer Accounts</h2>
414
<p>To interact in a domain, a Windows NT/2000/XP system must be a member
415
of the domain. <a name="INDEX-38"/>Domain membership is implemented
416
using <em class="firstterm">computer
417
accounts,</em><a name="INDEX-39"/><a name="INDEX-40"/> which are similar to user
418
accounts and allow a domain controller to keep information with which
419
to authenticate computers on the network. That is, the domain
420
controller must be able to tell if requests that arrive from a
421
computer are coming from a computer that it
422
"knows" as being part of the
423
domain. Each Windows NT/2000/XP system in the domain has a computer
424
account in the domain controllers' database, which
425
on a Windows NT/2000 hosted domain is the <a name="INDEX-41"/>SAM
426
database. Although Samba uses a different method (involving the
427
<em class="filename">smbpasswd</em><a name="INDEX-42"/> file), it also treats computer accounts
428
similarly to user accounts.</p>
430
<p>To create a computer account, an administrator configures a Windows
431
NT/2000/XP system to be part of the domain. For Samba 2.2, the
432
"<a name="INDEX-43"/><a name="INDEX-44"/>domain
433
administrator" is the <a name="INDEX-45"/><a name="INDEX-46"/>root account on the Samba
434
server, and you will need to run the command:</p>
436
<blockquote><pre class="code"># <tt class="userinput"><b>smbpasswd -a root</b></tt></pre></blockquote>
438
<p>to add the root user to Samba's password database.
439
In this case, do not provide <em class="filename">smbpasswd</em> with the
440
same password as the actual root account on the server. Create a
441
different password to be used solely for creating computer accounts.
442
This will reduce the possibility of compromising the root password.</p>
444
<p>When the computer account is created, two things must happen on the
445
Samba server. An entry is added to the <em class="filename">smbpasswd</em>
446
file, with a "username" that is the
447
NetBIOS name of the computer with a dollar sign
448
(<tt class="literal">$</tt>) appended to it. This part is handled by the
449
<em class="emphasis">smbpasswd</em> command, and you do not need to
450
perform any additional action to implement it.</p>
452
<p>With Samba 2.2, an entry is also required in the
453
<em class="filename">/etc/passwd</em> file<a name="FNPTR-2"/><a href="#FOOTNOTE-2">[2]</a> to give the computer account a
454
user ID (UID) on the Samba server.</p>
456
<p>This account will never be used to
457
log in to the Unix system, so it should not be given a valid home
458
directory or login shell. To make this part work, you must set the
459
<tt class="literal">add</tt> <tt class="literal">user</tt>
460
<tt class="literal">script</tt> parameter in your Samba configuration file,
461
using a command that adds the entry in the proper manner. On our Red
462
Hat Linux system, we set <tt class="literal">add</tt>
463
<tt class="literal">user</tt> <tt class="literal">script</tt> to:</p>
465
<blockquote><pre class="code">/usr/sbin/useradd -d /dev/null -g 100 -s /bin/false -M %u</pre></blockquote>
467
<p>This command adds an entry in <em class="filename">/etc/passwd</em>
468
similar to the following:</p>
470
<blockquote><pre class="code">aztec$:x:505:100::/dev/null:/bin/false</pre></blockquote>
472
<p>Again, notice that the username ends in a dollar sign. The user
473
account shown has a "home
474
directory" of <em class="filename">/dev/null</em>, a
475
group ID (GID) of 100, and a "login
476
shell" of <em class="filename">/bin/false</em>. The
477
<em class="emphasis">-M</em> flag in our <em class="emphasis">useradd</em>
478
command prevents it from creating the home directory. Samba replaces
479
the <tt class="literal">%u</tt> variable in the
480
<em class="emphasis">useradd</em> command with the NetBIOS name of the
481
computer, including the trailing dollar sign. The basic idea here is
482
to create an entry with a valid username and UID. These are the only
483
parts that Samba uses. It is important that the UID be unique, not
484
also used for other accounts—especially ones that are
485
associated with Samba users.</p>
487
<p>If you are using some other variety of Unix, you will need to replace
488
our <em class="emphasis">useradd</em> command with a command that performs
489
the same function on your system. If a command such as
490
<em class="emphasis">useradd</em> does not come with your system, you can
491
write a shell script yourself that performs the same function. In any
492
case, the command should add a password hash that does not correspond
493
to any valid password. For example, in the<em class="filename">
494
/etc/shadow</em> file of our Linux server, we find the
495
following two lines:</p>
497
<blockquote><pre class="code">jay:%1%zQ7j7ok8$D/IubyRAY5ovM3bTrpUCn1:11566:0:99999:7:::
498
zapotec$:!!:11625:0:99999:7:::</pre></blockquote>
500
<p>The first line is for <tt class="literal">jay</tt>'s user
501
account. The second field is the password hash—the long string
502
between the first and second colons. The second line is for the
503
computer account of <tt class="literal">zapotec</tt>, a domain member
504
server. Its "username" ends with a
505
dollar sign (<tt class="literal">$</tt>), and the second field in this case
506
has been set to "!!", which is an
507
arbitrary string not produced from any password. Therefore, there is
508
no valid password for this account on the Linux host. Just about any
509
ASCII string can be used instead of
510
"!!". For example, you could use
511
"DISABLED" instead.</p>
513
<a name="samba2-CHP-4-NOTE-104"/><blockquote class="note"><h4 class="objtitle">TIP</h4>
514
<p>It is possible to <a name="INDEX-47"/><a name="INDEX-48"/><a name="INDEX-49"/><a name="INDEX-50"/>create the entries for
515
<em class="filename">/etc/passwd</em> and <em class="filename">smbpasswd</em>
516
manually; however, we suggest this method be used very carefully, and
517
only for initial testing, or as a last resort. The reason for this is
518
to maintain security. After the computer account has been created on
519
the server, the next Windows NT/2000/XP system on the network with a
520
matching NetBIOS name to log on to the domain will be associated with
521
this account. This allows crackers a window of opportunity to take
522
over computer accounts for their own purposes.</p>
530
<div class="sect1"><a name="samba2-CHP-4-SECT-3"/>
532
<h2 class="head1">Configuring Windows Clients for Domain Logons</h2>
534
<p><a name="INDEX-51"/>The client-side configuration for Windows
535
clients is really simple. All you have to do is switch from workgroup
536
to domain networking by enabling domain logons, and in the case of
537
Windows NT/2000/XP, also provide the root password you gave
538
<em class="filename">smbpasswd</em> for creating computer accounts. This
539
results in the Windows NT/2000/XP system becoming a member of the
543
<div class="sect2"><a name="samba2-CHP-4-SECT-3.1"/>
545
<h3 class="head2">Windows 95/98/Me</h3>
547
<p><a name="INDEX-52"/><a name="INDEX-53"/>To
548
enable domain logons with Windows 95/98/Me, open the Control Panel
549
and double-click the Network icon. Then click Client for Microsoft
550
Networks, and click the Properties button. At this point, you should
551
see a dialog box similar to <a href="ch04.html#samba2-CHP-4-FIG-1">Figure 4-1</a>. Select the
552
Logon to Windows Domain checkbox at the top of the dialog box, and
553
enter the name of the domain as you have defined it with the
554
<tt class="literal">workgroup</tt> parameter in the Samba configuration
555
file. Then click OK, and reboot the machine when asked.</p>
557
<div class="figure"><a name="samba2-CHP-4-FIG-1"/><img src="figs/sam2_0401.gif"/></div><h4 class="head4">Figure 4-1. Configuring a Windows 95/98 client for domain logons</h4>
558
<a name="samba2-CHP-4-NOTE-105"/><blockquote class="note"><h4 class="objtitle">WARNING</h4>
559
<p>If <a name="INDEX-54"/>Windows complains that you are already
560
logged into the domain, you probably have an active connection to a
561
share in the workgroup (such as a mapped network drive). Simply
562
disconnect the resource temporarily by right-clicking its icon and
563
choosing the Disconnect pop-up menu item.</p>
566
<p>When Windows reboots, you should see the standard logon dialog with
567
an addition: a field for a domain. The domain name should already be
568
filled in, so simply enter your password and click the OK button. At
569
this point, Windows should consult the primary domain controller
570
(Samba) to see if the password is correct. (You can check the log
571
files if you want to see this in action.) If it worked,
572
congratulations! You have properly configured Samba to act as a
573
domain controller for Windows 95/98/Me machines, and your client is
574
successfully connected.</p>
580
<div class="sect2"><a name="samba2-CHP-4-SECT-3.2"/>
582
<h3 class="head2">User-Level Security for Windows 95/98/Me</h3>
584
<p><a name="INDEX-55"/><a name="INDEX-56"/><a name="INDEX-57"/>Now that you have a primary domain
585
controller to authenticate users, you can implement much better
586
security for shares that reside on Windows 95/98/Me
587
systems.<a name="FNPTR-3"/><a href="#FOOTNOTE-3">[3]</a> To enable this functionality, open the
588
Control Panel, double-click the Network icon, and click the Access
589
Control tab in the dialog box. The window should now look like <a href="ch04.html#samba2-CHP-4-FIG-2">Figure 4-2</a>.</p>
591
<div class="figure"><a name="samba2-CHP-4-FIG-2"/><img src="figs/sam2_0402.gif"/></div><h4 class="head4">Figure 4-2. Setting user-level access control</h4>
593
<p>Click the User-level access control radio button, and type in the
594
name of your domain in the text area. Click the OK button. If you get
595
the dialog box shown in <a href="ch04.html#samba2-CHP-4-FIG-3">Figure 4-3</a>, it means that
596
shares are already on the system.</p>
598
<div class="figure"><a name="samba2-CHP-4-FIG-3"/><img src="figs/sam2_0403.gif"/></div><h4 class="head4">Figure 4-3. Error dialog while changing to user-level access control</h4>
600
<p>In that case, you might want to cancel the operation and make a
601
record of each of the computer's shares, making it
easier to re-create them, and then redo this part. (To get a list of
shares, open an MS-DOS prompt window and run the
<tt class="literal">net</tt> <tt class="literal">view</tt>
<tt class="literal">\\</tt><em class="replaceable">computer_name</em>
command.) Otherwise, you will get a message asking you to reboot to
put the change in configuration into effect.</p>

<p>After rebooting, you can create shares with user-level access
control. To do this, right-click the folder you wish to share, and
select Sharing.... This will bring up the Shared Properties dialog
box, shown in <a href="ch04.html#samba2-CHP-4-FIG-4">Figure 4-4</a>.</p>

<div class="figure"><a name="samba2-CHP-4-FIG-4"/><img src="figs/sam2_0404.gif"/></div><h4 class="head4">Figure 4-4. The Shared Properties dialog</h4>

<p>Click the Shared As: radio button, and give the share a name and
comment. Then click the Add... button, and you will see the Add Users
dialog box, shown in <a href="ch04.html#samba2-CHP-4-FIG-5">Figure 4-5</a>.</p>

<div class="figure"><a name="samba2-CHP-4-FIG-5"/><img src="figs/sam2_0405.gif"/></div><h4 class="head4">Figure 4-5. The Add Users dialog</h4>

<p>What has happened is that Windows has contacted the primary domain
controller (in this case, Samba) and requested a list of domain users
and groups. You can now select a user or group and add it to one or
more of the three lists on the righthand side of the window—for
Read Only, Full Access, or Custom Control—by clicking the
buttons in the middle of the window. When you are done, click the OK
button. If you added any users or groups to the Custom Control list,
you will be presented with the Change Access Rights dialog box, shown
in <a href="ch04.html#samba2-CHP-4-FIG-6">Figure 4-6</a>, in which you can specify the rights
you wish to allow. Then click the OK button to close the dialog box.</p>

<div class="figure"><a name="samba2-CHP-4-FIG-6"/><img src="figs/sam2_0406.gif"/></div><h4 class="head4">Figure 4-6. The Change Access Rights dialog</h4>

<p>You are now returned to the Shared Properties dialog box, where you
will see the Name: and Access Rights: columns filled in with the
permissions that you just created. Click the OK button to finalize
the process. Remember, you will have to perform these actions on any
folders that you had previously shared using share-level security.
<a name="INDEX-58"/><a name="INDEX-59"/></p>
646
<div class="sect2"><a name="samba2-CHP-4-SECT-3.3"/>

<h3 class="head2">Windows NT 4.0</h3>

<p><a name="INDEX-60"/><a name="INDEX-61"/>To
configure Windows NT for domain logons, log in to the computer as
Administrator or another user in the Administrators group, open the
Control Panel, and double-click the Network icon. If it
isn't already selected, click on the Identification tab.</p>

<p>Click the Change... button, and you should see the dialog box shown
in <a href="ch04.html#samba2-CHP-4-FIG-7">Figure 4-7</a>. In this dialog box, you can choose
to have the Windows NT client become a member of the domain by
selecting Domain: in the Member of box. Then type
in the name of the domain to which you wish the client to log on; it
must be the same as the one you specified with the
<tt class="literal">workgroup</tt> parameter in the Samba configuration
file. Check the box marked Create a Computer Account in the
Domain, and fill in "root" for the
text area labeled User Name:. In the Password: text area, fill in the
password you gave <em class="emphasis">smbpasswd</em> for the root
account when you set it up for creating computer accounts. This
password lives in Samba's <em class="filename">smbpasswd</em> file and
need not be the same as the Unix root password.</p>

<div class="figure"><a name="samba2-CHP-4-FIG-7"/><img src="figs/sam2_0407.gif"/></div><h4 class="head4">Figure 4-7. Configuring a Windows NT client for domain logons</h4>
<a name="samba2-CHP-4-NOTE-106"/><blockquote class="note"><h4 class="objtitle">WARNING</h4>
<p>If Windows complains that you are already logged in, you probably
have an active connection to a share in the workgroup (such as a
mapped network drive). Disconnect the resource temporarily by
right-clicking its icon and choosing the Disconnect pop-up menu item.</p>
</blockquote>

<p>After you press the OK button, Windows should present you with a
small dialog box welcoming you to the domain. Click the Close button
in the Network dialog box, and reboot the computer as requested. When
the system comes up again, the machine will automatically present you
with a logon screen similar to the one for Windows 95/98/Me clients,
except that the domain text area has a drop-down menu so that you can
opt to log on to either the local system or the domain. Make sure
your domain is selected, and log on to the domain using any
Samba-enabled user account on the Samba server.</p>
<a name="samba2-CHP-4-NOTE-107"/><blockquote class="note"><h4 class="objtitle">WARNING</h4>
<p>Be sure to select the correct domain in the Windows NT logon dialog
box. When you open the drop-down menu, it might take a moment for
Windows NT to build the list of available domains.</p>
</blockquote>

<p>After you enter the password, Windows NT should consult the primary
domain controller (Samba) to see if the password is correct. Again,
you can check the log files if you want to see this in action. If it
worked, you have successfully configured Samba to act as a domain
controller for Windows NT machines. <a name="INDEX-62"/><a name="INDEX-63"/></p>
703
<div class="sect2"><a name="samba2-CHP-4-SECT-3.4"/>

<h3 class="head2">Windows 2000</h3>

<p><a name="INDEX-64"/><a name="INDEX-65"/>To
configure Windows 2000 for domain logons, log in to the computer as
Administrator or another user in the Administrators group, open the
Control Panel, and double-click the System icon to open the System
Properties dialog box. Click the Network Identification tab, and then
click the Properties button. You should now see the Identification
Changes dialog box shown in <a href="ch04.html#samba2-CHP-4-FIG-8">Figure 4-8</a>.</p>

<div class="figure"><a name="samba2-CHP-4-FIG-8"/><img src="figs/sam2_0408.gif"/></div><h4 class="head4">Figure 4-8. The Identification Changes dialog</h4>

<p>Click the radio button labeled
"Domain:" and fill in the name of
your domain in the text-entry area. Then click the OK button. This
will bring up the Domain Username and Password dialog box. Enter
"root" for the username. For the
password, use the password that you gave to
<em class="emphasis">smbpasswd</em> for the root account.</p>
<a name="samba2-CHP-4-NOTE-108"/><blockquote class="note"><h4 class="objtitle">WARNING</h4>
<p>If Windows complains that you are already logged in, you probably
have an active connection to a share in the workgroup (such as a
mapped network drive). Disconnect the resource temporarily by
right-clicking its icon and choosing the Disconnect pop-up menu item.</p>
</blockquote>

<p>After you press the OK button, Windows should present you with a
small dialog box welcoming you to the domain. When you click the OK
button in this dialog box, you will be told that you need to reboot
the computer. Click the OK button in the System Properties dialog
box, and reboot the computer as requested. When the system comes up
again, the machine will automatically present you with a Log On to
Windows dialog box similar to the one shown in <a href="ch04.html#samba2-CHP-4-FIG-9">Figure 4-9</a>.</p>

<div class="figure"><a name="samba2-CHP-4-FIG-9"/><img src="figs/sam2_0409.gif"/></div><h4 class="head4">Figure 4-9. The Windows 2000 logon window</h4>

<p>If you do not see the Log on to: drop-down menu, click the Options
<< button and it will appear. Select your domain, rather than
the local computer, from the menu.</p>
<a name="samba2-CHP-4-NOTE-109"/><blockquote class="note"><h4 class="objtitle">WARNING</h4>
<p>Be sure to select the correct domain in the logon dialog box. When
you open the drop-down menu, it might take a moment for Windows to
build the list of available domains.</p>
</blockquote>

<p>Enter the username and password of any Samba-enabled user in the User
name: and Password: fields, and either press the Enter key or click
the OK button. If it worked, your Windows session will start up with
no error dialogs. <a name="INDEX-66"/><a name="INDEX-67"/></p>
759
<div class="sect2"><a name="samba2-CHP-4-SECT-3.5"/>

<h3 class="head2">Windows XP Home</h3>

<p><a name="INDEX-68"/>You have our
condolences if you are trying to use the Home edition of Windows XP
in a domain environment! Microsoft has omitted support for Windows NT
domains from Windows XP Home, resulting in a product that is
ill-suited for use in a domain-based network.</p>

<p>On the client side, Windows XP Home users cannot log on to a Windows
NT domain. Although it is still possible to access domain resources,
a username and password must be supplied each time the user connects
to a resource, rather than the "single
signon" of a domain logon. Domain features such as
logon scripts and roaming profiles are not supported.</p>

<p>As a server, Windows XP Home cannot join a Windows NT domain as a
domain member server. It can serve files and printers, but only using
share-mode ("workgroup") security.
It can't even use user-mode security, as Windows</p>

<p>Considering these limitations, we do not recommend Windows XP Home
for any kind of local area network computing.</p>
789
<div class="sect2"><a name="samba2-CHP-4-SECT-3.6"/>

<h3 class="head2">Windows XP Professional</h3>

<p><a name="INDEX-69"/><a name="INDEX-70"/>To configure Windows XP
Professional for domain logons, log in to the computer as
Administrator or another user in the Administrators group, open the
Control Panel in Classic View, and double-click the System icon to
open the System Properties dialog box. Click the Computer Name tab
and then click the Change... button. You should now see the Computer
Name Changes dialog box shown in <a href="ch04.html#samba2-CHP-4-FIG-10">Figure 4-10</a>.</p>

<div class="figure"><a name="samba2-CHP-4-FIG-10"/><img src="figs/sam2_0410.gif"/></div><h4 class="head4">Figure 4-10. The Computer Name Changes dialog</h4>

<p>Click the radio button labeled
"Domain:", and fill in the name of
your domain in the text-entry area. Then click the OK button. This
will bring up the Domain Username and Password dialog box. Enter
"root" for the username. For the
password, use the password that you gave to
<em class="emphasis">smbpasswd</em> for the root account.</p>
<a name="samba2-CHP-4-NOTE-110"/><blockquote class="note"><h4 class="objtitle">WARNING</h4>
<p>If Windows complains that you are already logged in, you probably
have an active connection to a share in the workgroup (such as a
mapped network drive). Disconnect the resource temporarily by
right-clicking its icon and choosing the Disconnect pop-up menu item.</p>
</blockquote>

<p>After you press the OK button, Windows should present you with a
small dialog box welcoming you to the domain. When you click the OK
button in this dialog box, you will be told that you need to reboot
the computer to put the changes into effect. Click the OK buttons in
the dialog boxes to close them, and reboot the computer as requested.
When the system comes up again, the machine will automatically
present you with a Log On to Windows dialog box similar to the one
shown in <a href="ch04.html#samba2-CHP-4-FIG-11">Figure 4-11</a>.</p>

<div class="figure"><a name="samba2-CHP-4-FIG-11"/><img src="figs/sam2_0411.gif"/></div><h4 class="head4">Figure 4-11. The Windows XP logon window</h4>

<p>If you get a dialog box at this point that tells you the domain
controller cannot be found, the solution is to change a registry
setting as follows.</p>

<p>Open the Start Menu and click the Run... menu item. In the text area
in the dialog box that opens, type in
"regedit" and click the OK button
to start the Registry Editor. You will be editing the registry, so
follow the rest of the directions very carefully. Click the
"<tt class="literal">+</tt>" button next
to the HKEY_LOCAL_MACHINE folder, and in the contents that open up,
click the "<tt class="literal">+</tt>"
button next to the SYSTEM folder. Continue in the same manner to open
CurrentControlSet, then Services, then Netlogon. (You will have to
scroll down many times to find Netlogon in the list of services.)
Then click the Parameters folder, and you will see items appear in
the right side of the window. Double-click
"requiresignorseal", and a dialog
box will open. In the Value data: text area, change the value to
"0" (zero), and click the OK
button, which modifies the registry both in memory and on disk. Now
close the Registry Editor and log off and back on again.</p>

<p>Understand what this setting does before you change it. With
<tt class="literal">requiresignorseal</tt> set to 1, Windows XP refuses to
use its Netlogon secure channel to a domain controller unless the
channel is signed or sealed. Samba 2.2 does not implement
secure-channel signing and sealing, so the client concludes that no
usable domain controller exists; setting the value to 0 lets it fall
back to an unprotected channel. This lowers the client's protection
against a machine posing as its domain controller, so make the change
only on clients that must log on to a Samba 2.2 PDC, and restore the
default if you later move to a domain controller that supports
signing and sealing.</p>

<p>If you do not see the Log on to: drop-down menu, click the Options
<< button and it will appear. Select your domain from the menu,
rather than the local computer.</p>
<a name="samba2-CHP-4-NOTE-111"/><blockquote class="note"><h4 class="objtitle">WARNING</h4>
<p>Be sure to select the correct domain in the logon dialog box. When
you open the drop-down menu, it might take a moment for Windows to
build the list of available domains.</p>
</blockquote>

<p>Enter the username and password of any Samba-enabled user in the User
name: and Password: fields, and either press the Enter key or click
the OK button. If it worked, your Windows session will start up with
no error dialogs. <a name="INDEX-71"/> <a name="INDEX-72"/><a name="INDEX-73"/></p>
874
<div class="sect1"><a name="samba2-CHP-4-SECT-4"/>

<h2 class="head1">Logon Scripts</h2>

<p><a name="INDEX-74"/>After a Windows client connects with a
domain controller (either to authenticate a user, in the case of
Windows 95/98/Me, or to log on to the domain, in the case of Windows
NT/2000/XP), the client downloads an MS-DOS batch file to run. The
domain controller supplies the file assuming one has been made
available for it. This batch file is the logon script and is useful
in setting up an initial environment for the user.</p>

<p>In a Unix environment, the ability to run such a script might lead to
a very complex initialization and deep customization. However, the
Windows environment is mainly oriented to the GUI, and the
command-line functions are more limited. Most commonly, the logon
script is used to run a <em class="emphasis">net</em> command, such as
<em class="emphasis">net use</em><a name="INDEX-75"/>, to connect a network drive letter,</p>

<blockquote><pre class="code">net use T: \\toltec\test</pre></blockquote>

<p>This command will make our <tt class="literal">[test]</tt> share (from
<a href="ch02.html">Chapter 2</a>) show up as the T: drive in My Computer.
This will happen automatically, and T: will be available to the user
at the beginning of her session, instead of requiring her to run the
<em class="emphasis">net use</em> command or connect the T: drive using
the Map Network Drive function of Windows Explorer.</p>

<p>Another useful command is:</p>

<blockquote><pre class="code">net use H: /home</pre></blockquote>

<p>which <a name="INDEX-76"/><a name="INDEX-77"/>connects the
user's home directory to a drive letter (which can
be H:, as shown here, or some other letter, as defined by
<tt class="literal">logon</tt> <tt class="literal">drive</tt>). For this to work,
you must have a <tt class="literal">[homes]</tt> share defined in your
<em class="filename">smb.conf</em> file.</p>

<p>If you are using <a name="INDEX-78"/><a name="INDEX-79"/>roaming profiles, you should definitely</p>

<a name="INDEX-80"/><blockquote><pre class="code">net time \\<em class="replaceable">toltec</em> /set /yes</pre></blockquote>

<p>in your logon script. (As usual, replace
"toltec" with the name of your
Samba PDC.) This will make sure the clocks of the Windows clients are
synchronized with the PDC, which is important for roaming profiles to</p>
926
<div class="sect2"><a name="samba2-CHP-4-SECT-4.1"/>

<h3 class="head2">Creating a Logon Script</h3>

<p><a name="INDEX-81"/>In our
<em class="filename">smb.conf</em> file, we have the line:</p>

<a name="INDEX-82"/><blockquote><pre class="code">logon script = logon.bat</pre></blockquote>

<p>This defines the location and name of the logon script batch file on
the Samba server. The path is relative to the
<tt class="literal">[netlogon]</tt><a name="INDEX-83"/> share, defined later in the</p>

<blockquote><pre class="code">[netlogon]
path = /usr/local/samba/lib/netlogon
writable = no
browsable = no</pre></blockquote>

<p>With this example, the logon script is
<em class="filename">/usr/local/samba/lib/netlogon/logon.bat</em>. We
include the directives <tt class="literal">writable</tt>
<tt class="literal">=</tt> <tt class="literal">no</tt>, to make sure network
clients cannot change anything in the <tt class="literal">[netlogon]</tt>
share, and also <tt class="literal">browsable</tt> <tt class="literal">=</tt>
<tt class="literal">no</tt>, which keeps them from even seeing the share
when they browse the contents of the server. Nothing in
<tt class="literal">[netlogon]</tt> should ever be modified by
nonadministrative users: every client in the domain runs whatever it
finds there at logon, so anyone who can write to the share can run
commands of their choosing on every user's session. For the same
reason, <tt class="literal">writable = no</tt> alone is not enough; the
permissions on the directory for
<tt class="literal">[netlogon]</tt> should also be set appropriately (no write
permissions for "group" or "other" users), as
we showed you earlier in this chapter.</p>

<p>Notice also that the extension of our logon script is
<em class="filename">.bat</em><a name="INDEX-84"/>. Be careful about this—an extension
of <em class="filename">.cmd</em><a name="INDEX-85"/> will work for Windows NT/2000/XP clients,
but will result in errors for Windows 95/98/Me clients, which do not
recognize <em class="filename">.cmd</em> as an extension for batch files.</p>
965
<p>Because the logon script will be executed on a Windows system, it
must be in MS-DOS text-file format, with the end of line composed of
a carriage return followed by a linefeed. The Unix convention is a
newline, which is simply a linefeed character, so if you use a Unix
text editor to create your logon script, you must somehow make it use
the appropriate characters. With
<em class="emphasis">vim</em><a name="INDEX-86"/><a name="INDEX-87"/> (a clone of the <em class="emphasis">vi</em>
editor that is distributed with Red Hat Linux), the method is to
create a new file and use the command:</p>

<blockquote><pre class="code">:se ff=dos</pre></blockquote>

<p>to set the file format to MS-DOS style before typing in any text.
With <em class="emphasis">emacs</em><a name="INDEX-88"/>, the same can be done using the command:</p>

<blockquote><pre class="code">^X <em class="replaceable">Enter</em> f dos <em class="replaceable">Enter</em></pre></blockquote>

<p>where <tt class="literal">^X</tt> is a Control-X character and
<tt class="literal">Enter</tt> is a press of the Enter key. Another method
is to create a Unix-format file in any text editor and then convert
it to MS-DOS format using the
<em class="emphasis">unix2dos</em><a name="INDEX-89"/> program:</p>

<blockquote><pre class="code">$ <tt class="userinput"><b>unix2dos &lt;unix_file &gt;logon.bat</b></tt></pre></blockquote>

<p>(Some versions of <em class="emphasis">unix2dos</em> convert a file named
on the command line in place; reading from standard input, as shown,
behaves the same everywhere.) If your system does not have
<em class="emphasis">unix2dos</em>,
don't worry. You can implement it yourself with the
following two-line Perl script, which reads its standard input or the
files named on its command line:</p>

<blockquote><pre class="code">#!/usr/bin/perl
while (&lt;&gt;) { s/\r?$/\r/; print }</pre></blockquote>

<p>The <tt class="literal">\r?</tt> makes the conversion safe to repeat: a line
that already ends in a carriage return keeps a single one instead of
collecting another on each pass. Or, you can use Notepad on a Windows
system to write your script and
then drag the logon script over to a folder on the Samba server. In
any case, you can <a name="INDEX-90"/>check the format of your script using
the <em class="emphasis">od</em><a name="INDEX-91"/> command, like this:</p>

<blockquote><pre class="code">$ <tt class="userinput"><b>od -c logon.bat</b></tt></pre></blockquote>

<p>You should see output resembling this:</p>

<blockquote><pre class="code">0000000   n   e   t       u   s   e       T   :       \   \   t   o   l
0000020   t   e   c   \   t   e   s   t  \r  \n
0000032</pre></blockquote>

<p>The important detail here is that at the end of each line is a
<tt class="literal">\r</tt> <tt class="literal">\n</tt>, which is a carriage
return followed by a linefeed. (Recent versions of the
<em class="emphasis">file</em> command also report "with CRLF line
terminators" for such a file.)</p>
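<p>The two rules above, that nothing in <tt class="literal">[netlogon]</tt> may be writable by ordinary users and that every batch file must end its lines with a carriage return and linefeed, are easy to state and easy to break silently. The following Python script is an added example, not code from this book or from the Samba project: it audits a netlogon directory tree for group- or world-writable entries, for entries not owned by the administrator, for symbolic links that lead outside the share, for <em class="filename">.cmd</em> files that Windows 95/98/Me cannot run, and for batch files with bare linefeed endings. The directory layout, the expected owner (uid 0 unless told otherwise) and the sample tree that <tt class="literal">demo()</tt> builds under a temporary directory are assumptions made for the demonstration.</p>

```python
"""Audit a Samba [netlogon] directory tree.

Added example for this chapter; it is not code from the book or from the
Samba project. It checks the properties the text asks for: nothing under
[netlogon] is writable by anyone but the administrator, no symlink leads
outside the share, batch files use CR-LF line endings, and nothing relies
on the .cmd extension that Windows 95/98/Me cannot run. The sample tree
built by demo() is constructed for the demonstration.
"""
import os
import stat
import tempfile

WRITE_BY_OTHERS = stat.S_IWGRP | stat.S_IWOTH


def to_crlf(data: bytes) -> bytes:
    """Normalize line endings to CR-LF. Idempotent: input that already
    uses CR-LF comes back unchanged instead of gaining a stray CR."""
    return data.replace(b"\r\n", b"\n").replace(b"\n", b"\r\n")


def _check_perms(rel, st, owner_uid, findings):
    if st.st_uid != owner_uid:
        findings.append((rel, "not owned by the administrator"))
    if st.st_mode & WRITE_BY_OTHERS:
        findings.append((rel, "writable by group or others"))


def audit_netlogon(root: str, owner_uid: int = 0) -> list:
    """Return sorted (path relative to root, problem) tuples; empty is clean."""
    root = os.path.realpath(root)
    findings = []
    _check_perms(".", os.lstat(root), owner_uid, findings)
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            st = os.lstat(path)  # judge the link itself, not its target
            if stat.S_ISLNK(st.st_mode):
                if not os.path.realpath(path).startswith(root + os.sep):
                    findings.append((rel, "symlink escapes share"))
                continue
            _check_perms(rel, st, owner_uid, findings)
            if not stat.S_ISREG(st.st_mode):
                continue
            lower = name.lower()
            if lower.endswith(".cmd"):
                findings.append((rel, ".cmd is not a batch file on Windows 95/98/Me"))
            if lower.endswith((".bat", ".cmd")):
                with open(path, "rb") as f:
                    data = f.read()
                if data != to_crlf(data):
                    findings.append((rel, "line endings are not CR-LF"))
    return sorted(findings)


def _write(root, rel, data, mode):
    path = os.path.join(root, rel)
    with open(path, "wb") as f:
        f.write(data)
    os.chmod(path, mode)  # explicit mode: do not rely on the umask


def demo() -> list:
    """Build a constructed sample tree with one of each problem and audit it."""
    root = tempfile.mkdtemp(prefix="netlogon-")
    os.chmod(root, 0o755)
    _write(root, "logon.bat",
           b"net use T: \\\\toltec\\test\r\nnet time \\\\toltec /set /yes\r\n", 0o644)
    os.mkdir(os.path.join(root, "alice"))
    os.chmod(os.path.join(root, "alice"), 0o755)
    _write(root, os.path.join("alice", "logon.bat"), b"net use H: /home\n", 0o644)  # bare LF
    _write(root, "setup.cmd", b"echo hello\r\n", 0o666)  # world-writable, and .cmd
    os.symlink("/etc/passwd", os.path.join(root, "oops.bat"))  # points out of the share
    return audit_netlogon(root, owner_uid=os.getuid())


if __name__ == "__main__":
    for rel, problem in demo():
        print("%-20s %s" % (rel, problem))
```

<p>On a real server, run <tt class="literal">audit_netlogon("/usr/local/samba/lib/netlogon")</tt> as root and treat any finding as a blocker before the share goes live. The script deliberately looks at the link with <tt class="literal">lstat</tt> rather than at whatever it points to, because a symlink out of the share is exactly the kind of entry a permission check on the target would miss.</p>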
1015
<p>Our example logon script, containing a single <em class="emphasis">net
use</em> command, was created and set up in a way that allows
it to be run successfully on any Windows client, regardless of which
Windows version is installed on the client and which user is
authenticating or logging on to the domain. But what if we need to
have different users, computers, or Windows versions running
different logon scripts?</p>

<p>One method is to use variables inside the <a name="INDEX-92"/>logon script that cause commands to be
conditionally executed. For details on how to do this, you can
consult a reference on batch-file programming for MS-DOS and Windows
NT command language. One such reference is <em class="citetitle">Windows NT
System Administration</em>, published by</p>

<p>Windows batch-command language is very limited in functionality.
Fortunately, Samba also supports a means by which customization can
<em class="filename">smb.conf</em><a name="INDEX-93"/><a name="INDEX-94"/> file contains variables that can be
used to insert (at runtime) the name of the server
(<tt class="literal">%L</tt><a name="INDEX-95"/>), the username of the person who is
accessing the server's resources
(<tt class="literal">%u</tt><a name="INDEX-96"/>), or the computer name of the client
system (<tt class="literal">%m</tt><a name="INDEX-97"/>). To give an example, if we set up the
path to the logon script as:</p>

<blockquote><pre class="code">logon script = %u/logon.bat</pre></blockquote>

<p>we would then put a directory for each user in the
<tt class="literal">[netlogon]</tt> share, with each directory named the
same as the user's username, and in each directory
we would put a customized <em class="filename">logon.bat</em> file. Then
each user would have his own custom logon script. We will give you a
better example of how to do this kind of thing in the next section,
<a href="ch04.html#samba2-CHP-4-SECT-5">Section 4.5</a>.</p>
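<p>As an added example (not from the book or from the Samba project), the following Python script generates the per-user layout just described: one <em class="filename">logon.bat</em> per user in a directory named after that user, written with CR-LF endings and left read-only for clients. It validates each username before building a path from it, so a malformed entry in the administrator's own table can never create a directory outside the share. The usernames, the commands and the temporary target directory are constructed for the demonstration.</p>

```python
"""Generate per-user logon scripts for 'logon script = %u/logon.bat'.

Added example for this chapter; it is not code from the book or from the
Samba project. It lays out <netlogon>/<user>/logon.bat for each user,
with CR-LF endings and modes that leave the tree read-only for clients.
The usernames, commands and target directory are constructed for the demo.
"""
import os
import re
import tempfile

# Assumption: Unix-style usernames. Samba substitutes the authenticated
# Unix username for %u, but a generator driven by its own table should
# still refuse anything that could name a path outside the share
# (no slashes, no leading dot, bounded length).
USERNAME = re.compile(r"^[A-Za-z_][A-Za-z0-9_.-]{0,31}$")


def valid_username(user: str) -> bool:
    return USERNAME.match(user) is not None


def to_crlf(text: str) -> bytes:
    """CR-LF endings for the Windows batch interpreter; idempotent."""
    return text.replace("\r\n", "\n").replace("\n", "\r\n").encode("ascii")


def write_user_logon_scripts(root: str, scripts: dict) -> dict:
    """Write one logon.bat per user under root; return {user: path}."""
    written = {}
    for user, commands in scripts.items():
        if not valid_username(user):
            raise ValueError("refusing to create a script directory for %r" % user)
        user_dir = os.path.join(root, user)
        os.makedirs(user_dir, exist_ok=True)
        os.chmod(user_dir, 0o755)  # clients may list and read, never write
        path = os.path.join(user_dir, "logon.bat")
        with open(path, "wb") as f:
            f.write(to_crlf("\n".join(commands) + "\n"))
        os.chmod(path, 0o644)
        written[user] = path
    return written


def demo() -> dict:
    """Constructed sample: two users; return {user: bytes written}."""
    root = tempfile.mkdtemp(prefix="netlogon-")
    scripts = {
        "alice": ["net time \\\\toltec /set /yes",
                  "net use H: /home",
                  "net use T: \\\\toltec\\test"],
        "bob": ["net time \\\\toltec /set /yes",
                "net use H: /home"],
    }
    paths = write_user_logon_scripts(root, scripts)
    out = {}
    for user, path in paths.items():
        with open(path, "rb") as f:
            out[user] = f.read()
    return out


if __name__ == "__main__":
    for user, data in demo().items():
        print(user, data)
```

<p>Point the generator at the real <tt class="literal">[netlogon]</tt> path as root and it produces exactly the tree that <tt class="literal">logon script = %u/logon.bat</tt> expects; a user with no entry simply gets no script, which Samba treats as "none available" rather than as an error.</p>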
1051
<a name="samba2-CHP-4-NOTE-112"/><blockquote class="note"><h4 class="objtitle">TIP</h4>
<p>For more information on Samba configuration file variables, such as
the <tt class="literal">%L</tt>, <tt class="literal">%u</tt>, and
<tt class="literal">%m</tt> variables we just used, see <a href="ch06.html">Chapter 6</a> and <a href="appb.html">Appendix B</a>.</p>
</blockquote>

<p>When modifying and testing your logon script, don't
just log off of your Windows session and log back on to make your
script run. Instead, restart (reboot) your system before logging back
on. Because Windows often keeps the <tt class="literal">[netlogon]</tt>
share open across logon sessions, the reboot ensures that Windows and
Samba have completely released and reconnected the
<tt class="literal">[netlogon]</tt> share, and the new version of the logon
script is being run while logging on.</p>

<p>More information regarding <a name="INDEX-98"/>logon scripts can be found in the
O'Reilly book, <em class="emphasis">Managing Windows NT
Logons</em>. <a name="INDEX-99"/> <a name="INDEX-100"/><a name="INDEX-101"/></p>
1078
<div class="sect1"><a name="samba2-CHP-4-SECT-5"/>

<h2 class="head1">Roaming Profiles</h2>

<p><a name="INDEX-102"/>One benefit of the centralized
authentication of Windows NT domains is that a user
<a name="INDEX-103"/>can log on from more than just one
computer. To help users feel more "at
home" when logged on at a computer other than their
usual one, Microsoft has added the ability for
users' personal settings to
"roam" from one computer to</p>

<p>All Windows versions can be configured individually for each user of
the computer. Windows NT/2000/XP supports the ability to handle
multiple user accounts, and Windows 95/98/Me can be configured for
use by multiple users, keeping the configuration settings for each
user separate. Each user can configure the
computer's settings to her liking, and the system
saves these settings as the user's
<em class="firstterm">profile</em>, such that upon logging on to the
system, the user is presented with her familiar desktop.</p>

<p>Some of the settings, such as folder options or the image used for
the desktop background, are held in the registry. Others, including
the documents and folders appearing on the desktop and the contents
of the Start menu, are stored as folders and files in the filesystem.</p>

<p>When the profile is stored on the local system, it is called a
<em class="firstterm">local profile</em><a name="INDEX-104"/>. On Windows NT, local profiles are
stored in <em class="filename">C:\winnt\profiles</em>. On Windows 2000/XP,
they can be found in <em class="filename">C:\Documents and Settings</em>.
On Windows 95/98/Me, when configured for a single user
(the default case), the local profile is scattered in places such as
the registry and directories such as
<em class="filename">C:\Windows\Desktop</em> and
<em class="filename">C:\Windows\Start Menu</em>. When Windows 95/98/Me is
configured for multiple users, the local profile of the preexisting
user is moved to a folder in <em class="filename">C:\Windows\Profiles</em>
that has the same name as the user, and any users that are
subsequently added to the computer have their local profiles created
in that directory as well. You can browse through the local profiles
to see their structure—each has a <a name="INDEX-105"/><a name="INDEX-106"/><a name="INDEX-107"/><a name="INDEX-108"/><a name="INDEX-109"/>registry file
(<em class="filename">USER.DAT</em><a name="INDEX-110"/><a name="INDEX-111"/> for Windows 95/98/Me and
<em class="filename">NTUSER.DAT</em><a name="INDEX-112"/><a name="INDEX-113"/> for Windows NT/2000/XP) and some folders
that contain shortcuts and documents.</p>

<p>A roaming profile is a user profile that is stored on a server and
"follows" its owner around the
network so that when the user logs on to the domain from another
computer, his profile is downloaded from the server and his familiar
desktop appears on that computer as well.</p>
<a name="samba2-CHP-4-NOTE-113"/><blockquote class="note"><h4 class="objtitle">WARNING</h4>
<p><a name="INDEX-114"/>Samba can
support roaming profiles, and it is a fairly simple matter to
configure it for them. However, this is one feature that we recommend
you <em class="emphasis">do not</em> use, at least until you are sure you
understand roaming profiles well and are very confident that you can
implement them with no harm incurred. If you want to (or are required
to) implement roaming profiles for your Windows clients, we suggest
you first set up a small domain with a Samba server and a few Windows
clients exclusively for the purposes of research and testing.
<em class="emphasis">Under no circumstances should you attempt to implement
roaming profiles in a careless or frivolous manner</em>.</p>
</blockquote>
1146
<div class="sect2"><a name="samba2-CHP-4-SECT-5.1"/>

<h3 class="head2">How Roaming Profiles Work</h3>

<p><a name="INDEX-115"/>We will start out by explaining to you
how roaming profiles work when set up correctly. You will need a
clear understanding of them to tell the difference between when they
are working as they are designed and when they are not. In addition,
roaming profiles can be a source of confusion for your users in many
ways, and you should know how to detect when a problem with a client
is related to roaming profile function or dysfunction.</p>

<a name="samba2-CHP-4-NOTE-114"/><blockquote class="note"><h4 class="objtitle">TIP</h4>
<p><a name="INDEX-116"/>A definitive source of
documentation on Windows NT roaming profiles is the Microsoft white
paper <em class="citetitle">Implementing Policies and Profiles for Windows NT
4.0</em><a name="INDEX-117"/>, which can be found at
<a href="http://www.microsoft.com/ntserver/techresources/management/prof_policies.asp">http://www.microsoft.com/ntserver/techresources/management/prof_policies.asp</a>.</p>
</blockquote>

<p>During the domain logon process, the roaming profile is copied from
the domain controller and used as a local profile during the
user's logon session. When the user logs off the
domain, the local profile is copied back to the domain controller and
stored as the new roaming profile. When the local profile is changed,
the server does not receive an update until the user logs off the
domain or shuts down or reboots the client. The client does not send
an update to the server during the logon session, and a client does
not receive an update of a setting changed on another client during a
logon session. When the user does log off, changes in the
configuration settings in the local profile are sent to the server,
and the updates of the roaming profile are available for the next</p>

<p>This simple behavior can lead to unexpected results when users are
<a name="INDEX-118"/>logged on to the domain
on more than one client at a time. If a user makes a change to the
configuration settings on one client and then logs off, the settings
can result in the roaming profile being modified accordingly. But the
next client that logs off might cause those changes to be
overwritten, and if so, the settings from the first client will be
lost. The behavior of different Windows versions varies with regard
to this, and we've seen a wide variety of
behaviors—not always in alignment with
Microsoft's documentation or even working the same
way on separate occasions. Sometimes Windows will refuse to overwrite
a profile, perhaps giving an "access
denied" error, and at other times it will seem to
work while producing odd side effects. A common source of confusion
is what happens if a file is added to or deleted from the desktop,
which is by default configured to be part of the profile. A deleted
file might later reappear, and it is even possible for a file to
irrecoverably disappear without warning (on Windows 95/98). Or maybe
a file that is added to the desktop on one client never gets added to
the roaming profile and fails to propagate to other clients. This
behavior is somewhat improved on Windows 2000/XP, which attempts to
merge items into the profile that are added on concurrently logged-on</p>

<p>One factor that comes into play is that Windows compares the
<a name="INDEX-119"/>timestamps of the local and roaming
profiles and can refuse to overwrite a roaming profile if it is newer
than the local profile on the client, or vice versa. For this reason,
it is important to keep the clocks of the Windows clients and the
Samba PDC synchronized. We have already shown you how to do this,
using the <em class="emphasis">net time
\\</em><em class="replaceable">server</em>
<em class="emphasis">/set</em> <em class="emphasis">/yes</em> command in the</p>

<p><a name="INDEX-120"/>Even when the server and clients are
correctly configured, a number of things that can happen make things
seem "broken." The most common
occurrence is that some shortcuts on clients other than the one that
created the roaming profile will not work. These shortcuts can exist
on the desktop or as items in the Start menu. This behavior is a
result of applications or files that exist on one computer but not
others. Windows will display these shortcuts, but if they appear on
the desktop, they will have a generic icon and will bring up an error
message if a user double-clicks them.</p>

<a name="samba2-CHP-4-NOTE-115"/><blockquote class="note"><h4 class="objtitle">TIP</h4>
<p>Because profiles can and usually do include the contents of the
desktop and other folders, it is possible for the roaming profile to
grow to a huge size due to actions of a user, such as creating new
files on the desktop or copying files there. By default, Internet
Explorer keeps its disk cache in the <em class="filename">Temporary Internet
Files</em><a name="INDEX-121"/><a name="INDEX-122"/> folder in the profile and has been
known to populate this directory with thousands of files. This can
result in a huge roaming profile that causes network congestion and
very large delays while users are logging on to the domain. (A fix
for this can be found in article Q185255 in the Microsoft Knowledge</p>
</blockquote>

<p>One behavior we've seen a few times is that if, for
some reason (e.g., a network error or misconfiguration), the roaming
profile is not available during the logon process, Windows will use
the local profile on the client instead. When this happens, the user
might receive an unfamiliar profile, and all the benefits of roaming
profiles are lost for that logon session.</p>
1252
<div class="sect2"><a name="samba2-CHP-4-SECT-5.2"/>
<h3 class="head2">Configuring Samba for Roaming Profiles</h3>
<p><a name="INDEX-123"/><a name="INDEX-124"/>In an ideal world, different Windows
versions would share the same roaming profile, allowing users to log
on to the domain from any Windows client system, ranging from Windows
95 to Windows XP, and enjoy their familiar settings. It would even be
possible to be logged on concurrently from multiple clients, and a
change made to the profile on any of them would quickly propagate to
all the others. Settings in a roaming profile made on a client that
didn't apply to another would be handled sanely.</p>
<p>Unfortunately, this scenario does not work in reality, and it is
important to maintain separate roaming profiles to prevent different
Windows versions from using or modifying a roaming profile created
by, and/or in use by, another version.</p>
1270
<p>We do this by using configuration file variables to point to
different profile directories. If you look at <a href="appb.html#samba2-APP-B-TABLE-1">Table B-1</a> in <a href="appb.html#samba2-APP-B">Appendix B</a>, which shows
the variables that can be used, you might be tempted to use the
<a name="INDEX-125"/><tt class="literal">%a</tt> variable, which
is replaced by the name of the operating system the client is
running. However, this does not work because all of Windows 95/98/Me
will be seen as the same operating system, and likewise for Windows
2000/XP. So, we use <a name="INDEX-126"/><tt class="literal">%m</tt> to get the
NetBIOS name of the client, and combine that with a symbolic link to
point to the directory containing the profile for the Windows version
that particular client is running.</p>
<p>Our additions to <em class="filename">smb.conf</em> that appeared earlier
in this chapter included the two lines:</p>
<blockquote><pre class="code">logon path = \\%L\profiles\%u\%m
logon home = \\%L\%u\.win_profile\%m</pre></blockquote>
<p>The first line specifies where the roaming profiles for Windows
NT/2000/XP clients are kept, and the second line performs the same
function for Windows 95/98/Me clients. In both cases, the location is
specified as a UNC, but
<tt class="literal">logon</tt><a name="INDEX-127"/> <tt class="literal">path</tt> (for Windows
NT/2000/XP) is specified relative to the
<tt class="literal">[profiles]</tt> share, while
<tt class="literal">logon</tt><a name="INDEX-128"/> <tt class="literal">home</tt> (for Windows
95/98/Me) is specified relative to the user's home
directory. This is done to comply with Samba's
emulation of Windows NT/2000 PDC behavior.</p>
1300
<p>The <tt class="literal">logon</tt> <tt class="literal">home</tt> UNC must begin
by specifying the user's home directory, which in
our previous example would be <tt class="literal">\\%L\%u</tt>. The
variable <tt class="literal">%L</tt><a name="INDEX-129"/> expands to the NetBIOS name of the
server (in this case, toltec), and
<tt class="literal">%u</tt><a name="INDEX-130"/> expands to the name of the user. This
must be done to allow the command:</p>
<a name="INDEX-131"/><blockquote><pre class="code">C:\><tt class="userinput"><b>net use h: /home</b></tt></pre></blockquote>
<p>to function correctly to connect the user's home
directory to drive letter H: on all Windows clients. (The drive
letter used for this purpose is defined by <tt class="literal">logon</tt>
<tt class="literal">drive</tt>.) We add the directory
<em class="filename">.win_profile</em><a name="INDEX-132"/> to the UNC to put the Windows
95/98/Me roaming profile in a subdirectory of the
user's home directory.</p>
1317
<a name="samba2-CHP-4-NOTE-116"/><blockquote class="note"><h4 class="objtitle">WARNING</h4>
<p>Note that in both <tt class="literal">logon path</tt> and <tt class="literal">logon
home</tt>, we absolutely avoid making the profile directory the
same as the user's home directory, and the directory
that contains the profile is not used for any other purpose. This is
because when the roaming profile is updated, all directories and
files in the roaming-profile directory that are not part of the
roaming profile are deleted.</p>
<p>In the <tt class="literal">logon</tt> <tt class="literal">path</tt> line in
<em class="filename">smb.conf</em>, we use <tt class="literal">%u</tt> to put
the profiles directory in a subdirectory in the
<tt class="literal">[profiles]</tt> share, such that each user gets her own
directory that holds her roaming profiles.</p>
<p>We define the <tt class="literal">[profiles]</tt> share like this:</p>
<blockquote><pre class="code">[profiles]
directory mask = 0700
path = /home/samba-ntprof</pre></blockquote>
<p>The first four parameters in the previous share definition specify to
allow roaming profiles to be written with the users'
permissions, to create files with read and write permissions for the
owner, and to create directories with read, write, and search
permissions for the owner and no access allowed for other users. As
with the <tt class="literal">[netlogon]</tt> share, we set
<tt class="literal">browsable</tt> <tt class="literal">=</tt>
<tt class="literal">no</tt> so that the share will not show up on the
clients in Windows Explorer.</p>
1352
<p>We've decided to put our Windows NT/2000/XP profiles
in <em class="filename">/home</em>, the default location of the home
directories on Linux. This will make it simple to include the roaming
profiles in backups of the home directories. You can use another
directory if you like.</p>
<p>Notice that in both <tt class="literal">logon</tt> <tt class="literal">path</tt>
and <tt class="literal">logon</tt> <tt class="literal">home</tt>, the directory
we specify ends in <tt class="literal">%m</tt>, which Samba replaces with
the NetBIOS name of the client. We are using the
client's computer name to identify indirectly which
version of Windows it is running.</p>
<p>Initially, the directories you specify to hold the roaming profiles
will be empty and will become populated as clients log off for the
first time. (Samba will even create the directories if they do not
already exist.) At first, the directories will simply contain
profiles that are identical to the clients' local
profiles, and we highly recommend that you make a backup at this
point before things get complicated. A listing of the roaming profile
directory for user <tt class="literal">iman</tt>, after she has logged off
from Windows 98 clients <tt class="literal">mixtec</tt> and
<tt class="literal">pueblo</tt> and Windows Me clients
<tt class="literal">huastec</tt> and <tt class="literal">navajo</tt>, might look
something like the following:</p>
1378
<blockquote><pre class="code">$ <tt class="userinput"><b>ls -l /home/iman/.win_profile</b></tt>
drwx------ 6 iman iman 4096 Dec 8 18:09 huastec
drwx------ 9 iman iman 4096 Dec 7 03:47 mixtec
drwx------ 11 iman iman 4096 Dec 7 03:05 navajo
drwx------ 11 iman iman 4096 Dec 7 03:05 pueblo</pre></blockquote>
<p>If things were left like this, the clients would not share their
roaming profiles, so next we change from using separate directories
to having symbolic links point to common directories:</p>
<blockquote><pre class="code"># <tt class="userinput"><b>mv mixtec Win98</b></tt>
# <tt class="userinput"><b>mv navajo WinMe</b></tt>
# <tt class="userinput"><b>rm -r huastec pueblo</b></tt>
# <tt class="userinput"><b>ln -s Win98 mixtec</b></tt>
# <tt class="userinput"><b>ln -s Win98 pueblo</b></tt>
# <tt class="userinput"><b>ln -s WinMe huastec</b></tt>
# <tt class="userinput"><b>ln -s WinMe navajo</b></tt>
# <tt class="userinput"><b>chown -h iman:iman *</b></tt>
# <tt class="userinput"><b>ls -l /home/iman/.win_profile</b></tt>
lrwxrwxrwx 1 iman iman 5 Nov 16 01:40 huastec -> WinMe
lrwxrwxrwx 1 iman iman 5 Nov 16 01:40 mixtec -> Win98
lrwxrwxrwx 1 iman iman 5 Nov 21 17:24 navajo -> WinMe
lrwxrwxrwx 1 iman iman 5 Nov 23 01:16 pueblo -> Win98
drwx------ 9 iman iman 4096 Dec 7 03:47 Win98
drwx------ 11 iman iman 4096 Dec 7 03:05 WinMe</pre></blockquote>
<p>Now when <tt class="literal">iman</tt> logs on to the domain from either
Windows 98 system, the client from which she is logging on will get
the profile stored in the <em class="filename">Win98</em> directory (that
started out as her local profile on <tt class="literal">mixtec</tt>). This
works likewise for the Windows Me clients.</p>
1410
<p>To show a more complete example, here is a listing of a fully
operational Windows 95/98/Me profiles directory:</p>
<a name="INDEX-133"/><blockquote><pre class="code">$ <tt class="userinput"><b>ls -l /home/jay/.win_profile</b></tt>
lrwxrwxrwx 1 jay jay 9 Nov 16 22:14 aztec -> /home/jay
lrwxrwxrwx 1 jay jay 5 Nov 16 01:40 hopi -> Win95
lrwxrwxrwx 1 jay jay 5 Nov 16 01:40 huastec -> WinMe
lrwxrwxrwx 1 jay jay 5 Nov 16 01:38 maya -> Win98
lrwxrwxrwx 1 jay jay 5 Nov 16 01:40 mixtec -> Win98
lrwxrwxrwx 1 jay jay 5 Nov 21 17:24 navajo -> WinMe
lrwxrwxrwx 1 jay jay 5 Nov 23 01:16 pueblo -> Win98
lrwxrwxrwx 1 jay jay 5 Nov 22 02:06 ute -> Win95
drwx------ 6 jay jay 4096 Dec 8 18:09 Win95
drwx------ 9 jay jay 4096 Dec 7 03:47 Win98
drwx------ 11 jay jay 4096 Dec 7 03:05 WinMe
lrwxrwxrwx 1 jay jay 5 Nov 21 22:48 yaqui -> Win98
lrwxrwxrwx 1 jay jay 9 Nov 16 22:14 zuni -> /home/jay</pre></blockquote>
<p>Again, the computer name of each client exists in this directory as a
symbolic link that points to the directory containing the actual
roaming profile. For example, <tt class="literal">maya</tt>, a client that
runs Windows 98, has a symbolic link named <em class="filename">maya</em>
to the <em class="filename">Win98</em> directory. A listing of
<em class="filename">Win98</em> shows:</p>
<blockquote><pre class="code">$ <tt class="userinput"><b>ls -l Win98</b></tt>
drwxr-xr-x 3 jay jay 4096 Nov 23 01:30 Application Data
drwxr-xr-x 2 jay jay 4096 Nov 23 01:30 Cookies
drwxr-xr-x 3 jay jay 4096 Dec 7 03:47 Desktop
drwxr-xr-x 3 jay jay 4096 Nov 23 01:30 History
drwxr-xr-x 2 jay jay 4096 Nov 23 01:30 NetHood
drwxr-xr-x 2 jay jay 4096 Dec 7 03:47 Recent
drwxr-xr-x 3 jay jay 4096 Nov 23 01:30 Start Menu
-rw-r--r-- 1 jay jay 114720 Dec 7 03:46 USER.DAT</pre></blockquote>
<p>The contents of the <em class="filename">Win95</em> and
<em class="filename">WinMe</em> directories appear similar and contain
roaming profiles that work exactly as they should on their respective
operating systems.</p>
1452
<p>Notice in the previous listing that <em class="filename">aztec</em> and
<em class="filename">zuni</em> are symbolic links to
<em class="filename">/home/jay</em>. We've cautioned you
never to configure a roaming profile directory to be a
user's home directory, but this is to handle
something different. The clients <tt class="literal">aztec</tt> and
<tt class="literal">zuni</tt> are Windows XP systems, which handle
<tt class="literal">logon</tt> <tt class="literal">home</tt> differently than
other versions of Windows. We have set <tt class="literal">logon</tt>
<tt class="literal">home</tt> <tt class="literal">=</tt>
<tt class="literal">\\%L\%u\.win_profile</tt>, and all versions of Windows except for
Windows XP strip off everything after <tt class="literal">\\%L\%u</tt> and
correctly locate the home directory—in this case,
<em class="filename">/home/jay</em>. Windows XP uses the full UNC, so we
simply add a symbolic link to redirect it to the correct directory to
get the <em class="emphasis">net use H: /home</em> command to work as it
should. The roaming profiles for Windows XP systems are not affected
by this and are kept with the other roaming profiles in the Windows
NT/2000/XP family, as shown in this listing:</p>
1473
<blockquote><pre class="code">$ <tt class="userinput"><b>ls -l /home/samba-ntprof/jay</b></tt>
lrwxrwxrwx 1 jay jay 5 Nov 20 03:45 apache -> Win2K
lrwxrwxrwx 1 jay jay 5 Nov 13 12:35 aztec -> WinXP
lrwxrwxrwx 1 jay jay 5 Nov 13 12:34 dine -> WinNT
lrwxrwxrwx 1 jay jay 5 Nov 24 03:44 inca -> Win2K
lrwxrwxrwx 1 jay jay 5 Nov 13 12:34 pima -> Win2K
drwx------ 13 jay jay 4096 Dec 3 15:24 qero
drwx------ 13 jay jay 4096 Dec 1 20:31 Win2K
drwx------ 12 jay jay 4096 Nov 30 17:04 WinNT
drwx------ 13 jay jay 4096 Nov 20 01:23 WinXP
lrwxrwxrwx 1 jay jay 5 Nov 20 06:09 yavapai -> WinXP
lrwxrwxrwx 1 jay jay 5 Nov 13 12:34 zapotec -> Win2K
lrwxrwxrwx 1 jay jay 5 Nov 13 12:35 zuni -> WinXP</pre></blockquote>
<p>As you can see, we are using a similar method for the Windows
NT/2000/XP roaming profiles. In the listing,
<em class="filename">qero</em> is not a symbolic link, but rather a
directory that holds the roaming profile for <tt class="literal">qero</tt>,
a Windows 2000 client that has recently been added. We had not
created a symbolic link called <em class="filename">qero</em> before
installing Windows 2000, so when jay logged off for the first time,
Samba created a directory named <em class="filename">qero</em> and copied
the roaming profile received from the client to the new directory.
Because this is a separate directory from <em class="filename">Win2K</em>,
which all other Windows 2000 clients are using to share their roaming
profiles, the roaming profile for <tt class="literal">qero</tt> works like
a local profile, except that it is stored on the primary domain
1503
<p>This might seem like an odd thing to do, but it has some purpose.
Sometimes you might wish to isolate a client in this manner,
especially while the operating system is being installed and
initially configured. Remember, if that client, with its default
local profile, is logged off the domain, the local profile will be
written to the roaming profile directory. If the client were using
the shared roaming profile directory, the effect could be
undesirable, to say the least. Using our method, the
<em class="filename">qero</em> directory can later be renamed to make it
into an archival backup, or it can just be deleted. Then a new
symlink named <em class="filename">qero</em> can be created to point to
the <em class="filename">Win2K</em> directory, and <tt class="literal">qero</tt>
will share the roaming profile in <em class="filename">Win2K</em> with the
other Windows 2000 clients.</p>
<p>An alternative method is simply to create the
<a name="INDEX-134"/>symbolic
links before the clients are added to the network. After you become
more comfortable with the way roaming profiles work, you might find
this method to be simpler and quicker.</p>
<p>Again, we urge you to be careful about letting different versions of
Windows share the same roaming profile. The method of configuring
roaming profiles we've shown you here allows you to
test a configuration for a few clients at a time without affecting
your whole network of clients. For example, we could install a small
number of Windows 2000 and Windows XP systems in the domain for
testing purposes and then create symlinks for them that point to a
directory called <em class="filename">Win2KXP</em> to find out if sharing
roaming profiles between our Windows 2000 and Windows XP systems
meets our expectations. The <em class="filename">Win2KXP</em> directory
could be created as an empty directory, in which case it would have a
roaming profile written to it by the first of the clients to log off.
Or, <em class="filename">Win2KXP</em> could simply be a renamed roaming
profile directory that was created by one of the clients when it was
added to the domain. <a name="INDEX-135"/><a name="INDEX-136"/></p>
1544
<div class="sect2"><a name="samba2-CHP-4-SECT-5.3"/>
<h3 class="head2">Configuring Windows 95/98/Me for Roaming Profiles</h3>
<p><a name="INDEX-137"/><a name="INDEX-138"/>For roaming profiles to work on
Windows 95/98/Me clients, all you need to do is change one setting to
allow each user to have a separate local profile. This has the side
effect of enabling roaming profiles as well.</p>
<p>Open the Control Panel and double-click the Passwords icon to open
the Passwords Properties dialog box. Click the User Profiles tab, and
the dialog box will appear as shown in <a href="ch04.html#samba2-CHP-4-FIG-12">Figure 4-12</a>.</p>
<div class="figure"><a name="samba2-CHP-4-FIG-12"/><img src="figs/sam2_0412.gif"/></div><h4 class="head4">Figure 4-12. The Windows 98 Passwords Properties dialog</h4>
<p>Click the button labeled "Users can customize their
preferences and desktop settings." In the User
profile settings box, you can check the options you prefer. When
done, click the OK button and reboot as requested. During this first
reboot, Windows will copy the local profile data to
<em class="filename">C:\windows\profiles</em> but will not attempt to copy
the roaming profile from the server. The next time the system is shut
down, the local profile will be copied to the server, and when
Windows reboots, it will copy the roaming profile from the server.</p>
1573
<div class="sect2"><a name="samba2-CHP-4-SECT-5.4"/>
<h3 class="head2">Configuring Windows NT/2000/XP for Roaming Profiles</h3>
<p><a name="INDEX-139"/><a name="INDEX-140"/><a name="INDEX-141"/><a name="INDEX-142"/>Roaming profiles are enabled by
default on Windows NT/2000/XP. In case you would like to check or
modify your settings, follow these directions.</p>
<p>Make sure you are logged in to the local system as Administrator or
another user in the Administrators group. Open the Control Panel and
double-click the System icon. On Windows NT/2000, click the User
Profiles tab, or on Windows XP, click the Advanced tab and then the
Settings button in the User Profiles box. You should see the dialog
box in <a href="ch04.html#samba2-CHP-4-FIG-13">Figure 4-13</a>.</p>
<div class="figure"><a name="samba2-CHP-4-FIG-13"/><img src="figs/sam2_0413.gif"/></div><h4 class="head4">Figure 4-13. The Windows 2000 System Properties, User Profiles tab</h4>
<p>Notice in the figure that there are two entries for the username
<tt class="literal">jay</tt>. The entry ZAPOTEC\jay refers to the account
on the local system, and METRAN\jay refers to the domain account.
Recall that when a user logs on, a drop-down menu in the dialog box
allows him to log on to a domain or log in to the local system. When
<tt class="literal">jay</tt> logs in to the local machine, only the local
profile is used. When logged on to the domain, the configuration
shown will use the roaming profile. To switch a
user's profile type for a domain logon account,
click the account name to select it, then click the Change Type...
button near the bottom of the dialog box. The Change Profile Type
dialog box will appear. Click the radio button for either roaming or
local profile, and then click the OK buttons for each dialog box.</p>
1608
<div class="sect2"><a name="samba2-CHP-4-SECT-5.5"/>
<h3 class="head2">Mandatory Profiles</h3>
<p><a name="INDEX-143"/>With a simple
modification, a <a name="INDEX-144"/>roaming profile can be made into a
<a name="INDEX-145"/>mandatory
profile, which has the quality of being unmodifiable by its owner.
Mandatory profiles are used in some computing environments to
simplify administration. The theory is that if users cannot modify
their profiles, less can go wrong, and it is also possible to use the
same standardized profile for all users.</p>
<p>In practice, some issues come up. Because the users can still modify
the configuration settings in their local profile during their logon
session, confusion can result the next time they log on to the domain
and discover their changes have been
"lost." If the user of a client
reinstalls an application in a different place, the shortcuts to the
program on the desktop, in the Start menu, or in a Quick Launch bar
cannot be permanently deleted. They will reappear every time the user
logs back on to the domain. Essentially, a mandatory profile is a
roaming profile that always fails to update to the server upon
<p>Another complication is that different versions of Windows behave
differently with mandatory profiles. If a user who has a mandatory
profile creates a new file on her desktop, the file might be missing
the next time the user logs off and on again or reboots. Some Windows
versions preserve desktop files in the local profile (even if the
file does not exist in the mandatory profile), whereas others do not.</p>
<p>To change a <a name="INDEX-146"/><a name="INDEX-147"/>roaming profile to a mandatory
profile, all you have to do is rename the
<em class="filename">.dat</em><a name="INDEX-148"/><a name="INDEX-149"/> file in the roaming profile directory
on the server to have a <em class="filename">.man</em> extension instead.
For a Windows 95/98/Me roaming profile, you would rename
<em class="filename">USER.DAT</em> to <em class="filename">USER.MAN</em>, and
for a Windows NT/2000/XP roaming profile, you would rename
<em class="filename">NTUSER.DAT</em> to <em class="filename">NTUSER.MAN</em>.
Also, you might want to make the roaming-profile directory and its
contents read-only, to make sure that a user can't
change it by logging into his Unix user account on the Samba host
1653
<p>If you want to have all your users share a mandatory profile, you can
change the definitions of <tt class="literal">logon</tt>
<tt class="literal">path</tt> and <tt class="literal">logon</tt>
<tt class="literal">home</tt> in your <em class="filename">smb.conf</em> file to
point to a shared mandatory profile on the server and adjust your
directory structure and symbolic links accordingly. For example,
<tt class="literal">logon</tt> <tt class="literal">path</tt> and
<tt class="literal">logon</tt> <tt class="literal">home</tt> might be defined
<blockquote><pre class="code">logon path = \\%L\profiles\%m
logon home = \\%L\%u\.win_profile\%m</pre></blockquote>
<p>Notice that we've removed the <tt class="literal">%u</tt>
part of the path for <tt class="literal">logon</tt>
<tt class="literal">path</tt>, and we would also change the directory
structure on the server to do away with the separation of the
profiles by username and have just one profile for each Windows
NT/2000/XP version.</p>
<p>We cannot use the same treatment for <tt class="literal">logon</tt>
<tt class="literal">home</tt> because it is also used to specify the home
directory. In this case, we would change the symbolic links in each
user's <em class="filename">.win_profile</em> directory
to point to a common mandatory profile directory containing the
mandatory profiles for each of Windows 95/98/Me. Again, check the
ownership and permissions on the files in the directory, and modify
them if necessary to make sure a user can't modify
any files by logging into her Unix account on the Samba host system.</p>
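<p>As an added example (not code from this book or from the Samba project), the following Python script builds a constructed copy of the <em class="filename">.win_profile</em> layout shown in the listings above in a temporary directory and audits it the way an administrator would before trusting it: each client name must be a symbolic link to one of the shared Windows-version directories (or to the home directory, the Windows XP case), each profile directory must be mode 0700 and owned by the user, and a <em class="filename">USER.MAN</em> rather than a <em class="filename">USER.DAT</em> marks the profile as mandatory. It also performs the rename-to-<em class="filename">.MAN</em> and read-only conversion described in this section; the function names, the extra client names it creates and the placeholder hive contents are assumptions, and it needs a POSIX system for symbolic links and ownership checks.</p>

```python
"""Audit a Samba roaming-profile tree laid out as in this chapter (added
example, not from the book or the Samba project).  Builds the .win_profile
layout from the listings above in a temp directory, audits it, makes one
shared profile mandatory and audits again.  POSIX only (symlinks, uids)."""
import os
import shutil
import stat
import tempfile
from pathlib import Path

HIVES = ("USER.DAT", "NTUSER.DAT")      # Windows 9x/Me and NT/2000/XP registry hives


def expand_logon_path(template, server, user, client):
    """Expand the smb.conf variables this chapter relies on: %L, %u and %m."""
    return template.replace("%L", server).replace("%u", user).replace("%m", client)


def audit_profile_dir(prof, home):
    """Return (report, problems).  report maps each entry to a status string:
    symlink -> 'shared:<dir>', 'home' (Windows XP case), 'escape' or 'dangling';
    directory -> '<roaming|mandatory|empty>:<clients>' ('isolated' if unlinked)."""
    prof_real, home_real = prof.resolve(), home.resolve()
    report, problems, clients_of = {}, [], {}
    for entry in sorted(prof.iterdir()):
        if not entry.is_symlink():
            continue
        target = entry.resolve()
        if not target.exists():
            report[entry.name] = "dangling"
            problems.append(f"{entry.name}: dangling symlink")
        elif target == home_real:
            report[entry.name] = "home"
        elif target.parent == prof_real and target.is_dir():
            report[entry.name] = f"shared:{target.name}"
            clients_of.setdefault(target.name, []).append(entry.name)
        else:   # Samba would write, and scrub, profile data outside the tree
            report[entry.name] = "escape"
            problems.append(f"{entry.name}: symlink leaves the profile tree ({target})")
    for entry in sorted(prof.iterdir()):
        if entry.is_symlink() or not entry.is_dir():
            continue
        st = entry.stat()
        mode = stat.S_IMODE(st.st_mode)
        if mode & 0o077 or st.st_uid != os.getuid():
            problems.append(f"{entry.name}: mode {mode:04o} uid {st.st_uid}, expected 0700 owned by uid {os.getuid()}")
        names = {p.name.upper() for p in entry.iterdir()}
        kind = ("mandatory" if names & {h[:-4] + ".MAN" for h in HIVES} else
                "roaming" if names & set(HIVES) else "empty")
        clients = ",".join(clients_of.get(entry.name, [])) or "isolated"
        report[entry.name] = f"{kind}:{clients}"
    return report, problems


def make_mandatory(profile_dir):
    """Rename the .DAT hive to .MAN as described above, then make the tree
    read-only so the owner cannot edit it through the Unix account either."""
    for hive in HIVES:
        src = profile_dir / hive
        if src.exists():
            src.rename(src.with_suffix(".MAN"))
            break
    else:
        raise FileNotFoundError(f"no registry hive found in {profile_dir}")
    for p in list(profile_dir.rglob("*")):
        p.chmod(0o400 if p.is_file() else 0o500)
    profile_dir.chmod(0o500)


def build_sample_layout(root):
    """Constructed data mirroring user iman's listing above, plus one
    too-permissive directory, one dangling link and one unlinked client."""
    prof = root / ".win_profile"
    prof.mkdir(mode=0o700)
    for version in ("Win95", "Win98", "WinMe"):
        (prof / version).mkdir(mode=0o700)
        (prof / version / "USER.DAT").write_bytes(b"hive placeholder")
    (prof / "Win95").chmod(0o755)                        # readable by everyone
    for client, target in (("mixtec", "Win98"), ("pueblo", "Win98"),
                           ("huastec", "WinMe"), ("navajo", "WinMe"),
                           ("hopi", "Win95"), ("ute", "Win3x")):  # Win3x missing
        (prof / client).symlink_to(target)
    (prof / "aztec").symlink_to(root)                    # Windows XP logon home
    (prof / "qero").mkdir(mode=0o700)                    # new client, no link yet
    (prof / "qero" / "USER.DAT").write_bytes(b"hive placeholder")
    return prof


def demo():
    """Build the sample tree, audit it, make Win98 mandatory, audit again."""
    root = Path(tempfile.mkdtemp(prefix="winprof-"))
    try:
        prof = build_sample_layout(root)
        before = audit_profile_dir(prof, root)
        make_mandatory(prof / "Win98")
        return before, audit_profile_dir(prof, root)
    finally:
        for p in root.rglob("*"):       # make the read-only tree deletable again
            if p.is_dir() and not p.is_symlink():
                p.chmod(0o700)
        shutil.rmtree(root)


if __name__ == "__main__":
    print(*demo(), sep="\n")
```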
1687
<div class="sect2"><a name="samba2-CHP-4-SECT-5.6"/>
<h3 class="head2">Logon Script and Roaming-Profile Options</h3>
<p><a href="ch04.html#samba2-CHP-4-TABLE-1">Table 4-1</a> summarizes the options commonly used in
association with Windows NT domain <a name="INDEX-150"/><a name="INDEX-151"/>logon
scripts and roaming profiles.</p>
1695
<a name="samba2-CHP-4-TABLE-1"/><h4 class="head4">Table 4-1. Logon-script options</h4><table border="1">
<tr><th><p>Option</p></th><th><p>Parameters</p></th><th><p>Function</p></th><th><p>Default</p></th></tr>
<tr><td><p><tt class="literal">logon</tt> <tt class="literal">script</tt></p></td>
<td><p>string (MS-DOS path)</p></td>
<td><p>Name of logon script batch file</p></td>
<td><p></p></td></tr>
<tr><td><p><tt class="literal">logon</tt> <tt class="literal">path</tt></p></td>
<td><p>string (UNC server and share name)</p></td>
<td><p>Location of roaming profile</p></td>
<td><p><tt class="literal">\\%N\%U\profile</tt></p></td></tr>
<tr><td><p><tt class="literal">logon</tt> <tt class="literal">drive</tt></p></td>
<td><p>string (drive letter)</p></td>
<td><p>Specifies the logon drive for a home directory</p></td>
<td><p><tt class="literal">Z</tt>:</p></td></tr>
<tr><td><p><tt class="literal">logon</tt> <tt class="literal">home</tt></p></td>
<td><p>string (UNC server and share name)</p></td>
<td><p>Specifies a location for home directories for clients logging on to</p></td>
<td><p><tt class="literal">\\%N\%U</tt></p></td></tr>
</table>
1794
<div class="sect3"><a name="samba2-CHP-4-SECT-5.6.1"/>
<a name="INDEX-152"/><h3 class="head3">logon script</h3>
<p>This option specifies a Windows batch file that will be executed on
the client after a user has logged on to the domain. Each logon
script should be stored in the root directory of the
<tt class="literal">[netlogon]</tt> share or a subdirectory. This option
frequently uses the <tt class="literal">%U</tt> or <tt class="literal">%m</tt>
variables (user or NetBIOS name) to point to an individual script.
<blockquote><pre class="code">[global]
logon script = %U.bat</pre></blockquote>
<p>will execute a script based on the username. If the user who is
connecting is <tt class="literal">fred</tt> and the path of the
<tt class="literal">[netlogon]</tt> share maps to the directory
<em class="filename">/export/samba/netlogon</em>, the script should be
<em class="filename">/export/samba/netlogon/fred.bat</em>. Because these
scripts are downloaded to the client and executed on the Windows
side, they must have MS-DOS-style newline characters rather than Unix
<div class="sect3"><a name="samba2-CHP-4-SECT-5.6.2"/>
<a name="INDEX-153"/><h3 class="head3">logon path</h3>
<p>This option specifies the location where roaming profiles are kept.
When the user logs on, a roaming profile will be downloaded from the
server to the client and used as the local profile during the logon
session. When the user logs off, the contents of the local profile
will be uploaded back to the server until the next time the user
<p>It is often more secure to create a separate share exclusively for
storing user profiles:</p>
<blockquote><pre class="code">[global]
logon path = \\hydra\profile\%U</pre></blockquote>
<p>For more information on this option, see <a href="ch04.html#samba2-CHP-4-SECT-5">Section 4.5</a> earlier in this chapter.</p>
1847
<div class="sect3"><a name="samba2-CHP-4-SECT-5.6.3"/>
<a name="INDEX-154"/><h3 class="head3">logon drive</h3>
<p>This option specifies the drive letter on a Windows NT/2000/XP client
to which the home directory specified with the
<tt class="literal">logon</tt> <tt class="literal">home</tt> option will be
mapped. Note that this option will work with Windows NT/2000/XP
clients only. For example:</p>
<blockquote><pre class="code">[global]
logon drive = I:</pre></blockquote>
<p>You should always use drive letters that will not conflict with fixed
drives on the client machine. The default is Z:, which is a good
choice because it is as far away from A:, C:, and D: as possible.</p>
<div class="sect3"><a name="samba2-CHP-4-SECT-5.6.4"/>
<a name="INDEX-155"/><h3 class="head3">logon home</h3>
<p>This option specifies the location of a user's home
directory for use by the MS-DOS <em class="emphasis">net</em> commands.
For example, to specify a home directory as a share on a Samba
server, use the following:</p>
<blockquote><pre class="code">[global]
logon home = \\hydra\%U</pre></blockquote>
<p>Note that this works nicely with the <tt class="literal">[homes]</tt>
service, although you can specify any directory you wish. Home
directories can be mapped with a logon script using the following
<a name="INDEX-156"/><blockquote><pre class="code">C:\><tt class="userinput"><b>net use i: /home </b></tt></pre></blockquote>
1899
<div class="sect1"><a name="samba2-CHP-4-SECT-6"/>
<h2 class="head1">System Policies</h2>
<p>A <a name="INDEX-157"/>system policy can be used in a Windows
NT domain as a remote administration tool for implementing a similar
computing environment on all clients and limiting the abilities of
users to change configuration settings on their systems or allowing
them to run only a limited set of programs. One application of system
policies is to use them along with mandatory profiles to implement a
collection of computers for public use, such as in a library, school,
or Internet cafe.</p>
<p>A system policy is a collection of registry settings that is stored
in a file on the PDC and is automatically downloaded to the clients
when users log on to the domain. The file containing the settings is
created on a Windows system using the <a name="INDEX-158"/>System Policy Editor. Because the format
of the registry is different between Windows 95/98/Me and Windows
NT/2000/XP, it is necessary to make sure that the file that is
created is in the proper format. This is a very simple matter because
when the System Policy Editor runs on Windows 95/98/Me, it will
create a file in the format for Windows 95/98/Me, and if it is run on
Windows NT/2000/XP, it will use the format needed by those versions.
After the policy file is created with the System Policy Editor, it is
stored on the primary domain controller and is automatically
downloaded by the clients during the logon process, and the policies
are applied to the client system.</p>
1927
<p>On Windows NT 4.0 Server, you can run the System Policy Editor by
logging in to the system as Administrator or another user in the
Administrators group, opening the Start menu, and selecting Programs,
then Administrative Tools, then System Policy Editor. On Windows 2000
Advanced Server, open the Start menu and click the Run... item. In the
dialog box that comes up, type in
<tt class="literal">C:\winnt\poledit.exe</tt>, and click the OK button.</p>
1935
<p>If you are using a Windows version other than NT Server or Windows
1936
2000 Advanced Server, you must install the System Policy Editor, and
1937
getting a copy of it can be a little tricky. If you are running
1938
Windows NT 4.0 Workstation or Windows 2000 Professional and have a
1939
Windows NT 4.0 Server installation CD-ROM, you can run the file
1940
<em class="filename">\Clients\Svrtools\Winnt\Setup.bat</em> from that CD
1941
to install the Client-based Network Administration Tools, which
1942
includes <em class="emphasis">poledit.exe</em>. Then open the Start menu,
1943
click Run..., type <tt class="literal">C:\winnt\system32\poledit.exe</tt>
1944
into the text area, and click the OK button.</p>
<p>If you are using Windows 95/98, insert a Windows 95 or Windows 98
distribution CD-ROM<a name="FNPTR-4"/><a href="#FOOTNOTE-4">[4]</a> into your CD-ROM drive,
then open the Control Panel and double-click the Add/Remove Programs</p>
<p>Click the Windows Setup tab, and then click the Have Disk...
button. In the new dialog box that appears, click the Browse...
button, then select the CD-ROM drive from the Drives drop-down menu.</p>
<p>If you are using a Windows 95 installation CD-ROM, double-click the
admin, then apptools, then poledit folder icons.</p>
<p>If you are using a Windows 98 installation CD-ROM, double-click the
tools, then reskit, then netadmin, then poledit folder icons.</p>
<p>You should see "<a name="INDEX-159"/>grouppol.inf" appear in
the File name: text area on the left of the dialog box. Click the OK
buttons in two dialog boxes, and you will be presented with a dialog
box in which you should select both the Group Policies and System
Policy Editor checkboxes. Then click the Install button. Close the
remaining dialog box, and you can now run the System Policy Editor by
opening the Start menu and selecting Programs, then Accessories, then
System Tools, then System Policy Editor. Or click the Run... item in
the Start Menu, and enter <tt class="literal">C:\Windows\Poledit</tt>.</p>
<p>When the System Policy Editor starts up, select New Policy from the
File menu, and you will see a window similar to that in <a href="ch04.html#samba2-CHP-4-FIG-14">Figure 4-14</a>.</p>
<div class="figure"><a name="samba2-CHP-4-FIG-14"/><img src="figs/sam2_0414.gif"/></div><h4 class="head4">Figure 4-14. The System Policy Editor window</h4>
<p>The next step is to make a selection from the File menu to add
policies for users, groups, and computers. For each item you add, you
will be asked for the username, or name of the group or computer, and
a new icon will appear in the window. Double-clicking one of the
icons will bring up the Properties dialog box, such as the one shown
in <a href="ch04.html#samba2-CHP-4-FIG-15">Figure 4-15</a>.</p>
<div class="figure"><a name="samba2-CHP-4-FIG-15"/><img src="figs/sam2_0415.gif"/></div><h4 class="head4">Figure 4-15. The Properties dialog of System Policy Editor</h4>
<p>The upper window in the dialog shows the registry settings that can
be modified as part of the system policy, and the lower window shows
descriptive information or more settings pertaining to the one
selected in the upper window. Notice in the figure that there are
three checkboxes and that they are all in different states:</p>
<dl>
<dt><b>Checked</b></dt>
<dd><p>Meaning that the registry setting is enabled in the policy</p></dd>
<dt><b>White (unchecked)</b></dt>
<dd><p>Which clears the registry setting</p></dd>
<dt><b>Gray</b></dt>
<dd><p>Which causes the registry setting on the client to be unmodified</p></dd>
</dl>
<p>Basically, if all the items are left gray (the default), the system
policy will have no effect. The registry of the logged-on client will
not be modified. However, if any of the items are either checked or
unchecked (white), the registry on the client will be modified to
enable the setting or clear it.</p>
<a name="samba2-CHP-4-NOTE-117"/><blockquote class="note"><h4 class="objtitle">WARNING</h4>
<p>In this section, we are giving you enough information on using the
System Policy Editor to get you started—or, should we say,
enough rope with which to hang yourself. Remember that a system
policy, once put into action, will be modifying the registries of all
clients who log on to the domain. The usual warnings about editing a
Windows registry apply here with even greater importance. Consider
how difficult (or even impossible) it will be for you to restore the
registries on all those clients if anything happens to go wrong.
<em class="emphasis">As with roaming profiles, casual or careless implementation
of system policies can easily lead to domain-wide</em></p></blockquote>
<p>Creating a good system policy file is a complex topic, which we
cannot cover in detail here. It would take a whole book, and yes,
there happens to be an O'Reilly book on the subject,
<em class="citetitle">Windows System Policy Editor</em>. Another
definitive source of documentation on Windows NT system policies and
the System Policy Editor is the Microsoft white paper
<em class="citetitle">Implementing Policies and Profiles for Windows NT
4.0</em>, which can be found at <a href="http://www.microsoft.com/ntserver/techresources/management/prof_policies.asp">http://www.microsoft.com/ntserver/techresources/management/prof_policies.asp</a>.</p>
<p>Once you have created a policy, click the OK button and use the Save
As... item from the File menu to save it. Use the filename
<em class="filename">config.pol</em><a name="INDEX-160"/> for a Windows 95/98 system policy and
<em class="filename">ntconfig.pol</em><a name="INDEX-161"/> for a policy that will be used on Windows
NT/2000/XP clients. Finally, copy the <em class="filename">.pol</em> file
to the directory used for the <tt class="literal">[netlogon]</tt> share on
the Samba PDC. The <em class="filename">config.pol</em> and
<em class="filename">ntconfig.pol</em> files must go in this
directory—unlike roaming profiles and logon scripts, there is
no way to specify the location of the system policy files in
<em class="filename">smb.conf</em>. If you want to have different system
policies for different users or computers, you must perform that part
of the configuration within the System Policy Editor.</p>
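<p>Because every client that logs on applies whatever <em class="filename">config.pol</em> or <em class="filename">ntconfig.pol</em> it finds in the <tt class="literal">[netlogon]</tt> directory, those files and the directory itself should be modifiable only by the administrator who placed them there. The following script is an added example, not code from the book or from the Samba project; it assumes the path of your <tt class="literal">[netlogon]</tt> directory is passed as its first argument, and checks that the policy files present are not writable by group or others, using only POSIX <em class="emphasis">sh</em>, <em class="emphasis">ls</em> and <em class="emphasis">cut</em>.</p>

```shell
#!/bin/sh
# check_netlogon_policy.sh (added example; the netlogon path is whatever
# directory your [netlogon] share is configured with, given as $1).
# Verifies that the system policy files clients download at logon exist
# and that neither they nor the directory can be modified by non-owners.

# Print the 10-character mode string (e.g. -rw-r--r--) of a path, portably.
mode_of() {
    ls -ld "$1" | cut -c1-10
}

# Return 0 if the path is writable only by its owner: no 'w' in position 6
# (group) or position 9 (other) of the mode string. Return 1 otherwise.
owner_only_write() {
    m=$(mode_of "$1")
    case "$m" in
        ?????w????|????????w?) return 1 ;;
    esac
    return 0
}

# Check one [netlogon] directory. Prints one line per problem found and
# returns the number of problems, so 0 means the policy files look safe.
check_netlogon_dir() {
    dir="$1"
    problems=0
    if [ ! -d "$dir" ]; then
        echo "netlogon directory $dir does not exist"
        return 1
    fi
    if ! owner_only_write "$dir"; then
        echo "directory $dir is writable by group or others"
        problems=$((problems + 1))
    fi
    # config.pol is read by Windows 95/98 clients, ntconfig.pol by NT/2000/XP.
    for pol in config.pol ntconfig.pol; do
        f="$dir/$pol"
        if [ ! -f "$f" ]; then
            echo "note: $f not present (no policy for those clients)"
            continue
        fi
        if ! owner_only_write "$f"; then
            echo "policy file $f is writable by group or others"
            problems=$((problems + 1))
        fi
    done
    return $problems
}

# Usage: sh check_netlogon_policy.sh /path/to/your/netlogon/directory
if [ $# -gt 0 ]; then
    check_netlogon_dir "$1"
fi
```

<p>A non-zero exit status means a file that every client will apply to its registry can be changed by someone other than its owner; the fix is the usual <tt class="literal">chmod go-w</tt> on the directory and the <em class="filename">.pol</em> files.</p>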
<a name="samba2-CHP-4-NOTE-118"/><blockquote class="note"><h4 class="objtitle">TIP</h4>
<p>If you have, or will have, any <a name="INDEX-162"/><a name="INDEX-163"/>Windows Me clients on your network,
be careful. Microsoft has stated that Windows Me does not support
system policies. The odd thing about this is that it will download
the policy from a <em class="filename">config.pol</em> file on the PDC,
but there is no guarantee that the results will be what was intended.
Check the effect of your system policy carefully on your Windows Me
clients to make sure it is working how you want.</p></blockquote>
<p>When a user logs on to the domain, her Windows client will download
the <em class="filename">.pol</em> file from the server, and the settings
in it (that is, the items either checked or cleared in the System
Policy Editor) will override the client's settings.</p>
<p>If things "should work" but
don't, try shutting down the Windows client and
restarting, rather than just logging off and on again. Windows
sometimes will hold the <tt class="literal">[netlogon]</tt> share open
across logon sessions, and this can prevent the client from getting
the updated <em class="filename">.pol</em> file from the server.
<a name="INDEX-164"/>
<a name="INDEX-165"/></p>
<div class="sect1"><a name="samba2-CHP-4-SECT-7"/>
<h2 class="head1">Samba as a Domain Member Server</h2>
<p><a name="INDEX-166"/>Up to now,
we've focused on configuring and using Samba as the
primary domain controller. If you already have a domain controller on
your network, either a Windows NT/2000 Server system or a Samba PDC,
you can add a Samba server to the domain as a domain member server.
This involves setting up the Samba server to have a computer account
with the primary domain controller, in a similar way that Windows
NT/2000/XP clients can have computer accounts on a Samba PDC. When a
client accesses shares on the Samba domain member server, Samba will
pass off the authentication to the domain controller rather than
performing the task on the local system. If the PDC is a Windows
server, any number of Windows BDCs might exist that can handle the
authentication instead of the PDC.</p>
<p>The first step is to add the Samba server to the domain by creating a
computer account for it on the primary domain controller. You can do
this using the <em class="emphasis">smbpasswd</em> command, as follows:</p>
<blockquote><pre class="code"># <tt class="userinput"><b>smbpasswd -j <em class="replaceable">DOMAIN</em> -r <em class="replaceable">PDCNAME</em> -U<em class="replaceable">admin_acct</em>%<em class="replaceable">password</em></b></tt></pre></blockquote>
<p>In this command, <em class="replaceable">DOMAIN</em> is replaced by the
name of the domain the Samba host is joining,
<em class="replaceable">PDCNAME</em> is replaced by the computer name
of the primary domain controller,
<em class="replaceable">admin_acct</em> is replaced by the username of
an administrative account on the domain controller (either
Administrator—or another user in the Administrators
group—on Windows NT/2000, and root on Samba), and
<em class="replaceable">password</em> is replaced with the password of
that user. To give a more concrete example, on our domain that has a
Windows NT 4 Server primary domain controller or a Windows 2000
Active Directory domain controller named <tt class="literal">SINAGUA</tt>,
the command would be:</p>
<blockquote><pre class="code"># <tt class="userinput"><b>smbpasswd -j METRAN -r SINAGUA -UAdministrator%hup8ter</b></tt></pre></blockquote>
<p>and if the PDC is a Samba system, we would use the command:</p>
<blockquote><pre class="code"># <tt class="userinput"><b>smbpasswd -j METRAN -r toltec -Uroot%jwun83jb</b></tt></pre></blockquote>
<p>where <tt class="literal">jwun83jb</tt> is the password for the root user
that is contained in the <em class="filename">smbpasswd</em> file, as we
explained earlier in this chapter.</p>
<p>If you did it right, <em class="emphasis">smbpasswd</em> will respond with
a message saying the domain has been joined. The security
identifier<a name="FNPTR-5"/><a href="#FOOTNOTE-5">[5]</a> returned to Samba from the PDC is kept in
the file <em class="filename">/usr/local/samba/private/secrets.tdb</em>.
<em class="filename">secrets.tdb</em><a name="INDEX-167"/> is security-sensitive, so make sure to
protect <em class="filename">secrets.tdb</em> in the same way you would
treat Samba's password file.</p>
<p>The next step is to modify the
<em class="filename">smb.conf</em><a name="INDEX-168"/> file. Assuming you are starting with a
valid <em class="filename">smb.conf</em> file that correctly configures
Samba to function in a workgroup, such as the one we used in <a href="ch02.html">Chapter 2</a>, it is simply a matter of adding the following
three lines to the <tt class="literal">[global]</tt> section:</p>
<blockquote><pre class="code">workgroup = METRAN
security = domain
password server = *</pre></blockquote>
<p>The first line establishes the name of the domain (even though it
says "workgroup"). Instead of
METRAN, use the name of the domain you are joining. Setting security
to "domain" causes Samba to hand
off authentication to a domain controller, and the
<tt class="literal">password</tt> <tt class="literal">server</tt>
<tt class="literal">=</tt> <tt class="literal">*</tt> line tells Samba to find
the domain controller for authentication (which could be the primary
domain controller or a backup domain controller) by querying the WINS
server or using broadcast packets if a WINS server is not available.</p>
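<p>The two things that most often go wrong with a domain member server are a <em class="filename">smb.conf</em> that still says <tt class="literal">security = user</tt> (so authentication never reaches the domain controller) and a <em class="filename">secrets.tdb</em> left readable by other users after the join. The script below is an added example, not code from the book or the Samba project, that checks both: it parses the <tt class="literal">[global]</tt> section the way Samba reads it (keys are case-insensitive, whitespace around <tt class="literal">=</tt> is ignored, lines before the first section header belong to <tt class="literal">[global]</tt>, and <tt class="literal">#</tt> or <tt class="literal">;</tt> start a comment) and then confirms that the file named in the text has no group or other permission bits. The <em class="filename">smb.conf</em> path is an argument because the book's build does not fix it.</p>

```shell
#!/bin/sh
# check_domain_member.sh (added example; not from the book or Samba).
# Checks that smb.conf carries the three [global] settings a Samba domain
# member server needs, and that secrets.tdb, which holds the SID and
# machine password returned by the PDC, is accessible by its owner only.

# Print "key=value" for every setting in [global], with the key and value
# lower-cased and trimmed, so "Security = Domain" equals "security=domain".
global_settings() {
    awk '
        BEGIN { in_global = 1 }                    # text before any header is [global]
        /^[ \t]*[#;]/ { next }                     # comment lines
        /^[ \t]*\[/ {                              # a section header
            in_global = ($0 ~ /^[ \t]*\[[Gg][Ll][Oo][Bb][Aa][Ll]\]/)
            next
        }
        in_global && index($0, "=") > 0 {
            eq  = index($0, "=")
            key = tolower(substr($0, 1, eq - 1))
            val = tolower(substr($0, eq + 1))
            gsub(/^[ \t]+|[ \t]+$/, "", key)
            gsub(/^[ \t]+|[ \t]+$/, "", val)
            print key "=" val
        }' "$1"
}

# Return 0 if the file sets workgroup, security = domain and a password
# server in [global]; print each missing or wrong setting and return 1.
check_domain_member_conf() {
    settings=$(global_settings "$1")
    rc=0
    echo "$settings" | grep -q '^workgroup=.' \
        || { echo "missing: workgroup = <domain name>"; rc=1; }
    echo "$settings" | grep -q '^security=domain$' \
        || { echo "missing or wrong: security = domain"; rc=1; }
    echo "$settings" | grep -q '^password server=.' \
        || { echo "missing: password server = *"; rc=1; }
    return $rc
}

# Return 0 if the file exists and characters 5-10 of its mode string are
# all '-', i.e. no group or other permissions (for example -rw-------).
check_secrets_mode() {
    [ -f "$1" ] || { echo "missing: $1"; return 1; }
    case "$(ls -l "$1" | cut -c5-10)" in
        ------) return 0 ;;
        *) echo "$1 is readable by group or others; run: chmod 600 $1"; return 1 ;;
    esac
}

# Usage: sh check_domain_member.sh /path/to/smb.conf
if [ $# -gt 0 ]; then
    check_domain_member_conf "$1"
    check_secrets_mode /usr/local/samba/private/secrets.tdb
fi
```

<p>This complements rather than replaces <em class="emphasis">testparm</em>: <em class="emphasis">testparm</em> tells you whether the file is syntactically valid, while this check tells you whether it actually describes a domain member.</p>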
<p>At this point, it would be prudent to run
<em class="emphasis">testparm</em> to check that your
<em class="filename">smb.conf</em> is free of errors. Then restart the</p>
<p>If the PDC is a Windows NT system, you can use Server Manager to
check that the Samba server has been added successfully. Open the
Start menu, then select Programs, then Administrative Tools (Common),
and then Server Manager. Server Manager starts up with a window that
looks like <a href="ch04.html#samba2-CHP-4-FIG-16">Figure 4-16</a>.</p>
<div class="figure"><a name="samba2-CHP-4-FIG-16"/><img src="figs/sam2_0416.gif"/></div><h4 class="head4">Figure 4-16. The Windows NT Server Manager window</h4>
<p>As you can see, we've added both
<tt class="literal">toltec</tt> and <tt class="literal">mixtec</tt> to a domain
for which the Windows NT 4.0 Server system,
<tt class="literal">sinagua</tt>, is the primary domain controller.</p>
<p>You can check your setup on Windows 2000 Advanced Server by opening
the Start menu and selecting Programs, then Administrative Tools,
then Active Directory Users and Computers. The window that opens up
will look like <a href="ch04.html#samba2-CHP-4-FIG-17">Figure 4-17</a>.</p>
<div class="figure"><a name="samba2-CHP-4-FIG-17"/><img src="figs/sam2_0417.gif"/></div><h4 class="head4">Figure 4-17. The Windows 2000 Active Directory Users and Computers window</h4>
<p>Click Computers in the left side of the window with the Tree tab. You
should see your Samba system listed in the right pane of the window.
<a name="INDEX-169"/></p>
<div class="sect1"><a name="samba2-CHP-4-SECT-8"/>
<h2 class="head1">Windows NT Domain Options</h2>
<p><a href="ch04.html#samba2-CHP-4-TABLE-2">Table 4-2</a> shows the options that are commonly used
in association with Samba on a Windows NT domain.</p>
<a name="samba2-CHP-4-TABLE-2"/><h4 class="head4">Table 4-2. Windows NT domain options</h4><table border="1">
<tr><th><p>Option</p></th><th><p>Parameters</p></th><th><p>Function</p></th><th><p>Default</p></th></tr>
<tr><td><p><tt class="literal">domain logons</tt></p></td><td></td><td><p>Indicates whether Windows domain logons are to be used</p></td><td><p><tt class="literal">No</tt></p></td></tr>
<tr><td><p><tt class="literal">domain master</tt></p></td><td></td><td><p>For telling Samba to take the role of domain master browser</p></td><td></td></tr>
<tr><td><p><tt class="literal">add user script</tt></p></td><td><p>string (command)</p></td><td><p>Script to run to add a user or computer account</p></td><td></td></tr>
<tr><td><p><tt class="literal">delete user script</tt></p></td><td><p>string (command)</p></td><td><p>Script to run to delete a user or computer account</p></td><td></td></tr>
<tr><td><p><tt class="literal">domain admin group</tt></p></td><td><p>string (list of users)</p></td><td><p>Users that are in the Domain Admins group</p></td><td></td></tr>
<tr><td><p><tt class="literal">domain guest group</tt></p></td><td><p>string (list of users)</p></td><td><p>Users that are in the Domain Guests group</p></td><td></td></tr>
<tr><td><p><tt class="literal">password server</tt></p></td><td><p>string (list of computers)</p></td><td><p>List of domain controllers used for authentication when Samba is
running as a domain member server</p></td><td></td></tr>
<tr><td><p><tt class="literal">machine password timeout</tt></p></td><td><p>numeric (seconds)</p></td><td><p>Sets the renewal interval for NT domain machine passwords</p></td><td><p><tt class="literal">604,800</tt> (1 week)</p></td></tr>
</table>
<p>Here are detailed explanations of each <a name="INDEX-170"/>Windows NT domain option listed
in <a href="ch04.html#samba2-CHP-4-TABLE-2">Table 4-2</a>.</p>
<div class="sect2"><a name="samba2-CHP-4-SECT-8.1"/>
<a name="INDEX-171"/><h3 class="head2">domain logons</h3>
<p>This option configures Samba to accept domain logons as a primary
domain controller. When a client successfully logs on to the domain,
Samba will return a special token to the client that allows the
client to access domain shares without consulting the PDC again for
authentication. Note that the Samba machine must employ user-level
security (<tt class="literal">security</tt> <tt class="literal">=</tt>
<tt class="literal">user</tt>) and must be the PDC for this option to
function. In addition, Windows machines will expect a
<tt class="literal">[netlogon]</tt> share to exist on the Samba server.</p>
<div class="sect3"><a name="samba2-CHP-4-SECT-8.1.1"/>
<a name="INDEX-172"/><h3 class="head3">domain master</h3>
<p>In a Windows network, a local master browser handles browsing within
a subnet. A Windows domain can be made up of a number of subnets,
each of which has its own local master browser. The primary domain
controller serves the function of domain master browser, collecting
the browse lists from the local master browser of each subnet. Each
local master browser queries the domain master browser and adds the
information about other subnets to its own browse list. When Samba
is configured as a primary domain controller, it automatically sets
<tt class="literal">domain</tt> <tt class="literal">master</tt>
<tt class="literal">=</tt> <tt class="literal">yes</tt>, making itself the domain</p>
<p>Because Windows NT PDCs always claim the role of domain master
browser, Samba should never be allowed to be domain master if there
is a Windows PDC in the domain.</p>
<div class="sect3"><a name="samba2-CHP-4-SECT-8.1.2"/>
<a name="INDEX-173"/><h3 class="head3">add user script</h3>
<p>There are two ways in which <tt class="literal">add</tt>
<tt class="literal">user</tt> <tt class="literal">script</tt> can be used. When
the Samba server is set up as a primary domain controller, it can be
assigned to a command that will run on the Samba server to add a
Windows NT/2000/XP computer account to Samba's
password database. When the user on the Windows system changes the
computer's settings to join a domain, he is asked
for the username and password of a user who has administrative rights
on the domain controller. Samba authenticates this user and then runs
the <tt class="literal">add</tt> <tt class="literal">user</tt>
<tt class="literal">script</tt> with root permissions.</p>
<p>When Samba is configured as a domain member server, the
<tt class="literal">add</tt> <tt class="literal">user</tt>
<tt class="literal">script</tt> can be assigned to a command to add a user
to the system. This allows Windows clients to add users that can
access shares on the Samba system without requiring an administrator
to create the account manually on the Samba host.</p>
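<p>Since Samba runs the <tt class="literal">add user script</tt> with root permissions and hands it a name chosen on a Windows client, the script is the place to validate that name before it reaches <em class="emphasis">useradd</em>. The script below is an added example, not code from the book or the Samba project. It assumes it is wired up as <tt class="literal">add user script = /usr/local/sbin/add_samba_account.sh %u</tt> (the <tt class="literal">%u</tt> substitution and the <em class="emphasis">useradd</em> flags are assumptions about your Samba and Unix versions, not something this page states), that computer accounts are the NetBIOS name followed by a <tt class="literal">$</tt>, and that names are limited to 15 characters plus that trailing <tt class="literal">$</tt>.</p>

```shell
#!/bin/sh
# add_samba_account.sh (added example; not from the book or Samba).
# Meant to be called by Samba as:
#   add user script = /usr/local/sbin/add_samba_account.sh %u
# Samba runs it as root, so the name it passes in is checked before any
# command sees it: only [A-Za-z0-9._-], at most 15 characters, plus an
# optional trailing '$' marking a Windows NT/2000/XP computer account.

# Return 0 if NAME is an acceptable account name, 1 otherwise.
valid_account_name() {
    name="$1"
    # reject empty names and anything longer than 16 bytes ('$' included)
    [ -n "$name" ] || return 1
    [ ${#name} -le 16 ] || return 1
    # first character alphanumeric, then up to 14 safe characters, then
    # optionally '$'; spaces, slashes and shell metacharacters never match
    printf '%s\n' "$name" \
        | grep -Eq '^[A-Za-z0-9][A-Za-z0-9._-]{0,14}\$?$' || return 1
    return 0
}

# Return 0 if NAME ends in '$', i.e. it is a computer (machine) account.
is_machine_account() {
    case "$1" in
        *\$) return 0 ;;
        *)   return 1 ;;
    esac
}

# Create the Unix account. Computer accounts get no home directory and no
# login shell; ordinary users get a home directory but still no shell,
# because Samba authenticates them from its own password database.
add_samba_account() {
    name="$1"
    if ! valid_account_name "$name"; then
        echo "add_samba_account: refusing invalid account name" >&2
        return 1
    fi
    if is_machine_account "$name"; then
        useradd -d /dev/null -s /bin/false -M "$name"
    else
        useradd -m -s /bin/false "$name"
    fi
}

if [ $# -gt 0 ]; then
    add_samba_account "$1"
fi
```

<p>The validation function is the part worth keeping even if your site uses a different account-creation command: the name arrives from the network, and the script runs as root.</p>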
<div class="sect3"><a name="samba2-CHP-4-SECT-8.1.3"/>
<a name="INDEX-174"/><h3 class="head3">delete user script</h3>
<p>There are times when users are automatically deleted from the domain,
and the <tt class="literal">delete</tt> <tt class="literal">user</tt>
<tt class="literal">script</tt> can be assigned to a command that removes a
user from the Samba host as a Windows server would do. However, you
might not want this to happen, because the Unix user might need the
account for reasons other than use with Samba. Therefore, we
recommend that you be very careful about using this option.</p>
<div class="sect3"><a name="samba2-CHP-4-SECT-8.1.4"/>
<a name="INDEX-175"/><h3 class="head3">domain admin group</h3>
<p>In a domain of Windows systems, it is possible for a server to get a
list of the members of the Domain Admins group from a domain
controller. Samba 2.2 does not have the ability to handle this, and
the <tt class="literal">domain</tt> <tt class="literal">admin</tt>
<tt class="literal">group</tt> parameter exists as a manual means of
informing Samba who is in the group. The list should contain root
(necessary for adding computer accounts) and any users on Windows
NT/2000/XP clients in the domain who are in the Domain Admins group.
These users must be recognized by the primary controller in order for
them to perform some administrative duties such as adding users to</p>
<div class="sect3"><a name="samba2-CHP-4-SECT-8.1.5"/>
<a name="INDEX-176"/><h3 class="head3">password server</h3>
<p>In a Windows domain in which the domain controllers are a Windows
primary domain controller, along with any number of Windows backup
domain controllers, clients and domain member servers authenticate
users by querying either the PDC or any of the BDCs. When Samba is
configured as a domain member server, the <tt class="literal">password</tt>
<tt class="literal">server</tt> parameter allows some control over how
Samba finds a domain controller. Earlier versions of Samba could not
use the same method that Windows systems use, and it was necessary to
specify a list of systems to try. When you set
<tt class="literal">password</tt> <tt class="literal">server</tt>
<tt class="literal">=</tt> <tt class="literal">*</tt>, Samba 2.2 is able to find
the domain controller in the same manner that Windows does, which
helps to spread the requests over several backup domain controllers,
minimizing the possibility of them becoming overloaded with
authentication requests. We recommend that you use this method.</p>
<div class="sect3"><a name="samba2-CHP-4-SECT-8.1.6"/>
<a name="INDEX-177"/><h3 class="head3">machine password timeout</h3>
<p>The <tt class="literal">machine</tt> <tt class="literal">password</tt>
<tt class="literal">timeout</tt> global option sets a retention period for
Windows NT domain machine passwords. The default is currently set to
the same time period that Windows NT 4.0 uses: 604,800 seconds (one
week). Samba will periodically attempt to change the
<em class="firstterm">machine account password</em>, which is a password
used specifically by another server to report changes to it. This
option specifies the number of seconds that Samba should wait before
attempting to change that password. The timeout period can be changed
to a single day by specifying the following:</p>
<blockquote><pre class="code">[global]
machine password timeout = 86400</pre></blockquote>
<a name="samba2-CHP-4-NOTE-119"/><blockquote class="note"><h4 class="objtitle">TIP</h4>
<p>If you would like more information on how Windows NT uses domain
usernames and groups, we recommend Eric <a name="INDEX-178"/>Pearce's
<em class="citetitle">Windows NT in a Nutshell</em>, published by
O'Reilly. <a name="INDEX-179"/></p></blockquote>
<hr/><h4 class="head4">Footnotes</h4><blockquote><a name="FOOTNOTE-1"/> <p><a href="#FNPTR-1">[1]</a> When we include
Windows XP in discussions of Windows NT domains in this book, we are
referring to Windows XP Professional and not to the Home edition. The
reason for this is explained in the section on Windows XP later in
this chapter.</p> <a name="FOOTNOTE-2"/> <p><a href="#FNPTR-2">[2]</a> The entry in
<em class="filename">/etc/passwd</em> might not be required in future
Samba versions.</p> <a name="FOOTNOTE-3"/> <p><a href="#FNPTR-3">[3]</a> If you want to follow our example in this
section, and your network doesn't have any Windows
systems offering shares, see <a href="ch05.html">Chapter 5</a> for
directions on how to create one. Make sure you understand how to set
up shares before continuing with the directions presented
here!</p> <a name="FOOTNOTE-4"/> <p><a href="#FNPTR-4">[4]</a> The version of the System Policy
Editor distributed with Windows 98 is an update of the version
shipped with Windows 95. Use the version from the Windows 98
distribution if you can.</p> <a name="FOOTNOTE-5"/> <p><a href="#FNPTR-5">[5]</a> This security identifier (SID) is part of
an access token that allows the PDC to identify and authenticate the
client.</p> </blockquote></body></html>