[plug] Samba PDC AGAIN!!

Jonathan Young jonathan at pcphix.com
Sun Dec 18 23:59:01 WST 2005


Jonathan Young wrote:

> Chris Watt wrote:
>
>>Hi Guys,
>>
>>I'm really quite desperate now to get this machine working properly, I
>>really urgently need the help of someone who has done this and could
>>help me on both the Samba and Windows end of things.
>>
>>If someone is able to offer assistance I would be forever grateful
>>
>>~Chris
>>
> When I get home tonight, before I go to sleep, I will compile my notes 
> into one 'tutorial'.
>
> I have just been so flat out, but the information I have here has 
> worked in every single case from Windows 98 to Windows XP unless the 
> machine itself has been in need of an F&R.
>
> These will be the best instructions I can offer, but as most of it is 
> on paper, I have just needed to find the time to *re-type* it... and 
> that has been the hold up.
>
> Talk to you later, though I'll post what I come up with to the list 
> for everyone's future reference (assuming it is useful and/or new 
> information).


Assuming that you have Samba set up correctly and the samba.conf file 
reflects the correct shares, and other settings are ready to roll, this 
'tutorial' (or more accurately a step by step guide of what has worked 
for me), demonstrates how I have successfully joined Windows 98 and 
Windows XP computers to a Samba PDC in the past.  I continue to refer to 
this method when adding more PCs to my existing Samba PDC based networks 
and provided your Samba shares and services are configured properly, 
this process should get your Windows boxen logging on.

A massive part of this documentation has been lifted from a website 
belonging to a friend of mine, Les Ritchin and from technical documents 
written by Les while he was working for PC-PHIX.

Over at www.cr0n.net, he has an article titled Connecting a Windows 98 
PC to a Samba Domain:  http://www.cr0n.net/articles.php?article=sambaclient

While working for PC-PHIX back in 2004, he headed up the process of 
perfecting our Samba controllers for use with Windows and more or less 
wrote the rest of this documentation as part of a network document 
required to provide ongoing support to one particular client.  I have 
re-written some of this to make it more generic (i.e. removed specific 
references to our client's network), but from a technical point of view 
nothing is missing.

So credit where credit is due... Assuming it all works smoothly - thank 
Les!  I have however edited these instructions together to provide a 
more complete guide for both Windows 98 and Windows XP together.  This 
really should just work!!!*

Joining a new PC to the domain is fairly straightforward. In a nutshell 
the steps are:
- Create a machine account and user account on the server.
- Configure the client PC to use a domain and give it the machine name 
you specified.
- Reboot and login with the account information you set up.

Below are the steps required in more detail.  Good luck!



**** For Windows XP: ****

Server Configuration:
=============

1. Log into the server as root. Create a new machine (or trust) account.

[root@yourdomain root]# useradd -g machines -d /dev/null -s /sbin/nologin -u uid machine_name$

Some of the switches are optional, UIDs are assigned automatically, -g 
is the group ("machines") and so on.
Note the $ appended to the machine name - this is important!

2. Lock the account.

[root@yourdomain root]# passwd -l machine_name$
Locking password for user machine_name$.
passwd: Success

3. Create an SMB trust account with the same name.

[root@yourdomain root]# smbpasswd -a -m machine_name
Added user machine_name$

4. Create a user account for the new staff member / person who will be 
using this PC.

[root@yourdomain root]# useradd -u uid user
[root@yourdomain root]# passwd user
Changing password for user user.
New UNIX password:
Retype new UNIX password:
passwd: all authentication tokens updated successfully.

5. Create an SMB user account for the domain. It is a good idea from an 
administrative point of view to make the SMB password the same as the 
UNIX password.

[root@yourdomain root]# smbpasswd -a user
New SMB password:
Retype new SMB password:
Added user user.

The server is now configured, next you need to configure the client.

Client Configuration:
==============

Below are the steps required for the Windows XP client in detail. This 
assumes you are running Windows XP Professional.
Please note that Windows XP Home cannot join a domain. This is a 
limitation with that particular version of Windows, not the server.

Unplug the LAN cable from the client PC before starting. These 
instructions  assume you have already installed all required software as 
local Administrator before joining the domain.

1. Start Windows XP.

2. Log in as Administrator (not an equivalent account).

3. Run the WXP_SignOrSeal.reg patch** on the client PC.

4. Go to Start->Run and type gpedit.msc

5. Under Computer Configuration->Administrative Templates->System->User 
Profiles double click on Only allow local profiles. Select Enabled and 
click Apply and OK. Also enable Prevent Roaming Profile changes from 
propagating to the server.

6. Right click My Computer, choose properties and flip to Computer Name.

7. Click Change.

8. Change the computer name to the same name as set up in Server setup 
(step 1).

9. Click OK, OK, and Yes to restart.

10. Press CTRL-ALT-DEL and log in as Administrator (not an equivalent 
account).

11. Right click My Computer, choose properties and flip to Computer Name.

12. Click Change.

13. Plug in the LAN cable, select the domain button and type YOURDOMAIN 
in the domain field. Press enter or click OK.

14. In the dialog box, type the Domain Administrator's username and 
password.

15. A message appears welcoming you to the YOURDOMAIN domain. Restart 
your computer.

16. Press CTRL-ALT-DEL and log in as Administrator (not an equivalent 
account).
 
17. Go to Start->Settings->Control Panel->User Accounts and click Add... 
Type in the user name that will be logging into the computer. In the 
domain field type YOURDOMAIN and set this user as an Administrator. This 
ensures that when that user connects to that domain he or she will be 
able to install programs, set the time etc.

18. Log Off.

19. Press CTRL-ALT-DEL and log in using the username and password as set 
up in Server setup (steps 4 & 5). Make sure that Log On To: is set to 
YOURDOMAIN

.....You're done!!

Notes:
=====

- I seem to remember that you need to actually supply the server's root 
password and the username 'root' at some point instead of 
Administrator.  Try this for 14 if 'administrator' does not work.
- The signorseal patch may or may not be required (see footnotes below).
- It is a good idea to set the local PC (Windows) Administrator password 
to something before joining the domain because while the PC is part of 
the domain you can stop unauthorised logins, but off the domain (or 
removed from the domain) you could still log in with no password (since 
Microsoft won't make you create a 'root' password by default).  Please 
remember to record your new password somewhere.



**** For Windows 98: ****

by Les Ritchin (les at cr0n.net); edited by Jonathan Young 
(jonathan at pcphix.com)

[NB: The 'Server Configuration' is repeated / very similar to the 
outline given above.  I recommend reading both and double checking any 
differences to ensure the process you use is best suited to your 
particular situation. - Jonathan]

Ewww. Windows 98! Yeah I know. But the fact is that most businesses 
still have a few old 98 machines still chugging along. I can't really 
blame them though, most companies are sick and tired of paying the 
Microsoft tax year after year - so do your part - introduce them to Linux ;)

Holy wars aside, this article describes step by step how to get a 
Windows 98 PC onto a Samba domain. I'm basing this on a few Samba DCs 
that I built in my days as a network technician. Keep in mind I had to 
play it by ear, so my particular Samba DCs may not be the most elegant 
ones around. They do, however, Just Work(tm) and that is usually what 
the client is interested in. What this means is that Your Mileage May 
Vary quite considerably. As always, follow this at your own risk. I 
can't be responsible if your system gets hosed. It's your responsibility 
to make sure nothing harmful happens to your computer. Now let's get 
started!

Server Configuration:
==============

The first thing you'll need is root access to the Samba server. This can 
be at a physical console, or over SSH. I like SSH, because I'm lazy and 
don't like to get out of my chair.

First we will create the Samba credentials. For this step, decide what 
your Windows 98 PC should be called, like "reception", and decide who 
will be using it like "jsmith". We need to provide the Samba server 
these details. SSH to the Samba server as root.

1. Create the machine account on the server:

useradd -d /dev/null -s /sbin/nologin reception$

Note the $ sign on the end. This is very important.

2. Now lock the account to prevent password changes:

passwd -l reception$

3. Add the newly created machine account to Samba's authentication list. 
Note that in this example, you DO NOT add the $ sign. The -m switch 
tells smbpasswd that this is a machine account.

smbpasswd -a -m reception

That's it for the machine account.

4. Now we must add a human user

useradd jsmith

5. Give jsmith a password

passwd jsmith

6. jsmith will, by default, belong only to the jsmith group. If your 
Samba server uses group based security (which I've found to be very easy 
to set up) you'll probably want to add this user to one of those groups 
so that he can access the stuff he needs to access. For example, if the 
Samba server uses a group such as docsonly, and jsmith needed access to 
stuff in the docsonly group, add him to the group using the usermod 
command. CAUTION: If the user is currently a member of a group which is 
not listed, the user will be removed from the group:

usermod -G jsmith,docsonly jsmith

7. Now add jsmith to Samba's authentication list

smbpasswd -a jsmith

That's it for the server side, now we must connect the Windows 98 machine.

Client Configuration:
==============

For this step, I'll assume you are already familiar with Windows 98.

You will need to go to Start->Settings->Control Panel.

Double Click the network icon and make sure that the following 
networking items are installed:

- Client for Microsoft Networks
- Network Adapter
- TCP/IP

Click the Identification tab and give the computer the correct name (as 
in reception). Fill in the workgroup name with your domain name (yeah I 
know - it's like Start->Shutdown). Optionally add in a comment.

Now go back to configuration and select Client for Microsoft Networks, 
and click Properties. Check the box that says "Log onto NT Domain" and 
type the domain name in the text field. Click OK and OK again.

Restart your PC. At logon, make sure that the domain shows up correctly, 
and type the username and password you specified in server setup for the 
user. Windows should log onto the domain and run the applicable logon 
script that is stored on the server.

Notes:
=====

- The steps to be carried out on the server are not OS specific, so make 
sure you carry them out either way before doing the client side.  Les' 
version may be a little different to mine and was probably tested using 
different versions of Samba.  Provided you believe you understand them, 
there will be solid information in both sections / versions.
- It is a good idea to set the local PC (Windows) Administrator password 
to something before joining the domain because while the PC is part of 
the domain you can stop unauthorised logins, but off the domain (or 
removed from the domain) you could still log in with no password (since 
Microsoft won't make you create a 'root' password by default).  Please 
remember to record your new password somewhere.



**** Footnotes: ****

* May not work for you, please don't hold me responsible just because I 
tried to help you out!
** The Windows XP 'Signorseal' Patch is more or less a registry hack.  
It may not be required if you have SP2 and other updates installed.  It 
can be found at various locations online such as this one:  
http://www.see.ed.ac.uk/it/network/domain/signorseal.reg (found by 
Googling 'signorseal patch').

The contents of .reg files can be checked for 'nasty' intentions fairly 
easily.  This one appears to do the following:

REGEDIT4
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters]
"requiresignorseal"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters]
"signsecurechannel"=dword:00000000
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System]
"CompatibleRUPSecurity"=dword:00000001
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\LocalMachine\Software\Policies\Microsoft\Windows\System]
"CompatibleRUPSecurity"=dword:00000001

So of course, you could make those changes manually...

============================

That's about it.  Unfortunately I have not done this exercise frequently 
enough to have perfected it just yet.  Even now, these instructions are 
a work in progress.  But if you see something new or something 
different; something that you haven't checked out yet, well, that's 
probably what the problem is!

Good luck and if anyone wants to improve on these notes, I'd love to 
hear from you!

-- 
Jonathan Young
Director of PC-PHIX
jonathan at pcphix.com

Phone: 0410 455 674
Web: http://www.pcphix.com/
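
Added example, not part of the original post or of Les Ritchin's notes: a way to do the check the footnote describes before importing a .reg file. The shell function lists every dword the file sets and marks Netlogon values that, at 0, stop the client requiring or negotiating a signed or sealed secure channel to the domain controller. The function names, verdict labels and sample input are constructed here, and `sealsecurechannel` is an assumption added as the third value of the same Netlogon family (it is not in the post's listing).

```shell
#!/bin/sh
# Added example, not from the original post. Lists every dword a REGEDIT4
# file sets and marks those that turn off Netlogon secure-channel protection.
# Output per value: <verdict>|<key>|<name>|<decimal value>
audit_reg() {
    awk '
    { sub(/\r$/, ""); sub(/[ \t]+$/, "") }    # CRLF and trailing blanks
    pending != "" { $0 = pending " " $0; pending = "" }  # rejoin wrapped key
    /^\[/ && !/\]$/ { pending = $0; next }    # key cut in two by a mail client
    /^\[.*\]$/      { key = substr($0, 2, length($0) - 2); next }
    /^"[^"]+"=dword:[0-9A-Fa-f]+$/ {
        n    = index($0, "\"=dword:")
        name = substr($0, 2, n - 2)
        hex  = tolower(substr($0, n + 8))
        val  = 0
        for (i = 1; i <= length(hex); i++)
            val = val * 16 + index("0123456789abcdef", substr(hex, i, 1)) - 1
        lk = tolower(key); ln = tolower(name)
        verdict = "REVIEW"                    # unknown to this check: read it
        if (lk ~ /\\services\\netlogon\\parameters$/ && val == 0 &&
            (ln == "requiresignorseal" || ln == "signsecurechannel" ||
             ln == "sealsecurechannel"))
            verdict = "WEAKENS"
        printf "%s|%s|%s|%d\n", verdict, key, name, val
    }'
}

# Constructed sample: the listing from the post, with one key left wrapped
# the way the mail client broke it.
sample_reg() {
    cat <<'EOF'
REGEDIT4
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters]
"requiresignorseal"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters]
"signsecurechannel"=dword:00000000
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System]
"CompatibleRUPSecurity"=dword:00000001
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group
Policy Objects\LocalMachine\Software\Policies\Microsoft\Windows\System]
"CompatibleRUPSecurity"=dword:00000001
EOF
}

sample_reg | audit_reg
```

Run against a downloaded file with `audit_reg < signorseal.reg`; any `WEAKENS` line is a setting to justify per machine, and to revert once the Samba server supports a signed or sealed channel.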
