
DANGER WILL ROBINSON

I am creating this as I go, so it will not be complete and working until I remove this message. You have been warned.


The Beginnings of the Samba As PDC Wiki - excuse the bad layout etc while I get everything sorted properly.

Operating Systems:

Requirements (aka: these are the packages installed on my server, and yes, these are RedHat packages)

  • samba-2.2.3a-6
  • shadow-utils-20000902-7

smb.PDC.conf

Had to do:

smbpasswd root

In order for a machine to join a domain controlled by a Samba server, the user given from the workstation must have root privileges on the PDC, i.e. user root will do.

WARNING: It is a bad idea to make your Samba password the same as your shell password.

If you want to join the DOMAIN "WLUG", do not have the workstation already in the WORKGROUP "WLUG" as things do not work correctly. To get around this, change the WORKGROUP of the workstation to something that is not "WLUG".

Reboot (ok, Windows. Cool huh?)

Change from WORKGROUP to DOMAIN and put in "WLUG". Apply. You should be prompted for a username/password. This is where you MUST give a user that has root privileges on the Linux PDC, i.e. root.

All things going well, this will create the machine account in the smbpasswd file. Without this "trust", the machine cannot log into the domain.
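The page's own smb.PDC.conf is not reproduced here, so the following [global] section is an added illustration of the settings a Samba 2.2 PDC needs for the domain join described above; it is not the author's file. The share paths, the netbios name, the `machines` group and the `add user script` line are assumptions: the script lets smbd create the Unix side of a machine trust account on the fly, but the join itself still has to be authenticated as root, as the text says.

```ini
[global]
   workgroup = WLUG
   netbios name = PDC
   security = user
   encrypt passwords = yes
   ; holds LM/NT password hashes, which are password-equivalent: keep it 0600, root-owned
   smb passwd file = /etc/samba/smbpasswd
   ; make this server the domain controller and the browse master
   domain logons = yes
   domain master = yes
   preferred master = yes
   local master = yes
   os level = 65
   ; Samba 2.2: create the Unix account for a joining workstation automatically
   ; (assumption: a "machines" group exists; %u is the machine name with a trailing $)
   add user script = /usr/sbin/useradd -d /dev/null -g machines -s /bin/false -M %u
   ; roaming profiles and home drive for domain users
   logon path = \\%L\profiles\%U
   logon home = \\%L\%U
   logon drive = H:

[netlogon]
   path = /var/lib/samba/netlogon
   read only = yes
   browseable = no

[profiles]
   path = /var/lib/samba/profiles
   read only = no
   browseable = no
   create mask = 0600
   directory mask = 0700
```

Two points worth checking after writing a file like this: `testparm` should parse it without warnings, and the [profiles] share should not list anyone under `admin users`, because file operations for such users run as root and the profile directories then end up root-owned, which is the XP complaint described further down the page.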

You will have created user accounts on the Linux PDC - yes, real accounts, although I guess the shell can be /bin/false or /dev/null - shouldn't matter.

  • adduser -s /bin/false -c "GavinGrieve" hektik
  • passwd hektik
  • smbpasswd hektik

This will create the user account, one that cannot be used to log in to a shell directly. Create a password, then create their Samba password.
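The three commands above create the Unix account, its Unix password and its Samba password in that order; the script below is an added example (not from the original page) that audits the result. It walks an smbpasswd file and checks that each entry still has a matching Unix account, that ordinary users carry the non-login shell the page recommends, and that machine trust accounts (names ending in "$") carry the W flag. The sample passwd and smbpasswd contents are constructed, with placeholder hashes, so the script runs stand-alone; the file paths are parameters, so it can be pointed at copies of the real files.

```sh
#!/bin/sh
# Added example: audit a Samba 2.2 smbpasswd file against the Unix passwd file.
# smbpasswd format: name:uid:LMHASH:NTHASH:[flags]:LCT-xxxxxxxx:
# Flags of interest: U = ordinary user, W = workstation (machine trust) account.

# audit_accounts PASSWD_FILE SMBPASSWD_FILE
# Prints one finding per line; returns 0 if clean, 1 if any finding was printed.
audit_accounts() {
    passwd_file=$1
    smb_file=$2
    rc=0
    while IFS=: read -r name uid lmhash nthash flags rest; do
        case "$name" in ''|'#'*) continue ;; esac
        # exact match on the passwd name field; prints the login shell (field 7)
        if ! shell=$(awk -F: -v u="$name" '$1 == u { print $7; found = 1 } END { exit !found }' "$passwd_file"); then
            echo "MISSING: $name has no Unix account in $passwd_file"
            rc=1
            continue
        fi
        case "$name" in
            *\$)   # machine trust account: must be flagged W
                case "$flags" in
                    *W*) ;;
                    *) echo "FLAGS: machine account $name lacks the W (workstation trust) flag"; rc=1 ;;
                esac ;;
            root)  # needed for domain joins on Samba 2.2; keeps its login shell
                ;;
            *)     # ordinary domain user: page suggests a non-login shell
                case "$shell" in
                    /bin/false|/sbin/nologin|/dev/null) ;;
                    *) echo "SHELL: $name has login shell $shell (page suggests /bin/false)"; rc=1 ;;
                esac ;;
        esac
    done < "$smb_file"
    return $rc
}

# Constructed sample data (not real accounts or hashes) so the script runs stand-alone.
# Expected findings: bob keeps a login shell, and ws02$ has no Unix account.
write_fixture() {   # write_fixture DIR  -> DIR/passwd and DIR/smbpasswd
    cat > "$1/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
hektik:x:500:500:GavinGrieve:/home/hektik:/bin/false
bob:x:501:501:Bob:/home/bob:/bin/bash
ws01$:x:502:502:ws01 machine account:/dev/null:/bin/false
EOF
    cat > "$1/smbpasswd" <<'EOF'
root:0:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:[U          ]:LCT-00000000:
hektik:500:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:[U          ]:LCT-00000000:
bob:501:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:[U          ]:LCT-00000000:
ws01$:502:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:[W          ]:LCT-00000000:
ws02$:503:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:[W          ]:LCT-00000000:
EOF
}

demo() {   # run the audit on the constructed files and return its status
    dir=$(mktemp -d) || return 2
    write_fixture "$dir"
    audit_accounts "$dir/passwd" "$dir/smbpasswd"
    status=$?
    rm -rf "$dir"
    return $status
}

# Usage: sh audit-smbpasswd.sh --demo
# Real files: audit_accounts /etc/passwd /etc/samba/smbpasswd (as root, the file is 0600)
if [ "${1:-}" = "--demo" ]; then demo; fi
```

Run against the real files it has to be root, because smbpasswd is readable by root only; a stale entry (MISSING) is the usual leftover after a userdel without a matching smbpasswd -x.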

Now that this is done, tweak your left nipple, touch your right knee, and pray to Allah, boom shanka, working Samba PDC.

Problems, and solutions:

Win2k Joining the Domain

OK, just did this on a Windows 2000 machine, and had the problem that after joining the domain I could still not log on and got "Initialization failed because the requested service redirector could not be started." in the Win2k event log. After some chatting on IRC it has been revealed to me that you will need a further reboot to get the thing working, which for me seemed to fix it. There is a related TechNet article: http://support.microsoft.com/default.aspx?scid=KB;EN-US;Q262348&

WinXP Pro Joining the Domain

Note that this was performed using WinXP Pro and a Samba 3.0 PDC with LDAP backend. YMMV. Also note that you cannot get WinXP Home to join a domain. At all. Ever.

IBM have some information on this.

In summary:

You follow the normal procedure for joining an NT-class machine to the domain (i.e. create machine accounts etc). However, before you try to join the XP machine to the domain, do the following:

  1. Open the Local Security Policy editor (Start -> All Programs -> Administrative Tools -> Local Security Policy).
  2. Locate the entry "Domain member: Digitally encrypt or sign secure channel (always)". Disable it.
  3. Locate the entry "Domain member: Disable machine account password changes". Make sure it's disabled as well.
  4. Locate the entry "Domain member: Require strong (Windows 2000 or later) session key". Disable it.
  5. Next, apply the RequireSignOrSeal registry patch
  6. Now join the domain the same as you would for Windows NT or 2000. Right-click My Computer, select Properties, Computer Name, and Change. Or click the Network ID button and run the Network Wizard.
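The RequireSignOrSeal registry patch in step 5 is named but not reproduced on the page. The .reg file below is an added example of what that patch conventionally sets, the Netlogon service parameters `requiresignorseal` and `requirestrongkey`, and is not a file from the original page. Both values switch off protection of the secure channel between the workstation and the PDC, which is only needed while the PDC runs a Samba release that does not implement secure channel signing; set them back to 1 once it does, since they also cover steps 2 and 4 above.

```reg
Windows Registry Editor Version 5.00

; Added example: loosen the Netlogon secure channel requirements on the XP client
; so it can join a Samba PDC that lacks secure channel signing. Restore both to
; dword:00000001 as soon as the PDC supports signing.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters]
"requiresignorseal"=dword:00000000
"requirestrongkey"=dword:00000000
```

Double-click the file (or run regedit /s on it) as a local administrator, then reboot before attempting the join in step 6; the Local Security Policy entries in steps 2 and 4 should show the same values afterwards.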

And voila, it all works.

XP handles domain stuff differently from the previous OSs. Amongst other things, it always wants to synchronise offline files, which is a pain.

Also, be careful when you log in with a user who has 'admin user' with XP. Most likely it will try to create the profiles, which will be owned by root. XP will barf and complain. Works fine with NT4, though; don't know about 2k. So either chown stuff to the right user, or set up some sticky permission thingies somewhere. Things should magically come right.

If when joining the machine to the domain you receive the error "The RPC Server is Unavailable" try setting a static IP address on the XP machine then try joining again. This often seems to be related to bad WINS settings in DHCP, from reading things in the MS KB, Usenet, etc. In my case, my DHCP server was sending out H-node (8) for the NetBIOS node type. Changing it to P-node (2) seemed to make this "RPC Server" error go away, as did M-node (4).
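The page describes the DHCP change in words only; the ISC dhcpd.conf fragment below is an added example (not the author's configuration) showing the node-type setting that triggered the "RPC Server is Unavailable" error beside the one that cleared it. The subnet, addresses and the assumption that the Samba box is also the WINS server (`wins support = yes` in smb.conf) are constructed.

```conf
# Added example: NetBIOS options handed out by ISC dhcpd on the domain's subnet.
# Node types: 1 = B-node (broadcast), 2 = P-node (WINS only),
#             4 = M-node (broadcast, then WINS), 8 = H-node (WINS, then broadcast).
subnet 192.168.1.0 netmask 255.255.255.0 {
    range 192.168.1.100 192.168.1.200;
    option routers 192.168.1.1;
    # the Samba PDC, assumed to run WINS (wins support = yes)
    option netbios-name-servers 192.168.1.1;
    # option netbios-node-type 8;   # H-node: what the server was sending when joins failed
    option netbios-node-type 2;     # P-node: joins worked (M-node, 4, also worked)
}
```

After changing it, restart dhcpd and renew the lease on the workstation (ipconfig /renew), then confirm with ipconfig /all that "Node Type" reads Peer-Peer before retrying the join.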

--- http://home.t-online.de/home/c.ehbrecht/WebWiki/SambaPdcServer.html might have some useful hints in it too.

For SuSE or OpenSUSE users, check out the Samba PDC/OpenLDAP howto, as this takes advantage of the YaST administration tool to do a fair bit of the manual work for you.