Server of the Space Informatics Laboratory, Department of Computer Engineering (VT), Moscow State Forest University

141001, Mytishchi, Moscow Region, Institutskaya St. 1, room 101; (095) 588-52-09, 588-55-62; E-mail: T-Alex@mgul.ac.ru
Can Samba 2.0.3 work as a Primary Domain Controller (like Windows NT Server)? I am interested in managing user accounts through User Manager, setting up Domain Logons for Windows NT Workstation clients, and changing passwords on Linux using Windows tools (rather than via Telnet). However much I read the documentation, I came to the conclusion that Samba 2.0.3 only allows joining an already existing domain run by Windows NT Server and functioning as a Backup Domain Controller. Am I right? If not, please tell me how to make Windows NT Workstation 4.0 clients able to log on to a domain controlled by Samba (and is it possible at all to make Samba a domain controller if there is no server running Windows NT Server on the network?).
Re: Samba as Resource Domain PDC?
John Morgan Salomon wrote:

> Hi there, I suppose it's possible that I missed something in this mailing list's archive, but I was wondering whether anyone has succeeded in setting up Samba 2.0 as a PDC in an NT resource domain? I'm trying to add an NT 4.0 workstation (create a domain account), but it can't find the domain in question's PDC (Samba server is currently the only machine in there.)

I have a samba 2.0.2 setup as PDC for a domain. I can add machines to the domain, setup user roaming profiles, sharing files and printers, everything ok with password sync/changing and also setup policies to winnt and 95 client machines/users. Good work folks :)

> My NT server manager also can't find a PDC for the domain; after reading
> NTDOMAINS.txt, I got the impression that you couldn't really have an NT
> domain without a PDC? Am I totally on crack, or could someone give me
> some tips on this? I'm currently not overly concerned with tuning or
> security, I would just like to get it working if at all possible.
> Thanks,

I believe there are some things missing in your smb.conf. Here is an excerpt from mine:
```
# Global parameters
workgroup =
server string =
encrypt passwords = Yes
passwd program = /usr/bin/passwd %u
passwd chat = *new*password* %n\n *new*password* %n\n *changed*
unix password sync = Yes
null passwords = No
name resolve order = wins bcast lmhosts host
deadtime = 1
socket options = TCP_NODELAY IPTOS_THROUGHPUT SO_RCVBUF=4096 SO_SNDBUF=4096
logon path = \\%L\%U\WinProfile
logon drive = z:
domain logons = Yes
logon script = %U.bat
os level = 65
preferred master = Yes
domain master = Yes
wins proxy = No
wins support = Yes
debug level = 0
message command = csh -c 'xedit %s;rm %s' &
create mask = 0740
directory mask = 0750

[netlogon]
# This should be the location for your user scripts and policy files
path = /usr/local/samba/lib/netlogon
browseable = No
writeable = No
Guest ok = No
locking = No
public = No

[HOMES]
read only = No
browseable = No
Guest ok = No
```
Some comments:

Before going to an NT workstation in order to add it to the domain you should create a machine account in the machine running samba:

```
useradd -u -g -d/dev/null -s/bin/false $
smbpasswd -a -m
```

Now go to the NT workstation, Control Panel, Network, click Change and add the machine to the domain.

Just one more thing: I compiled samba 2.0.2 with -DNTDOMAIN but I am not sure if this is needed. Hope this helps.

Pedro
From me: the workstation logs on, runs the login script and saves the profile, but you end up as a plain user on your own workstation and can't do a damn thing. I haven't beaten this one yet.

My Samba is the domain master. I had a problem where some NT user kept grabbing the master role. So I set Samba's os level to 255 and everything is fine.
And if you need Samba not to grab the master role, set its os level a little lower than the one NT sets for itself. rtfm!
Has anyone set up Samba as an NT server without one on the network?

I fought with it for a long time and won!
samba-1.9.18p10-51.1
Here is my config:
```
[global]
workgroup = WorkGroup
security = user
log file = /var/log/samba/log.%m
max log size = 50
encrypt passwords = yes
smb passwd file = /etc/smbpasswd
username map = /etc/smbusers
socket options = TCP_NODELAY
interfaces = 192.168.255.13/255.255.255.240 192.168.255.17/255.255.255.240
os level = 200

printcap name = /etc/printcap
load printers = yes

guest account = guest

domain master = yes
domain logons = yes
logon script = %m.bat
logon script = %U.bat
logon path = \\%N\profiles

dns proxy = no

preserve case = yes
case sensitive = no
client code page = 866
character set = koi8-r
create mask = 660
directory mask = 770

#============================ Share Definitions ==============================
[menu]
comment = Users menu
path = /home/menu
browseable = yes
public = yes
writable = yes

[profiles]
comment = Профили
path = /home/profiles/%g/%u
browseable = yes
public = no
writable = yes

[homes]
comment = Home Directories
browseable = yes
writable = yes

[nobody]
path = /tmp
browseable = no
public = no
read only = yes

[netlogon]
comment = Network Logon Service
path = /home/netlogon/%g
guest ok = yes
writable = no
share modes = no

[printers]
comment = All Printers
path = /var/spool/samba
browseable = no
guest ok = no
writable = no
printable = yes

[All]
comment = Server files
path = /
valid users = @wheel, michael, Scorpion
browseable = no
public = no
writable = yes

[Dis]
comment = MustDie's Files
path = /usr/win
valid users = @wheel, michael, Scorpion
writable = no
browseable = no
printable = no

[Soft]
comment = Software
path = /usr/win/Soft
public = yes
writable = yes

[teacher]
comment = Teacher stuff
path = /home/teacher
public = no
writable = yes
valid users = @wheel,@teacher
printable = no

[A]
path = /A
public = no
browseable = no
writable = yes

[Users]
path = /home
public = no
writable = yes
valid users = @wheel
browseable = no
```
Logging on to Samba from Win95 hosts (local network) gives no problems, it works as it should. But I cannot log on to the Samba server from an NT machine. A message pops up: "Данный пользователь не может войти в сеть с этой машины" ("This user cannot log on to the network from this machine").

On Win NT you need to run the file NT4_PlainPassword.reg, which ships with Samba (it is in the docs).

There are 3 machines on the LAN: one runs Linux with Samba, the others run Windows.
One machine sees the shares on Samba, while the other says
"Введите пароль для IPC$" ("Enter the password for IPC$") and no password helps.
Does anyone know what to do?

My server runs NT, my machine runs RH5.2, the rest run '95/'98. Everyone sees everyone else. Here is my Samba config:
```
;The global setting for a RedHat default install
; smbd re-reads this file regularly, but if in doubt stop and restart it:
; /etc/rc.d/init.d/smb stop
; /etc/rc.d/init.d/smb start
;======================= Global Settings =====================================
[global]
; workgroup = NT-Domain-Name or Workgroup-Name, eg: REDHAT4
workgroup = FIRSTDMN
netbios name = postcomp
browseable = yes
interfaces = 192.168.0.254
announce as = NT
null passwords=yes
networkstation user login = no
encrypt passwords = no
; comment is the equivalent of the NT Description field
comment = RedHat Samba Server
; volume = used to emulate a CDRom label (can be set on a per share basis)
volume = RedHat4
; printing = BSD or SYSV or AIX, etc.
printing = bsd
printcap name = /etc/printcap
load printers = yes
print command = lpr -r -P%p %s
lpq command = lpq -P%p
lprm command = lprm -P%p %j

; Uncomment this if you want a guest account
; guest account = pcguest
log file = /var/log/samba/samba-log.%m
; Put a capping on the size of the log files (in Kb)
max log size = 50
; Options for handling file name case sensitivity and / or preservation
; Case Sensitivity breaks many WfW and Win95 apps
character set = koi8-r
client code page = 866
#default case = upper
#case sensitive = yes
short preserve case = yes
preserve case = yes
; Security and file integrity related options
lock directory = /var/lock/samba
locking = yes
strict locking = yes
oplocks =False
share modes = no
; Security modes: USER uses Unix username/passwd, SHARE uses WfW type passwords
; SERVER uses a Windows NT Server to provide authentication services
security = server
; Use password server option only with security = server
password server = ntserv
; Configuration Options ***** Watch location in smb.conf for side-effects *****
; Where %m is any SMBName (machine name, or computer name) for which a custom
; configuration is desired
; include = /etc/smb.conf.%m
; Performance Related Options
; Before setting socket options read the smb.conf man page!!
socket options = TCP_NODELAY
; Socket Address is used to specify which socket Samba
; will listen on (good for aliased systems)
; socket address = aaa.bbb.ccc.ddd
; Use keep alive only if really needed!!!!
; keep alive = 60
; Domain Control Options
; OS Level gives Samba the power to rule the roost. Windows NT = 32
; Any value < 32 means NT wins as Master Browser, > 32 Samba gets it
os level = 32
; specifies Samba to be the Domain Master Browser
; domain master = yes
domain master = no
; Use with care only if you have an NT server on your network that has been
; configured at install time to be a primary domain controller.
; domain controller = <NT-Domain-Controller-SMBName>
; domain controller = ntserv
; Domain logon control can be a good thing! See [netlogon] share section below!
; domain logons = yes
; run a specific logon batch file per workstation (machine)
; logon script = %m.bat
; run a specific logon batch file per username
; logon script = %u.bat
; Windows Internet Name Serving Support Section
; WINS Support - Tells the NMBD component of Samba to enable it's WINS Server
; the default is NO.
wins support = no
; WINS Server - Tells the NMBD components of Samba to be a WINS Client
; Note: Samba can be either a WINS Server, or a WINS Client, but NOT both
wins server = 192.168.0.1
; WINS Proxy - Tells Samba to answer name resolution queries on behalf of a non
; WINS Client capable client, for this to work there must be at least one
; WINS Server on the network. The default is NO.
wins proxy = no
message command = sh -c '/usr/local/bin/smbmessage %f %m %t %s' &
;============================ Share Declarations ==============================
;[homes]
; comment = Home Directories
; browseable = yes
; read only = no
; preserve case = yes
; short preserve case = yes
; create mode = 0750
; Un-comment the following and create the netlogon directory for Domain Logons
; [netlogon]
; comment = Samba Network Logon Service
; path = /home/netlogon
; Case sensitivity breaks logon script processing!!!
; case sensitive = no
; guest ok = yes
; locking = no
; read only = yes
; browseable = yes ; say NO if you want to hide the NETLOGON share
; admin users = @wheel
; NOTE: There is NO need to specifically define each individual printer
[printers]
comment = All Printers
path = /var/spool/samba
browseable = no
printable = yes
; Set public = yes to allow user 'guest account' to print
public = yes
writable = yes
create mode = 0777
;[tmp]
; comment = Temporary file space
; path = /tmp
; read only = no
; public = yes
; A publicly accessible directory, but read only, except for people in
; the staff group
;[public]
; comment = Public Stuff
; path = /home/samba
; public = yes
; writable = yes
; printable = no
; write list = @users
; Other examples.
;
; A private printer, usable only by fred. Spool data will be placed in fred's
; home directory. Note that fred must have write access to the spool directory,
; wherever it is.
;[fredsprn]
; comment = Fred's Printer
; valid users = accounter Inna administrator
; path = /var/spool/lpd/lp
; printer = lp
; public = yes
; writable = no
; printable = yes
;
; A private directory, usable only by fred. Note that fred requires write
; access to the directory.
;[fredsdir]
; comment = Fred's Service
; path = /usr/somewhere/private
; valid users = fred
; public = no
; writable = yes
; printable = no
;
; a service which has a different directory for each machine that connects
; this allows you to tailor configurations to incoming machines. You could
; also use the %u option to tailor it by user name.
; The %m gets replaced with the machine name that is connecting.
;[pchome]
; comment = PC Directories
; path = /usr/pc/%m
; public = no
; writeable = yes
;
;
; A publicly accessible directory, read/write to all users. Note that all files
; created in the directory by users will be owned by the default user, so
; any user with access can delete any other user's files. Obviously this
; directory must be writable by the default user. Another user could of course
; be specified, in which case all files would be owned by that user instead.
;[public]
; path = /usr/somewhere/else/public
; public = yes
; only guest = yes
; writable = yes
; printable = no
;
;
; The following two entries demonstrate how to share a directory so that two
; users can place files there that will be owned by the specific users. In this
; setup, the directory should be writable by both users and should have the
; sticky bit set on it to prevent abuse. Obviously this could be extended to
; as many users as required.
;[myshare]
; comment = Mary's and Fred's stuff
; path = /usr/somewhere/shared
; valid users = mary fred
; public = no
; writable = yes
; printable = no
; create mask = 0765
;[ftp]
; comment = FTP Server
; path = /home/ftp
; public = yes
; writable = yes
; printable = no
[scico]
comment = scico
path = /sharing/scico/
force user=root
force group=users
; forse create mode=0666
; forse directory mode=0777
; valid users = accounter Inna administrator operator
public = yes
writable = yes
printable = no
create mask = 0666

[e_mail]
comment = e_mail
path = /sharing/e_mail
force user=root
force group=users
; valid users =
public = yes
writable = yes
printable = no
create mask = 0644

[Archives]
comment = arc
path = /sharing/archives
force user=root
force group=users
valid users = Inna administrator operator accounter
public = yes
writable = yes
printable = no
create mask = 0644

[post]
comment = post
path = /sharing/post
force user=root
force group=users
valid users = Inna administrator operator accounter
valid group = users
public = yes
writable = yes
printable = no
create mask = 0644

[fido]
comment = fido
path = /sharing/fido
force user=root
force group=users
; valid users = Inna administrator
public = yes
writable = yes
printable = no
create mask = 0666
```
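
A defensive check for configs like the ones posted above, as an added example that is not part of the original posts or of Samba itself: a small Python audit that flags the settings with security impact seen on this page (plaintext or null passwords, guest-writable shares, `force user=root`, a writable share on `/`, world-writable create masks). The finding labels and the embedded sample are constructed for this example.

```python
import configparser

# Constructed sample: settings copied from the configs posted on this page.
SAMPLE = """\
[global]
encrypt passwords = no
null passwords=yes
[printers]
public = yes
writable = yes
create mode = 0777
[scico]
force user=root
public = yes
writable = yes
create mask = 0666
[All]
path = /
writable = yes
"""

def on(sec, *keys):
    """True if any of the synonymous boolean keys is enabled in this section."""
    return any(sec.get(k, "no").strip().lower() in ("yes", "true", "1") for k in keys)

def audit(text):
    """Return sorted (section, finding) pairs; finding labels are this example's own."""
    cp = configparser.RawConfigParser(strict=False, delimiters=("=",))
    cp.read_string(text)
    out = []
    for name in cp.sections():
        sec = cp[name]
        if name.lower() == "global":
            # Assumption: a missing "encrypt passwords" is treated as off.
            checks = [(not on(sec, "encrypt passwords"), "plaintext-passwords"),
                      (on(sec, "null passwords"), "null-passwords")]
        else:
            # "read only = no", the inverse spelling of writable, is not handled here.
            writable = on(sec, "writable", "writeable", "write ok")
            mask = sec.get("create mask", sec.get("create mode", "0"))
            checks = [(writable and on(sec, "public", "guest ok"), "guest-write"),
                      (writable and sec.get("path", "").strip() == "/", "root-fs-write"),
                      (sec.get("force user", "").strip() == "root", "force-root"),
                      (int(mask, 8) & 0o002, "world-writable-mask")]
        out += [(name, label) for hit, label in checks if hit]
    return sorted(out)

if __name__ == "__main__":
    for section, finding in audit(SAMPLE):
        print(f"[{section}] {finding}")
```

Duplicate keys are accepted with the last value winning, so a file that sets `logon script` twice still parses.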