<html>
<body bgcolor="#ffffff">

<img src="samba2_xs.gif" border="0" alt=" " height="100" width="76"
hspace="10" align="left" />

<h1 class="head0">Chapter 4. Windows NT Domains</h1>

<p><a name="INDEX-1"/>In previous chapters, we've focused on workgroup networking to keep things simple and introduce you to networking with Samba in the most painless manner we could find. However, workgroup computing has its drawbacks, and for many computing environments, the greater security and single logon of the Windows NT domain make it worthwhile to spend the extra effort to implement a domain.</p>

<p>In addition to the domain features <a name="INDEX-2"/>that we discussed in <a href="ch01.html">Chapter 1</a>, having a domain makes it possible to use <em class="firstterm">logon scripts</em><a name="INDEX-3"/> and <em class="firstterm">roaming profiles</em><a name="INDEX-4"/> (also called <em class="firstterm">roving profiles</em><a name="INDEX-5"/>). A logon script is a text file of commands that are run during startup, and a profile is a collection of information regarding the desktop environment, including the contents of the Start menu, icons that appear on the desktop, and other characteristics about the GUI environment that users are allowed to customize. A roaming profile can follow its owner from computer to computer, allowing her to have the same familiar interface appear wherever she logs on.</p>

<p>A Windows NT domain offers centralized control over the network. <em class="firstterm">Policies</em><a name="INDEX-6"/> can be set up by an administrator to define aspects of the users' environment and limit the amount of control they have over the network and their computers.
It is also possible for administrators to perform remote administration of the domain controllers from any Windows NT/2000/XP workstation.</p>

<p>Samba 2.2 has the ability to act as a primary domain controller, supporting domain logons from Windows 95/98/Me/NT/2000/XP computers and allowing Windows NT/2000/XP<a name="FNPTR-1"/><a href="#FOOTNOTE-1">[1]</a> systems to join the domain as domain member servers. Samba can also join a domain as a member server, allowing the primary domain controller to be a Windows NT/2000 system or another Samba server.</p>

<a name="samba2-CHP-4-NOTE-100"/><blockquote class="note"><h4 class="objtitle">TIP</h4>
<p>Samba 2.2 does not support <a name="INDEX-7"/><a name="INDEX-8"/><a name="INDEX-9"/>LDAP and <a name="INDEX-10"/>Kerberos authentication of Active Directory, so it cannot act as a Windows 2000 Active Directory domain controller. However, Samba can be added to an Active Directory domain as a member server, with the Windows 2000 domain controllers running in either mixed or native mode. The Windows 2000 server (even if it is running in native mode) supports the Samba server by acting as a <a name="INDEX-11"/><a name="INDEX-12"/>PDC emulator, using the Windows NT style of authentication rather than the Kerberos style.</p>
</blockquote>

<p>If you're adding a Samba server to a network that has already been set up, you won't have to decide whether to use a workgroup or a domain; you will simply have to be compatible with what's already in place. If you do have a choice, we suggest you evaluate both workgroup and domain computing carefully before rolling out a big installation. You will have a lot of work to do if you later need to convert one to the other.
One last thought on this matter is that Microsoft is developing Windows in the direction of increased use of domains and is intending that eventually Windows networks be composed solely of Active Directory domains. If you implement a Windows NT domain now, you'll be in a better position to transition to Active Directory later, after Samba has better support for it.</p>

<p>In this chapter, we cover various topics directly related to using Samba in a Windows NT domain, including:</p>

<ul><li>
<p>Configuring and using Samba as the primary domain controller</p>
</li><li>
<p>Setting up Windows 95/98/Me systems to log on to the domain</p>
</li><li>
<p>Implementing user-level security on Windows 95/98/Me</p>
</li><li>
<p>Adding Windows NT/2000/XP systems to the domain</p>
</li><li>
<p>Configuring logon scripts, roaming profiles, and system policies</p>
</li><li>
<p>Adding a Samba server to a domain as a member server</p>
</li></ul>

<div class="sect1"><a name="samba2-CHP-4-SECT-1"/>

<h2 class="head1">Samba as the Primary Domain Controller</h2>

<p><a name="INDEX-13"/>Samba 2.2 is able to handle the most desired functions of a primary domain controller in a Windows NT domain, handling domain logons and authentication for accessing shared resources, as well as supporting logon scripts, roaming profiles, and system policies.</p>

<a name="samba2-CHP-4-NOTE-101"/><blockquote class="note"><h4 class="objtitle">TIP</h4>
<p>You will need to use at least Samba 2.2 to ensure that PDC functionality for Windows NT/2000/XP clients is present. Prior to Samba 2.2, only limited user authentication for NT clients was present.</p>
</blockquote>

<p>In this section, we will show you how to configure Samba as a PDC for use with Windows 95/98/Me and Windows NT/2000/XP clients.
The two groups of Windows versions interact differently within domains, and in some cases are supported in slightly different ways. If you know you are going to be using only Windows 95/98/Me or Windows NT/2000/XP, you can set up Samba to support only that group. However, there isn't any harm in supporting both at the same time.</p>

<a name="samba2-CHP-4-NOTE-102"/><blockquote class="note"><h4 class="objtitle">TIP</h4>
<p>If you would like more information on how to set up <a name="INDEX-14"/>domains, see the file <em class="filename">Samba-PDC-HOWTO.html</em><a name="INDEX-15"/> in the <em class="filename">docs/htmldocs</em> directory of the Samba source distribution.</p>
</blockquote>

<p>Samba must be the only domain controller for the domain. Make sure that a PDC isn't already active, and that there are no backup domain controllers. Samba 2.2 is not able to communicate with backup domain controllers, and having domain controllers in your domain with unsynchronized data would result in a very dysfunctional network.</p>

<a name="samba2-CHP-4-NOTE-103"/><blockquote class="note"><h4 class="objtitle">TIP</h4>
<p>Although Samba 2.2 cannot function as, or work with, a Windows NT <a name="INDEX-16"/><a name="INDEX-17"/>BDC, it is possible to set up another Samba server to act as a backup for a Samba PDC.
For further information, see the file <em class="filename">Samba-BDC-HOWTO.html</em><a name="INDEX-18"/> in the <em class="filename">docs/htmldocs</em> directory of the Samba source distribution.</p>
</blockquote>

<p>Configuring Samba to be a PDC is a matter of modifying the <em class="filename">smb.conf</em> file, creating some directories, and restarting the server.</p>

<div class="sect2"><a name="samba2-CHP-4-SECT-1.1"/>

<h3 class="head2">Modifying smb.conf</h3>

<p>First you will need to start with an <em class="filename">smb.conf</em><a name="INDEX-19"/><a name="INDEX-20"/> file that correctly configures Samba for workgroup computing, such as the one we created in <a href="ch02.html">Chapter 2</a>, and insert the following lines into the <tt class="literal">[global]</tt> section:</p>

<blockquote><pre class="code">[global]
    ; use the name of your Samba server instead of toltec
    ; and your own workgroup instead of METRAN
    netbios name = toltec
    workgroup = METRAN
    encrypt passwords = yes

    domain master = yes
    local master = yes
    preferred master = yes
    os level = 65

    security = user
    domain logons = yes

    ; logon path tells Samba where to put Windows NT/2000/XP roaming profiles
    logon path = \\%L\profiles\%u\%m
    logon script = logon.bat

    logon drive = H:
    ; logon home is used to specify home directory and
    ; Windows 95/98/Me roaming profile location
    logon home = \\%L\%u\.win_profile\%m

    time server = yes

    ; instead of jay, use the names of all users in the Windows NT/2000/XP
    ; Administrators group who log on to the domain
    domain admin group = root jay

    ; the below works on Red Hat Linux - other OSs might need a different command
    add user script = /usr/sbin/useradd -d /dev/null -g 100 -s /bin/false -M %u</pre></blockquote>

<p>And after the <tt class="literal">[global]</tt> section, add
these three new shares:</p>

<blockquote><pre class="code">[netlogon]
    path = /usr/local/samba/lib/netlogon
    writable = no
    browsable = no

[profiles]
    ; you might wish to use a different directory for your
    ; Windows NT/2000/XP roaming profiles
    path = /home/samba-ntprof
    browsable = no
    writable = yes
    create mask = 0600
    directory mask = 0700

[homes]
    read only = no
    browsable = no
    guest ok = no
    map archive = yes</pre></blockquote>

<p>Now for the explanation. If you are comparing this example to the configuration file presented in <a href="ch02.html">Chapter 2</a>, you will notice that the first three parameter settings are similar. We start out in the <tt class="literal">[global]</tt> section by setting the NetBIOS name of the Samba server. We are using the default, which is the DNS hostname, but are being explicit because the NetBIOS name is used in UNCs that appear later in <em class="filename">smb.conf</em>. The next two lines, setting the workgroup name and choosing to use encrypted passwords, are identical to our <em class="filename">smb.conf</em> file from <a href="ch02.html">Chapter 2</a>. However, things are now a little different: even though it still reads "workgroup", we are actually setting the name of the domain. For a workgroup, using encrypted passwords is optional; when using a domain, they are required.</p>

<p>The next four lines set up our Samba PDC to handle browsing services. The line <tt class="literal">domain</tt> <tt class="literal">master</tt> <tt class="literal">=</tt> <tt class="literal">yes</tt> causes Samba to be the domain master browser, which handles browsing services for the domain across multiple subnets if necessary.
Although it looks very similar, <tt class="literal">local</tt> <tt class="literal">master</tt> <tt class="literal">=</tt> <tt class="literal">yes</tt> does not cause Samba to be the master browser on the subnet, but merely tells it to participate in browser elections and allow itself to win. (These two lines are yet more default settings that we include to be clear.) The next two lines ensure that Samba wins the elections. Setting the <tt class="literal">preferred</tt> <tt class="literal">master</tt> parameter makes Samba force an election when it starts up. The <tt class="literal">os</tt> <tt class="literal">level</tt> parameter is set higher than that of any other system, which results in Samba winning that election. (At the time of this writing, an <tt class="literal">os</tt> level of 65 was sufficient to win over all versions of Windows—but make sure no other Samba server is set higher!) We make sure Samba is both the <a name="INDEX-21"/><a name="INDEX-22"/>domain and local master browser because Windows NT/2000 PDCs always reserve the domain master browser role for themselves and because Windows clients require things to be that way to find the primary domain controller. It is possible to allow another computer on the network to win the role of local master browser, but having the same server act as both domain and local masters is simpler and more efficient.</p>

<p>The next two lines in the <tt class="literal">[global]</tt> section set up Samba to handle the actual domain logons. We set <tt class="literal">security</tt> <tt class="literal">=</tt> <tt class="literal">user</tt> so that Samba will require a username and password. This is actually the same as in the workgroup setup we covered in <a href="ch01.html">Chapter 1</a> and <a href="ch02.html">Chapter 2</a> because it is the default.
The only reason we're including it explicitly is to avoid confusion: another valid setting is <tt class="literal">security</tt> <tt class="literal">=</tt> <tt class="literal">domain</tt>, but that is for having another (Windows or Samba) domain controller handle the logons and should never be found in the <em class="filename">smb.conf</em> of a Samba PDC. The next line, <tt class="literal">domain</tt> <tt class="literal">logons</tt> <tt class="literal">=</tt> <tt class="literal">yes</tt>, is what tells Samba we want this server to handle domain logons.</p>

<p>Defining a logon path is necessary for supporting <a name="INDEX-23"/><a name="INDEX-24"/>roaming profiles for Windows NT/2000/XP clients. The UNC <tt class="literal">\\%L\profiles\%u</tt> refers to a share held on the Samba server where the profiles are kept. The variables <tt class="literal">%L</tt> and <tt class="literal">%u</tt> are replaced by Samba with the name of the server and the username of the logged on user, respectively. The section in <em class="filename">smb.conf</em> defining the <tt class="literal">[profiles]</tt> share contains the definition of exactly where the profiles are kept on the server. We'll get back to this topic a bit later in this chapter.</p>

<p>The <tt class="literal">logon</tt> <tt class="literal">script</tt> <tt class="literal">=</tt> <tt class="literal">logon.bat</tt> line specifies the name of an MS-DOS batch file that will be executed when the client logs on to the domain. The path specified here is relative to the <tt class="literal">[netlogon]</tt> share that is defined later in the <em class="filename">smb.conf</em> file.</p>

<p>The settings of <tt class="literal">logon</tt> <tt class="literal">drive</tt> and <tt class="literal">logon</tt> <tt class="literal">home</tt> have a couple of purposes.
Setting <tt class="literal">logon</tt> <tt class="literal">drive</tt> <tt class="literal">=</tt> <tt class="literal">H:</tt> allows the home directory of the user to be connected to drive letter H on the client. The <tt class="literal">logon</tt> <tt class="literal">home</tt> parameter is set to the location of the home directory on the server, and again, <tt class="literal">%u</tt> is replaced at runtime by the logged on user's username. The home directory is used to store roaming profiles for Windows 95/98/Me clients. These parameters tie into the <tt class="literal">[homes]</tt> share that we are adding, as we will explain a bit later.</p>

<p>Setting <tt class="literal">time</tt> <tt class="literal">server</tt> <tt class="literal">=</tt> <tt class="literal">yes</tt> causes Samba to advertise itself as a <a name="INDEX-25"/>time service for the network. This is optional.</p>

<p>The <tt class="literal">domain</tt> <tt class="literal">admin</tt> <tt class="literal">group</tt> parameter exists as a short-term measure in Samba 2.2 to give Samba a list of users who have administrative privileges in the domain. The list should contain any Samba users who log on from Windows NT/2000/XP systems and are members of the Administrators or Domain Admins groups, if roaming profiles are to work correctly.</p>

<p>The last parameter to add to the <tt class="literal">[global]</tt> section is <tt class="literal">add</tt> <tt class="literal">user</tt> <tt class="literal">script</tt>, and you will need it only if one or more of your clients is a Windows NT/2000/XP system. We will tell you more about this in <a href="ch04.html#samba2-CHP-4-SECT-2">Section 4.2</a> later in this chapter.</p>

<p>The rest of the additions to <em class="filename">smb.conf</em> are the definitions for three <a name="INDEX-26"/><a name="INDEX-27"/>shares.
The <tt class="literal">[netlogon]</tt><a name="INDEX-28"/> share is necessary for Samba to handle domain logons because Windows clients need to connect to it during the logon process and will fail if the share does not exist. Other than that, the only function of <tt class="literal">[netlogon]</tt> is to be a repository for logon scripts and system-policy files, which we shall cover in detail later in this chapter. The path to a directory on the Samba server is given, and because the clients only read logon scripts and system-policy files from the share, the <tt class="literal">writable</tt> <tt class="literal">=</tt> <tt class="literal">no</tt> definition is used to make the share read-only. Users do not need to see the share, so we set <tt class="literal">browsable</tt> <tt class="literal">=</tt> <tt class="literal">no</tt> to make the share invisible.</p>

<p>The <tt class="literal">[profiles]</tt><a name="INDEX-29"/> share is needed for use with Windows NT/2000/XP roaming profiles. The path points to a directory on the Samba server where the profiles are kept, and in this case, the clients must be able to read and write the profile data. The <tt class="literal">create</tt> <tt class="literal">mask</tt> (read and write permitted for the owner only) and <tt class="literal">directory</tt> <tt class="literal">mask</tt> (read, write, and search permitted for the owner only) are set up such that a user's profile data can be read and written only by the user and not accessed or modified by anyone else.</p>

<p>The <tt class="literal">[homes]</tt><a name="INDEX-30"/> share is necessary for our definitions of <tt class="literal">logon</tt> <tt class="literal">drive</tt> and <tt class="literal">logon</tt> <tt class="literal">home</tt> to work.
Samba uses the <tt class="literal">[homes]</tt> share to add the home directory of the user (found in <em class="filename">/etc/passwd</em>) as a share. Instead of appearing as "homes", the share will be accessible on the client through a folder having the same name as the user's username. We will cover this topic in more detail in <a href="ch09.html">Chapter 9</a>.</p>

<p>At this point, you might want to run <em class="filename">testparm</em><a name="INDEX-31"/> to check your <em class="filename">smb.conf</em> file. <a name="INDEX-32"/><a name="INDEX-33"/></p>

</div>

<div class="sect2"><a name="samba2-CHP-4-SECT-1.2"/>

<h3 class="head2">Creating Directories on the Samba Server</h3>

<p><a name="INDEX-34"/><a name="INDEX-35"/>The <tt class="literal">[netlogon]</tt> and <tt class="literal">[profiles]</tt> shares defined in our new <em class="filename">smb.conf</em> file reference directories on the Samba server, and it is necessary to create those directories with the proper permissions:</p>

<blockquote><pre class="code"># <tt class="userinput"><b>mkdir /usr/local/samba/lib/netlogon</b></tt>
# <tt class="userinput"><b>chmod 775 /usr/local/samba/lib/netlogon</b></tt>
# <tt class="userinput"><b>mkdir /home/samba-ntprof</b></tt>
# <tt class="userinput"><b>chmod 777 /home/samba-ntprof</b></tt></pre></blockquote>

<p>The directory names we use are just examples.
You are free to choose your own.</p>

</div>

<div class="sect2"><a name="samba2-CHP-4-SECT-1.3"/>

<h3 class="head2">Restarting the Samba Server</h3>

<p><a name="INDEX-36"/>At this point, the only thing left to do is restart the Samba server, and the changes will be put into effect:</p>

<blockquote><pre class="code"># <tt class="userinput"><b>/etc/rc.d/init.d/smb restart</b></tt></pre></blockquote>

<p>(or use whatever method works on your system, as discussed in <a href="ch02.html">Chapter 2</a>.) The server is now ready to accept domain logons. <a name="INDEX-37"/></p>

</div>

</div>

<div class="sect1"><a name="samba2-CHP-4-SECT-2"/>

<h2 class="head1">Adding Computer Accounts</h2>

<p>To interact in a domain, a Windows NT/2000/XP system must be a member of the domain. <a name="INDEX-38"/>Domain membership is implemented using <em class="firstterm">computer accounts</em>,<a name="INDEX-39"/><a name="INDEX-40"/> which are similar to user accounts and allow a domain controller to keep information with which to authenticate computers on the network. That is, the domain controller must be able to tell if requests that arrive from a computer are coming from a computer that it "knows" as being part of the domain. Each Windows NT/2000/XP system in the domain has a computer account in the domain controllers' database, which on a Windows NT/2000 hosted domain is the <a name="INDEX-41"/>SAM database. Although Samba uses a different method (involving the <em class="filename">smbpasswd</em><a name="INDEX-42"/> file), it also treats computer accounts similarly to user accounts.</p>

<p>To create a computer account, an administrator configures a Windows NT/2000/XP system to be part of the domain.
For Samba 2.2, the "<a name="INDEX-43"/><a name="INDEX-44"/>domain administrator" is the <a name="INDEX-45"/><a name="INDEX-46"/>root account on the Samba server, and you will need to run the command:</p>

<blockquote><pre class="code"># <tt class="userinput"><b>smbpasswd -a root</b></tt></pre></blockquote>

<p>to add the root user to Samba's password database. In this case, do not provide <em class="filename">smbpasswd</em> with the same password as the actual root account on the server. Create a different password to be used solely for creating computer accounts. This will reduce the possibility of compromising the root password.</p>

<p>When the computer account is created, two things must happen on the Samba server. An entry is added to the <em class="filename">smbpasswd</em> file, with a "username" that is the NetBIOS name of the computer with a dollar sign (<tt class="literal">$</tt>) appended to it. This part is handled by the <em class="emphasis">smbpasswd</em> command, and you do not need to perform any additional action to implement it.</p>

<p>With Samba 2.2, an entry is also required in the <em class="filename">/etc/passwd</em> file<a name="FNPTR-2"/><a href="#FOOTNOTE-2">[2]</a> to give the computer account a user ID (UID) on the Samba server.</p>

<p>This account will never be used to log in to the Unix system, so it should not be given a valid home directory or login shell. To make this part work, you must set the <tt class="literal">add</tt> <tt class="literal">user</tt> <tt class="literal">script</tt> parameter in your Samba configuration file, using a command that adds the entry in the proper manner.
On our Red Hat Linux system, we set <tt class="literal">add</tt> <tt class="literal">user</tt> <tt class="literal">script</tt> to:</p>

<blockquote><pre class="code">/usr/sbin/useradd -d /dev/null -g 100 -s /bin/false -M %u</pre></blockquote>

<p>This command adds an entry in <em class="filename">/etc/passwd</em> similar to the following:</p>

<blockquote><pre class="code">aztec$:x:505:100::/dev/null:/bin/false</pre></blockquote>

<p>Again, notice that the username ends in a dollar sign. The user account shown has a "home directory" of <em class="filename">/dev/null</em>, a group ID (GID) of 100, and a "login shell" of <em class="filename">/bin/false</em>. The <em class="emphasis">-M</em> flag in our <em class="emphasis">useradd</em> command prevents it from creating the home directory. Samba replaces the <tt class="literal">%u</tt> variable in the <em class="emphasis">useradd</em> command with the NetBIOS name of the computer, including the trailing dollar sign. The basic idea here is to create an entry with a valid username and UID. These are the only parts that Samba uses. It is important that the UID be unique, not also used for other accounts—especially ones that are associated with Samba users.</p>

<p>If you are using some other variety of Unix, you will need to replace our <em class="emphasis">useradd</em> command with a command that performs the same function on your system. If a command such as <em class="emphasis">useradd</em> does not come with your system, you can write a shell script yourself that performs the same function. In any case, the command should add a password hash that does not correspond to any valid password.
For example, in the <em class="filename">/etc/shadow</em> file of our Linux server, we find the following two lines:</p>

<blockquote><pre class="code">jay:%1%zQ7j7ok8$D/IubyRAY5ovM3bTrpUCn1:11566:0:99999:7:::
zapotec$:!!:11625:0:99999:7:::</pre></blockquote>

<p>The first line is for <tt class="literal">jay</tt>'s user account. The second field is the password hash—the long string between the first and second colons. The second line is for the computer account of <tt class="literal">zapotec</tt>, a domain member server. Its "username" ends with a dollar sign (<tt class="literal">$</tt>), and the second field in this case has been set to "!!", which is an arbitrary string not produced from any password. Therefore, there is no valid password for this account on the Linux host. Just about any ASCII string can be used instead of "!!". For example, you could use "DISABLED" instead.</p>

<a name="samba2-CHP-4-NOTE-104"/><blockquote class="note"><h4 class="objtitle">TIP</h4>
<p>It is possible to <a name="INDEX-47"/><a name="INDEX-48"/><a name="INDEX-49"/><a name="INDEX-50"/>create the entries for <em class="filename">/etc/passwd</em> and <em class="filename">smbpasswd</em> manually; however, we suggest this method be used very carefully, and only for initial testing, or as a last resort. The reason for this is to maintain security. After the computer account has been created on the server, the next Windows NT/2000/XP system on the network with a matching NetBIOS name to log on to the domain will be associated with this account.
This allows crackers a window of opportunity to take over computer accounts for their own purposes.</p>
</blockquote>

</div>

<div class="sect1"><a name="samba2-CHP-4-SECT-3"/>

<h2 class="head1">Configuring Windows Clients for Domain Logons</h2>

<p><a name="INDEX-51"/>The client-side configuration for Windows clients is really simple. All you have to do is switch from workgroup to domain networking by enabling domain logons, and in the case of Windows NT/2000/XP, also provide the root password you gave <em class="filename">smbpasswd</em> for creating computer accounts. This results in the Windows NT/2000/XP system becoming a member of the domain.</p>

<div class="sect2"><a name="samba2-CHP-4-SECT-3.1"/>

<h3 class="head2">Windows 95/98/Me</h3>

<p><a name="INDEX-52"/><a name="INDEX-53"/>To enable domain logons with Windows 95/98/Me, open the Control Panel and double-click the Network icon. Then click Client for Microsoft Networks, and click the Properties button. At this point, you should see a dialog box similar to <a href="ch04.html#samba2-CHP-4-FIG-1">Figure 4-1</a>. Select the Logon to Windows Domain checkbox at the top of the dialog box, and enter the name of the domain as you have defined it with the <tt class="literal">workgroup</tt> parameter in the Samba configuration file. Then click OK, and reboot the machine when asked.</p>

<div class="figure"><a name="samba2-CHP-4-FIG-1"/><img src="figs/sam2_0401.gif"/></div><h4 class="head4">Figure 4-1. Configuring a Windows 95/98 client for domain logons</h4>
<a name="samba2-CHP-4-NOTE-105"/><blockquote class="note"><h4 class="objtitle">WARNING</h4>
<p>If <a name="INDEX-54"/>Windows complains that you are already logged into the domain, you probably have an active connection to a share in the workgroup (such as a mapped network drive).
Simply disconnect the resource temporarily by right-clicking its icon and choosing the Disconnect pop-up menu item.</p>
</blockquote>

<p>When Windows reboots, you should see the standard logon dialog with an addition: a field for a domain. The domain name should already be filled in, so simply enter your password and click the OK button. At this point, Windows should consult the primary domain controller (Samba) to see if the password is correct. (You can check the log files if you want to see this in action.) If it worked, congratulations! You have properly configured Samba to act as a domain controller for Windows 95/98/Me machines, and your client is successfully connected.</p>

</div>

<div class="sect2"><a name="samba2-CHP-4-SECT-3.2"/>

<h3 class="head2">User-Level Security for Windows 95/98/Me</h3>

<p><a name="INDEX-55"/><a name="INDEX-56"/><a name="INDEX-57"/>Now that you have a primary domain controller to authenticate users, you can implement much better security for shares that reside on Windows 95/98/Me systems.<a name="FNPTR-3"/><a href="#FOOTNOTE-3">[3]</a> To enable this functionality, open the Control Panel, double-click the Network icon, and click the Access Control tab in the dialog box. The window should now look like <a href="ch04.html#samba2-CHP-4-FIG-2">Figure 4-2</a>.</p>

<div class="figure"><a name="samba2-CHP-4-FIG-2"/><img src="figs/sam2_0402.gif"/></div><h4 class="head4">Figure 4-2. Setting user-level access control</h4>

<p>Click the User-level access control radio button, and type in the name of your domain in the text area. Click the OK button. If you get the dialog box shown in <a href="ch04.html#samba2-CHP-4-FIG-3">Figure 4-3</a>, it means that shares are already on the system.</p>

<div class="figure"><a name="samba2-CHP-4-FIG-3"/><img src="figs/sam2_0403.gif"/></div><h4 class="head4">Figure 4-3.
Error dialog while changing to user-level access control</h4>

<p>In that case, you might want to cancel the operation and make a record of each of the computer's shares, making it easier to re-create them, and then redo this part. (To get a list of shares, open an MS-DOS prompt window and run the <tt class="literal">net</tt> <tt class="literal">view</tt> <tt class="literal">\\</tt><em class="replaceable">computer_name</em> command.) Otherwise, you will get a message asking you to reboot to put the change in configuration into effect.</p>

<p>After rebooting, you can create shares with user-level access control. To do this, right-click the folder you wish to share, and select Sharing.... This will bring up the Shared Properties dialog box, shown in <a href="ch04.html#samba2-CHP-4-FIG-4">Figure 4-4</a>.</p>

<div class="figure"><a name="samba2-CHP-4-FIG-4"/><img src="figs/sam2_0404.gif"/></div><h4 class="head4">Figure 4-4. The Shared Properties dialog</h4>

<p>Click the Shared As: radio button, and give the share a name and comment. Then click the Add... button, and you will see the Add Users dialog box, shown in <a href="ch04.html#samba2-CHP-4-FIG-5">Figure 4-5</a>.</p>

<div class="figure"><a name="samba2-CHP-4-FIG-5"/><img src="figs/sam2_0405.gif"/></div><h4 class="head4">Figure 4-5. The Add Users dialog</h4>

<p>What has happened is that Windows has contacted the primary domain controller (in this case, Samba) and requested a list of domain users and groups. You can now select a user or group and add it to one or more of the three lists on the right-hand side of the window—for Read Only, Full Access, or Custom Control—by clicking the buttons in the middle of the window. When you are done, click the OK button.
If you added any users or groups to the Custom Control list, 629you will be presented with the Change Access Rights dialog box, shown 630in <a href="ch04.html#samba2-CHP-4-FIG-6">Figure 4-6</a>, in which you can specify the rights 631you wish to allow. Then click the OK button to close the dialog box.</p> 632 633<div class="figure"><a name="samba2-CHP-4-FIG-6"/><img src="figs/sam2_0406.gif"/></div><h4 class="head4">Figure 4-6. The Change Access Rights dialog</h4> 634 635<p>You are now returned to the Shared Properties dialog box, where you 636will see the Name: and Access Rights: columns filled in with the 637permissions that you just created. Click the OK button to finalize 638the process. Remember, you will have to perform these actions on any 639folders that you had previously shared using share-level security. 640<a name="INDEX-58"/><a name="INDEX-59"/></p> 641 642 643</div> 644 645 646<div class="sect2"><a name="samba2-CHP-4-SECT-3.3"/> 647 648<h3 class="head2">Windows NT 4.0</h3> 649 650<p><a name="INDEX-60"/><a name="INDEX-61"/>To 651configure Windows NT for domain logons, log in to the computer as 652Administrator or another user in the Administrators group, open the 653Control Panel, and double-click the Network icon. If it 654isn't already selected, click on the Network 655Identification tab.</p> 656 657<p>Click the Change... button, and you should see the dialog box shown 658in <a href="ch04.html#samba2-CHP-4-FIG-7">Figure 4-7</a>. In this dialog box, you can choose 659to have the Windows NT client become a member of the domain by 660clicking the checkbox marked Domain: in the Member of box. Then type 661in the name of the domain to which you wish the client to log on; it 662should be the same as the one you specified using the 663<tt class="literal">workgroup</tt> parameter in the Samba configuration 664file. Click the checkbox marked Create a Computer Account in the 665Domain, and fill in "root" for the 666text area labeled User Name:. 
In the Password: text area, fill in the
root password you gave <em class="emphasis">smbpasswd</em> for creating
computer accounts.</p>

<div class="figure"><a name="samba2-CHP-4-FIG-7"/><img src="figs/sam2_0407.gif"/></div><h4 class="head4">Figure 4-7. Configuring a Windows NT client for domain logons</h4>
<a name="samba2-CHP-4-NOTE-106"/><blockquote class="note"><h4 class="objtitle">WARNING</h4>
<p>If Windows complains that you are already logged in, you probably
have an active connection to a share in the workgroup (such as a
mapped network drive). Disconnect the resource temporarily by
right-clicking its icon and choosing the Disconnect pop-up menu item.</p>
</blockquote>

<p>After you press the OK button, Windows should present you with a
small dialog box welcoming you to the domain. Click the Close button
in the Network dialog box, and reboot the computer as requested. When
the system comes up again, the machine will automatically present you
with a logon screen similar to the one for Windows 95/98/Me clients,
except that the domain text area has a drop-down menu so that you can
opt to log on to either the local system or the domain. Make sure
your domain is selected, and log on to the domain using any
Samba-enabled user account on the Samba server.</p>
<a name="samba2-CHP-4-NOTE-107"/><blockquote class="note"><h4 class="objtitle">WARNING</h4>
<p>Be sure to select the correct domain in the Windows NT logon dialog
box. Once it is selected, it might take a moment for Windows NT to
build the list of available domains.</p>
</blockquote>

<p>After you enter the password, Windows NT should consult the primary
domain controller (Samba) to see if the password is correct. Again,
you can check the log files if you want to see this in action. If it
worked, you have successfully configured Samba to act as a domain
controller for Windows NT machines.
<a name="INDEX-62"/><a name="INDEX-63"/></p>

</div>

<div class="sect2"><a name="samba2-CHP-4-SECT-3.4"/>

<h3 class="head2">Windows 2000</h3>

<p><a name="INDEX-64"/><a name="INDEX-65"/>To
configure Windows 2000 for domain logons, log in to the computer as
Administrator or another user in the Administrators group, open the
Control Panel, and double-click the System icon to open the System
Properties dialog box. Click the Network Identification tab, and then
click the Properties button. You should now see the Identification
Changes dialog box shown in <a href="ch04.html#samba2-CHP-4-FIG-8">Figure 4-8</a>.</p>

<div class="figure"><a name="samba2-CHP-4-FIG-8"/><img src="figs/sam2_0408.gif"/></div><h4 class="head4">Figure 4-8. The Identification Changes dialog</h4>

<p>Click the radio button labeled
"Domain:" and fill in the name of
your domain in the text-entry area. Then click the OK button. This
will bring up the Domain Username and Password dialog box. Enter
"root" for the username. For the
password, use the password that you gave to
<em class="emphasis">smbpasswd</em> for the root account.</p>
<a name="samba2-CHP-4-NOTE-108"/><blockquote class="note"><h4 class="objtitle">WARNING</h4>
<p>If Windows complains that you are already logged in, you probably
have an active connection to a share in the workgroup (such as a
mapped network drive). Disconnect the resource temporarily by
right-clicking its icon and choosing the Disconnect pop-up menu item.</p>
</blockquote>

<p>After you press the OK button, Windows should present you with a
small dialog box welcoming you to the domain. When you click the OK
button in this dialog box, you will be told that you need to reboot
the computer. Click the OK button in the System Properties dialog
box, and reboot the computer as requested.
When the system comes up
again, the machine will automatically present you with a Log On to
Windows dialog box similar to the one shown in <a href="ch04.html#samba2-CHP-4-FIG-9">Figure 4-9</a>.</p>

<div class="figure"><a name="samba2-CHP-4-FIG-9"/><img src="figs/sam2_0409.gif"/></div><h4 class="head4">Figure 4-9. The Windows 2000 logon window</h4>

<p>If you do not see the Log on to: drop-down menu, click the Options
&lt;&lt; button and it will appear. Select your domain, rather than
the local computer, from the menu.</p>
<a name="samba2-CHP-4-NOTE-109"/><blockquote class="note"><h4 class="objtitle">WARNING</h4>
<p>Be sure to select the correct domain in the logon dialog box. Once it
is selected, it might take a moment for Windows to build the list of
available domains.</p>
</blockquote>

<p>Enter the username and password of any Samba-enabled user in the User
name: and Password: fields, and either press the Enter key or click
the OK button. If it worked, your Windows session will start up with
no error dialogs. <a name="INDEX-66"/><a name="INDEX-67"/></p>

</div>

<div class="sect2"><a name="samba2-CHP-4-SECT-3.5"/>

<h3 class="head2">Windows XP Home</h3>

<p><a name="INDEX-68"/>You have our
condolences if you are trying to use the Home edition of Windows XP
in a domain environment! Microsoft has omitted support for Windows NT
domains from Windows XP Home, resulting in a product that is
ill-suited for use in a domain-based network.</p>

<p>On the client side, Windows XP Home users cannot log on to a Windows
NT domain. Although it is still possible to access domain resources,
a username and password must be supplied each time the user connects
to a resource, rather than the "single
signon" of a domain logon. Domain features such as
logon scripts and roaming profiles are not supported.</p>

<p>As a server, Windows XP Home cannot join a Windows NT domain as a
domain member server. It can serve files and printers, but only using
share-mode ("workgroup") security.
It can't even use user-mode security, as Windows
95/98/Me can.</p>

<p>Considering these limitations, we do not recommend Windows XP Home
for any kind of local area network computing.</p>

</div>

<div class="sect2"><a name="samba2-CHP-4-SECT-3.6"/>

<h3 class="head2">Windows XP Professional</h3>

<p><a name="INDEX-69"/><a name="INDEX-70"/>To configure Windows XP
Professional for domain logons, log in to the computer as
Administrator or another user in the Administrators group, open the
Control Panel in Classic View, and double-click the System icon to
open the System Properties dialog box. Click the Computer Name tab
and then click the Change... button. You should now see the Computer
Name Changes dialog box shown in <a href="ch04.html#samba2-CHP-4-FIG-10">Figure 4-10</a>.</p>

<div class="figure"><a name="samba2-CHP-4-FIG-10"/><img src="figs/sam2_0410.gif"/></div><h4 class="head4">Figure 4-10. The Computer Name Changes dialog</h4>

<p>Click the radio button labeled
"Domain:", and fill in the name of
your domain in the text-entry area. Then click the OK button. This
will bring up the Domain Username and Password dialog box. Enter
"root" for the username. For the
password, use the password that you gave to
<em class="emphasis">smbpasswd</em> for the root account.</p>
<a name="samba2-CHP-4-NOTE-110"/><blockquote class="note"><h4 class="objtitle">WARNING</h4>
<p>If Windows complains that you are already logged in, you probably
have an active connection to a share in the workgroup (such as a
mapped network drive). Disconnect the resource temporarily by
right-clicking its icon and choosing the Disconnect pop-up menu item.</p>
</blockquote>

<p>After you press the OK button, Windows should present you with a
small dialog box welcoming you to the domain. When you click the OK
button in this dialog box, you will be told that you need to reboot
the computer to put the changes into effect. Click the OK buttons in
the dialog boxes to close them, and reboot the computer as requested.
When the system comes up again, the machine will automatically
present you with a Log On to Windows dialog box similar to the one
shown in <a href="ch04.html#samba2-CHP-4-FIG-11">Figure 4-11</a>.</p>

<div class="figure"><a name="samba2-CHP-4-FIG-11"/><img src="figs/sam2_0411.gif"/></div><h4 class="head4">Figure 4-11. The Windows XP logon window</h4>

<p>If you get a dialog box at this point that tells you the domain
controller cannot be found, the solution is to change a registry
setting as follows.</p>

<p>Open the Start Menu and click the Run... menu item. In the text area
in the dialog box that opens, type in
"regedit" and click the OK button
to start the Registry Editor. You will be editing the registry, so
follow the rest of the directions very carefully. Click the
"<tt class="literal">+</tt>" button next
to the HKEY_LOCAL_MACHINE folder, and in the contents that open up,
click the "<tt class="literal">+</tt>"
button next to the SYSTEM folder. Continue in the same manner to open
CurrentControlSet, then Services, then Netlogon. (You will have to
scroll down many times to find Netlogon in the list of services.)
Then click the Parameters folder, and you will see items appear in
the right side of the window. Double-click
"requiresignorseal", and a dialog
box will open.
In the Value data: text area, change the
"1" to a
"0" (zero), and click the OK
button, which modifies the registry both in memory and on disk. This
value controls whether the client insists on a signed or sealed
Netlogon secure channel to its domain controller; setting it to 0
lets the client accept a secure channel without signing or sealing,
which is what Samba 2.2 provides. Now close the Registry Editor and
log off and back on again.</p>

<p>If you do not see the Log on to: drop-down menu, click the Options
&lt;&lt; button and it will appear. Select your domain from the menu,
rather than the local computer.</p>
<a name="samba2-CHP-4-NOTE-111"/><blockquote class="note"><h4 class="objtitle">WARNING</h4>
<p>Be sure to select the correct domain in the logon dialog box. Once it
is selected, it might take a moment for Windows to build the list of
available domains.</p>
</blockquote>

<p>Enter the username and password of any Samba-enabled user in the User
name: and Password: fields, and either press the Enter key or click
the OK button. If it worked, your Windows session will start up with
no error dialogs. <a name="INDEX-71"/> <a name="INDEX-72"/><a name="INDEX-73"/></p>

</div>

</div>

<div class="sect1"><a name="samba2-CHP-4-SECT-4"/>

<h2 class="head1">Logon Scripts</h2>

<p><a name="INDEX-74"/>After a Windows client connects with a
domain controller (either to authenticate a user, in the case of
Windows 95/98/Me, or to log on to the domain, in the case of Windows
NT/2000/XP), the client downloads an MS-DOS batch file to run. The
domain controller supplies the file assuming one has been made
available for it. This batch file is the logon script and is useful
in setting up an initial environment for the user.</p>

<p>In a Unix environment, the ability to run such a script might lead to
a very complex initialization and deep customization. However, the
Windows environment is mainly oriented to the GUI, and the
command-line functions are more limited. Most commonly, the logon
script is used to run a <em class="emphasis">net</em> command, such as
<em class="emphasis">net use</em><a name="INDEX-75"/>, to connect a network drive letter,
like this:</p>

<blockquote><pre class="code">net use T: \\toltec\test</pre></blockquote>

<p>This command will make our <tt class="literal">[test]</tt> share (from
<a href="ch02.html">Chapter 2</a>) show up as the T: drive in My Computer.
This will happen automatically, and T: will be available to the user
at the beginning of her session, instead of requiring her to run the
<em class="emphasis">net use</em> command or connect the T: drive using
the Map Network Drive function of Windows Explorer.</p>

<p>Another useful command is:</p>

<blockquote><pre class="code">net use H: /home</pre></blockquote>

<p>which <a name="INDEX-76"/><a name="INDEX-77"/>connects the
user's home directory to a drive letter (which can
be H:, as shown here, or some other letter, as defined by
<tt class="literal">logon</tt> <tt class="literal">drive</tt>). For this to work,
you must have a <tt class="literal">[homes]</tt> share defined in your
<em class="filename">smb.conf</em> file.</p>

<p>If you are using <a name="INDEX-78"/><a name="INDEX-79"/>roaming profiles, you should definitely
have:</p>

<a name="INDEX-80"/><blockquote><pre class="code">net time \\<em class="replaceable">toltec</em> /set /yes</pre></blockquote>

<p>in your logon script. (As usual, replace
"toltec" with the name of your
Samba PDC.)
This will make sure the clocks of the Windows clients are
synchronized with the PDC, which is important for roaming profiles to
work correctly.</p>

<div class="sect2"><a name="samba2-CHP-4-SECT-4.1"/>

<h3 class="head2">Creating a Logon Script</h3>

<p><a name="INDEX-81"/>In our
<em class="filename">smb.conf</em> file, we have the line:</p>

<a name="INDEX-82"/><blockquote><pre class="code">logon script = logon.bat</pre></blockquote>

<p>This defines the location and name of the logon script batch file on
the Samba server. The path is relative to the
<tt class="literal">[netlogon]</tt><a name="INDEX-83"/> share, defined later in the
file like this:</p>

<blockquote><pre class="code">[netlogon]
    path = /usr/local/samba/lib/netlogon
    writable = no
    browsable = no</pre></blockquote>

<p>With this example, the logon script is
<em class="filename">/usr/local/samba/lib/netlogon/logon.bat</em>. We
include the directives <tt class="literal">writable</tt>
<tt class="literal">=</tt> <tt class="literal">no</tt>, to make sure network
clients cannot change anything in the <tt class="literal">[netlogon]</tt>
share, and also <tt class="literal">browsable</tt> <tt class="literal">=</tt>
<tt class="literal">no</tt>, which keeps them from even seeing the share
when they browse the contents of the server. Nothing in
<tt class="literal">[netlogon]</tt> should ever be modified by
nonadministrative users. Also, the permissions on the directory for
<tt class="literal">[netlogon]</tt> should be set appropriately (no write
permissions for "other" users), as
we showed you earlier in this chapter.</p>

<p>Notice also that the extension of our logon script is
<em class="filename">.bat</em><a name="INDEX-84"/>. Be careful about this—an extension
of <em class="filename">.cmd</em><a name="INDEX-85"/> will work for Windows NT/2000/XP clients,
but will result in errors for Windows 95/98/Me clients, which do not
recognize <em class="filename">.cmd</em> as an extension for batch files.</p>

<p>Because the logon script will be executed on a Windows system, it
must be in MS-DOS text-file format, with the end of line composed of
a carriage return followed by a linefeed. The Unix convention is a
newline, which is simply a linefeed character, so if you use a Unix
text editor to create your logon script, you must somehow make it use
the appropriate characters. With
<em class="emphasis">vim</em><a name="INDEX-86"/><a name="INDEX-87"/> (a clone of the <em class="emphasis">vi</em>
editor that is distributed with Red Hat Linux), the method is to
create a new file and use the command:</p>

<blockquote><pre class="code">:se ff=dos</pre></blockquote>

<p>to set the file format to MS-DOS style before typing in any text.
With <em class="emphasis">emacs</em><a name="INDEX-88"/>, the same can be done using the command:</p>

<blockquote><pre class="code">^X <em class="replaceable">Enter</em> f dos <em class="replaceable">Enter</em></pre></blockquote>

<p>where <tt class="literal">^X</tt> is a Control-X character and
<tt class="literal">Enter</tt> is a press of the Enter key. Another method
is to create a Unix-format file in any text editor and then convert
it to MS-DOS format using the
<em class="emphasis">unix2dos</em><a name="INDEX-89"/> program:</p>

<blockquote><pre class="code">$ <tt class="userinput"><b>unix2dos unix_file &gt;logon.bat</b></tt></pre></blockquote>

<p>If your system does not have <em class="emphasis">unix2dos</em>,
don't worry. You can implement it yourself with the
following two-line Perl script:</p>

<blockquote><pre class="code">#!/usr/bin/perl
# Read the file named on the command line and print it with CRLF line endings.
open FILE, '&lt;', $ARGV[0] or die "cannot open $ARGV[0]: $!";
while (&lt;FILE&gt;) { s/\r?\n?\z/\r\n/; print }</pre></blockquote>

<p>Or, you can use Notepad on a Windows system to write your script and
then drag the logon script over to a folder on the Samba server. In
any case, you can <a name="INDEX-90"/>check the format of your script using
the <em class="emphasis">od</em><a name="INDEX-91"/> command, like this:</p>

<blockquote><pre class="code">$ <tt class="userinput"><b>od -c logon.bat</b></tt></pre></blockquote>

<p>You should see output resembling this:</p>

<blockquote><pre class="code">0000000   n   e   t       u   s   e       T   :       \   \   t   o   l
0000020   t   e   c   \   t   e   s   t  \r  \n
0000032</pre></blockquote>

<p>The important detail here is that at the end of each line is a
<tt class="literal">\r</tt> <tt class="literal">\n</tt>, which is a carriage
return followed by a linefeed.</p>

<p>Our example logon script, containing a single <em class="emphasis">net
use</em> command, was created and set up in a way that allows
it to be run successfully on any Windows client, regardless of which
Windows version is installed on the client and which user is
authenticating or logging on to the domain. But what if we need to
have different users, computers, or Windows versions running
different logon scripts?</p>

<p>One method is to use variables inside the <a name="INDEX-92"/>logon script that cause commands to be
conditionally executed. For details on how to do this, you can
consult a reference on batch-file programming for MS-DOS and Windows
NT command language. One such reference is <em class="citetitle">Windows NT
System Administration</em>, published by
O'Reilly.</p>

<p>Windows batch-command language is very limited in functionality.
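</p>

<p>The checks described above (CRLF line endings, a <tt class="literal">.bat</tt> rather than a
<tt class="literal">.cmd</tt> extension, and a <tt class="literal">[netlogon]</tt> tree that
nonadministrative users cannot write to) can be automated on the Samba server. The
following Python script is an added example; it is not code from the book or from the
Samba project. It builds a small constructed <tt class="literal">[netlogon]</tt> tree in a
temporary directory so it runs anywhere, and the function names
(<tt class="literal">to_dos</tt>, <tt class="literal">audit_netlogon</tt>,
<tt class="literal">fix_script</tt>) are ours. Unlike the one-line
<tt class="literal">s/$/\r/</tt> approach, its conversion is idempotent: a script that is
already in MS-DOS format is left alone rather than gaining a second carriage return.</p>

```python
"""Check and fix logon scripts in a Samba [netlogon] directory.

Added example, not from the book or from Samba.  It assumes the layout
the chapter describes: scripts live under the [netlogon] path, Windows
clients need CRLF line endings, and Windows 95/98/Me needs a .bat suffix.
"""
from __future__ import annotations

import stat
import tempfile
from pathlib import Path


def to_dos(text: str) -> str:
    """Convert any line endings (LF, CR or CRLF) to CRLF.

    Normalising to LF first makes the function idempotent, so running it
    on a file that is already in MS-DOS format changes nothing.
    """
    unix = text.replace("\r\n", "\n").replace("\r", "\n")
    return unix.replace("\n", "\r\n")


def line_ending_report(data: bytes) -> dict:
    """Count line terminators; this is what `od -c logon.bat` lets you eyeball."""
    crlf = data.count(b"\r\n")
    bare_lf = data.count(b"\n") - crlf
    return {"crlf": crlf, "bare_lf": bare_lf,
            "ends_with_newline": data.endswith(b"\n")}


def audit_netlogon(root: Path) -> list[str]:
    """Return the problems found in a [netlogon] tree (empty list means clean).

    Flags: anything writable by group or other (the chapter requires no write
    access for "other"; group write is reported as well, since every member of
    that group could then alter what clients execute at logon), scripts with
    the .cmd extension that Windows 95/98/Me cannot run, and scripts whose
    lines end in a bare LF.
    """
    problems: list[str] = []
    for path in [root, *sorted(root.rglob("*"))]:
        mode = path.stat().st_mode
        if mode & (stat.S_IWGRP | stat.S_IWOTH):
            problems.append(f"{path}: writable by group or other")
        if not path.is_file():
            continue
        if path.suffix.lower() == ".cmd":
            problems.append(f"{path}: .cmd is not a batch file on Windows 95/98/Me")
        report = line_ending_report(path.read_bytes())
        if report["bare_lf"]:
            problems.append(f"{path}: {report['bare_lf']} line(s) end in LF only")
    return problems


def fix_script(path: Path) -> None:
    """Rewrite a script with CRLF endings and mode 0644 (read-only for clients)."""
    # latin-1 round-trips any byte value, so non-ASCII text survives unchanged.
    text = path.read_bytes().decode("latin-1")
    path.write_bytes(to_dos(text).encode("latin-1"))
    path.chmod(0o644)


def demo() -> dict:
    """Build a constructed [netlogon] tree, audit it, fix it, and audit again."""
    root = Path(tempfile.mkdtemp(prefix="netlogon-"))
    root.chmod(0o755)
    script = root / "logon.bat"
    # Constructed sample input: the chapter's two commands as a Unix editor
    # would save them (bare LF endings), left world-writable by mistake.
    script.write_bytes(b"net time \\\\toltec /set /yes\nnet use T: \\\\toltec\\test\n")
    script.chmod(0o666)
    before = audit_netlogon(root)
    fix_script(script)
    after = audit_netlogon(root)
    return {"before": before, "after": after,
            "report": line_ending_report(script.read_bytes())}


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

<p>Against a real share, call <tt class="literal">audit_netlogon(Path("/usr/local/samba/lib/netlogon"))</tt>
(or whatever <tt class="literal">path</tt> your <tt class="literal">[netlogon]</tt> share uses) and
review the list before running <tt class="literal">fix_script</tt> on anything it reports.</p>

<p>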
Fortunately, Samba also supports a means by which customization can
be handled. The
<em class="filename">smb.conf</em><a name="INDEX-93"/><a name="INDEX-94"/> file contains variables that can be
used to insert (at runtime) the name of the server
(<tt class="literal">%L</tt><a name="INDEX-95"/>), the username of the person who is
accessing the server's resources
(<tt class="literal">%u</tt><a name="INDEX-96"/>), or the computer name of the client
system (<tt class="literal">%m</tt><a name="INDEX-97"/>). To give an example, if we set up the
path to the logon script as:</p>

<blockquote><pre class="code">logon script = %u/logon.bat</pre></blockquote>

<p>we would then put a directory for each user in the
<tt class="literal">[netlogon]</tt> share, with each directory named the
same as the user's username, and in each directory
we would put a customized <em class="filename">logon.bat</em> file. Then
each user would have his own custom logon script. We will give you a
better example of how to do this kind of thing in the next section,
<a href="ch04.html#samba2-CHP-4-SECT-5">Section 4.5</a>.</p>

<a name="samba2-CHP-4-NOTE-112"/><blockquote class="note"><h4 class="objtitle">TIP</h4>
<p>For more information on Samba configuration file variables, such as
the <tt class="literal">%L</tt>, <tt class="literal">%u</tt>, and
<tt class="literal">%m</tt> variables we just used, see <a href="ch06.html">Chapter 6</a> and <a href="appb.html">Appendix B</a>.</p>
</blockquote>

<p>When modifying and testing your logon script, don't
just log off of your Windows session and log back on to make your
script run. Instead, restart (reboot) your system before logging back
on. Because Windows often keeps the <tt class="literal">[netlogon]</tt>
share open across logon sessions, the reboot ensures that Windows and
Samba have completely released and reconnected the
<tt class="literal">[netlogon]</tt> share, and the new version of the logon
script is being run while logging on.</p>

<p>More information regarding <a name="INDEX-98"/>logon scripts can be found in the
O'Reilly book, <em class="emphasis">Managing Windows NT
Logons</em>. <a name="INDEX-99"/> <a name="INDEX-100"/><a name="INDEX-101"/></p>

</div>

</div>

<div class="sect1"><a name="samba2-CHP-4-SECT-5"/>

<h2 class="head1">Roaming Profiles</h2>

<p><a name="INDEX-102"/>One benefit of the centralized
authentication of Windows NT domains is that a user
<a name="INDEX-103"/>can log on from more than just one
computer. To help users feel more "at
home" when logged on at a computer other than their
usual one, Microsoft has added the ability for
users' personal settings to
"roam" from one computer to
another.</p>

<p>All Windows versions can be configured individually for each user of
the computer. Windows NT/2000/XP supports the ability to handle
multiple user accounts, and Windows 95/98/Me can be configured for
use by multiple users, keeping the configuration settings for each
user separate. Each user can configure the
computer's settings to her liking, and the system
saves these settings as the user's
<em class="firstterm">profile</em>, such that upon logging on to the
system, the user is presented with her familiar desktop.</p>

<p>Some of the settings, such as folder options or the image used for
the desktop background, are held in the registry.
Others, including
the documents and folders appearing on the desktop and the contents
of the Start menu, are stored as folders and files in the filesystem.</p>

<p>When the profile is stored on the local system, it is called a
<em class="firstterm">local profile</em><a name="INDEX-104"/>. On Windows NT, local profiles are
stored in <em class="filename">C:\winnt\profiles</em>. On Windows 2000/XP,
they can be found in <em class="filename">C:\Documents and Settings</em>.
On Windows 95/98/Me, when configured for a single user
(the default case), the local profile is scattered in places such as
the registry and directories such as
<em class="filename">C:\Windows\Desktop</em> and
<em class="filename">C:\Windows\Start Menu</em>. When Windows 95/98/Me is
configured for multiple users, the local profile of the preexisting
user is moved to a folder in <em class="filename">C:\Windows\Profiles</em>
that has the same name as the user, and any users that are
subsequently added to the computer have their local profiles created
in that directory as well. You can browse through the local profiles
to see their structure—each has a <a name="INDEX-105"/><a name="INDEX-106"/><a name="INDEX-107"/><a name="INDEX-108"/><a name="INDEX-109"/>registry file
(<em class="filename">USER.DAT</em><a name="INDEX-110"/><a name="INDEX-111"/> for Windows 95/98/Me and
<em class="filename">NTUSER.DAT</em><a name="INDEX-112"/><a name="INDEX-113"/> for Windows NT/2000/XP) and some folders
that contain shortcuts and documents.</p>

<p>A roaming profile is a user profile that is stored on a server and
"follows" its owner around the
network so that when the user logs on to the domain from another
computer, his profile is downloaded from the server and his familiar
desktop appears on that computer as well.</p>
<a name="samba2-CHP-4-NOTE-113"/><blockquote class="note"><h4 class="objtitle">WARNING</h4>
<p><a name="INDEX-114"/>Samba can
support roaming profiles, and it is a fairly simple matter to
configure it for them. However, this is one feature that we recommend
you <em class="emphasis">do not</em> use, at least until you are sure you
understand roaming profiles well and are very confident that you can
implement them with no harm incurred. If you want to (or are required
to) implement roaming profiles for your Windows clients, we suggest
you first set up a small domain with a Samba server and a few Windows
clients exclusively for the purposes of research and testing.
<em class="emphasis">Under no circumstances should you attempt to implement
roaming profiles in a careless or frivolous manner</em>.</p>
</blockquote>

<div class="sect2"><a name="samba2-CHP-4-SECT-5.1"/>

<h3 class="head2">How Roaming Profiles work</h3>

<p><a name="INDEX-115"/>We will start out by explaining to you
how roaming profiles work when set up correctly. You will need a
clear understanding of them to tell the difference between when they
are working as they are designed and when they are not. In addition,
roaming profiles can be a source of confusion for your users in many
ways, and you should know how to detect when a problem with a client
is related to roaming profile function or dysfunction.</p>

<a name="samba2-CHP-4-NOTE-114"/><blockquote class="note"><h4 class="objtitle">TIP</h4>
<p><a name="INDEX-116"/>A definitive source of
documentation on Windows NT roaming profiles is the Microsoft white
paper <em class="citetitle">Implementing Policies and Profiles for Windows NT
4.0</em><a name="INDEX-117"/>, which can be found at
<a href="http://www.microsoft.com/ntserver/techresources/management/prof_policies.asp">http://www.microsoft.com/ntserver/techresources/management/prof_policies.asp</a>.</p>
</blockquote>

<p>During the domain logon process, the roaming profile is copied from
the domain controller and used as a local profile during the
user's logon session. When the user logs off the
domain, the local profile is copied back to the domain controller and
stored as the new roaming profile. When the local profile is changed,
the server does not receive an update until the user logs off the
domain or shuts down or reboots the client. The client does not send
an update to the server during the logon session, and a client does
not receive an update of a setting changed on another client during a
logon session. When the user does log off, changes in the
configuration settings in the local profile are sent to the server,
and the updates of the roaming profile are available for the next
logon session.</p>

<p>This simple behavior can lead to unexpected results when users are
<a name="INDEX-118"/>logged on to the domain
on more than one client at a time.
If a user makes a change to the 1183configuration settings on one client and then logs off, the settings 1184can result in the roaming profile being modified accordingly. But the 1185next client that logs off might cause those changes to be 1186overwritten, and if so, the settings from the first client will be 1187lost. The behavior of different Windows versions varies with regard 1188to this, and we've seen a wide variety of 1189behaviors—not always in alignment with 1190Microsoft's documentation or even working the same 1191way on separate occasions. Sometimes Windows will refuse to overwrite 1192a profile, perhaps giving an "access 1193denied" error, and at other times it will seem to 1194work while producing odd side effects. A common source of confusion 1195is what happens if a file is added to or deleted from the desktop, 1196which is by default configured to be part of the profile. A deleted 1197file might later reappear, and it is even possible for a file to 1198irrecoverably disappear without warning (on Windows 95/98). Or maybe 1199a file that is added to the desktop on one client never gets added to 1200the roaming profile and fails to propagate to other clients. This 1201behavior is somewhat improved on Windows 2000/XP, which attempts to 1202merge items into the profile that are added on concurrently logged-on 1203clients.</p> 1204 1205<p>One factor that comes into play is that Windows compares the 1206<a name="INDEX-119"/>timestamps of the local and roaming 1207profiles and can refuse to overwrite a roaming profile if it is newer 1208than the local profile on the client, or vice versa. For this reason, 1209it is important to keep the clocks of the Windows clients and the 1210Samba PDC synchronized. 
We have already shown you how to do this, 1211using the <em class="emphasis">net time 1212\\</em><em class="replaceable">server</em> 1213<em class="emphasis">/set</em> <em class="emphasis">/yes</em> command in the 1214logon script.</p> 1215 1216<p><a name="INDEX-120"/>Even when the server and clients are 1217correctly configured, a number of things that can happen make things 1218seem "broken." The most common 1219occurrence is that some shortcuts on clients other than the one that 1220created the roaming profile will not work. These shortcuts can exist 1221on the desktop or as items in the Start menu. This behavior is a 1222result of applications or files that exist on one computer but not 1223others. Windows will display these shortcuts, but if they appear on 1224the desktop, they will have a generic icon and will bring up an error 1225message if a user double-clicks them.</p> 1226 1227<a name="samba2-CHP-4-NOTE-115"/><blockquote class="note"><h4 class="objtitle">TIP</h4> 1228<p>Because profiles can and usually do include the contents of the 1229desktop and other folders, it is possible for the roaming profile to 1230grow to a huge size due to actions of a user, such as creating new 1231files on the desktop or copying files there. By default, Internet 1232Explorer keeps its disk cache in the <em class="filename">Temporary Internet 1233Files</em><a name="INDEX-121"/><a name="INDEX-122"/> folder in the profile and has been 1234known to populate this directory with thousands of files. This can 1235result in a huge roaming profile that causes network congestion and 1236very large delays while users are logging on to the domain. 
(A fix
for this can be found in article Q185255 in the Microsoft Knowledge
Base.)</p>
</blockquote>

<p>One behavior we've seen a few times is that if, for
some reason (e.g., a network error or misconfiguration), the roaming
profile is not available during the logon process, Windows will use
the local profile on the client instead. When this happens, the user
might receive an unfamiliar profile, and all the benefits of roaming
profiles are lost for that logon session.</p>


</div>


<div class="sect2"><a name="samba2-CHP-4-SECT-5.2"/>

<h3 class="head2">Configuring Samba for Roaming Profiles</h3>

<p><a name="INDEX-123"/><a name="INDEX-124"/>In an ideal world, different Windows
versions would share the same roaming profile, allowing users to log
on to the domain from any Windows client system, ranging from Windows
95 to Windows XP, and enjoy their familiar settings. It would even be
possible to be logged on concurrently from multiple clients, and a
change made to the profile on any of them would quickly propagate to
all the others. Settings in a roaming profile made on a client that
didn't apply to another would be handled sanely.</p>

<p>Unfortunately, this scenario does not work in reality, and it is
important to maintain separate roaming profiles to prevent different
Windows versions from using or modifying a roaming profile created
by, and/or in use by, another version.</p>

<p>We do this by using configuration file variables to point to
different profile directories. If you look at <a href="appb.html#samba2-APP-B-TABLE-1">Table B-1</a> in <a href="appb.html#samba2-APP-B">Appendix B</a>, which shows
the variables that can be used, you might be tempted to use the
<a name="INDEX-125"/><tt class="literal">%a</tt> variable, which
is replaced by the name of the operating system the client is
running.
However, this does not work because all of Windows 95/98/Me 1276will be seen as the same operating system, and likewise for Windows 12772000/XP. So, we use <a name="INDEX-126"/><tt class="literal">%m</tt> to get the 1278NetBIOS name of the client, and combine that with a symbolic link to 1279point to the directory containing the profile for the Windows version 1280that particular client is running.</p> 1281 1282<p>Our additions to <em class="filename">smb.conf</em> that appeared earlier 1283in this chapter included the two lines:</p> 1284 1285<blockquote><pre class="code">logon path = \\%L\profiles\%u\%m 1286logon home = \\%L\%u\.win_profile\%m</pre></blockquote> 1287 1288<p>The first line specifies where the roaming profiles for Windows 1289NT/2000/XP clients are kept, and the second line performs the same 1290function for Windows 95/98/Me clients. In both cases, the location is 1291specified as a UNC, but 1292<tt class="literal">logon</tt><a name="INDEX-127"/> <tt class="literal">path</tt> (for Windows 1293NT/2000/XP) is specified relative to the 1294<tt class="literal">[profiles]</tt> share, while 1295<tt class="literal">logon</tt><a name="INDEX-128"/> <tt class="literal">home</tt> (for Windows 129695/98/Me) is specified relative to the user's home 1297directory. This is done to comply with Samba's 1298emulation of Windows NT/2000 PDC behavior.</p> 1299 1300<p>The <tt class="literal">logon</tt> <tt class="literal">home</tt> UNC must begin 1301by specifying the user's home directory, which in 1302our previous example would be <tt class="literal">\\%L\%u</tt>. The 1303variable <tt class="literal">%L</tt><a name="INDEX-129"/> expands to the NetBIOS name of the 1304server (in this case, toltec), and 1305<tt class="literal">%u</tt><a name="INDEX-130"/> expands to the name of the user. 
This 1306must be done to allow the command:</p> 1307 1308<a name="INDEX-131"/><blockquote><pre class="code">C:\><tt class="userinput"><b>net use h: /home</b></tt></pre></blockquote> 1309 1310<p>to function correctly to connect the user's home 1311directory to drive letter H: on all Windows clients. (The drive 1312letter used for this purpose is defined by <tt class="literal">logon</tt> 1313<tt class="literal">drive</tt>.) We add the directory 1314<em class="filename">.win_profile</em><a name="INDEX-132"/> to the UNC to put the Windows 131595/98/Me roaming profile in a subdirectory of the 1316user's home directory.</p> 1317<a name="samba2-CHP-4-NOTE-116"/><blockquote class="note"><h4 class="objtitle">WARNING</h4> 1318<p>Note that in both <tt class="literal">logon path</tt> and <tt class="literal">logon 1319home</tt>, we absolutely avoid making the profile directory the 1320same as the user's home directory, and the directory 1321that contains the profile is not used for any other purpose. 
This is 1322because when the roaming profile is updated, all directories and 1323files in the roaming-profile directory that are not part of the 1324roaming profile are deleted.</p> 1325</blockquote> 1326 1327<p>In the <tt class="literal">logon</tt> <tt class="literal">path</tt> line in 1328<em class="filename">smb.conf</em>, we use <tt class="literal">%u</tt> to put 1329the profiles directory in a subdirectory in the 1330<tt class="literal">[profiles]</tt> share, such that each user gets her own 1331directory that holds her roaming profiles.</p> 1332 1333<p>We define the <tt class="literal">[profiles]</tt> share like this:</p> 1334 1335<blockquote><pre class="code">[profiles] 1336 writable = yes 1337 create mask = 0600 1338 directory mask = 0700 1339 browsable = no 1340 path = /home/samba-ntprof</pre></blockquote> 1341 1342<p>The first four parameters in the previous share definition specify to 1343allow roaming profiles to be written with the users' 1344permissions, to create files with read and write permissions for the 1345owner, and to create directories with read, write, and search 1346permissions for the owner and no access allowed for other users. As 1347with the <tt class="literal">[netlogon]</tt> share, we set 1348<tt class="literal">browsable</tt> <tt class="literal">=</tt> 1349<tt class="literal">no</tt> so that the share will not show up on the 1350clients in Windows Explorer.</p> 1351 1352<p>We've decided to put our Windows NT/2000/XP profiles 1353in <em class="filename">/home</em>, the default location of the home 1354directories on Linux. This will make it simple to include the roaming 1355profiles in backups of the home directories. 
You can use another
directory if you like.</p>

<p>Notice that in both <tt class="literal">logon</tt> <tt class="literal">path</tt>
and <tt class="literal">logon</tt> <tt class="literal">home</tt>, the directory
we specify ends in <tt class="literal">%m</tt>, which Samba replaces with
the NetBIOS name of the client. We are using the
client's computer name to identify indirectly which
version of Windows it is running.</p>

<p>Initially, the directories you specify to hold the roaming profiles
will be empty and will become populated as clients log off for the
first time. (Samba will even create the directories if they do not
already exist.) At first, the directories will simply contain
profiles that are identical to the clients' local
profiles, and we highly recommend that you make a backup at this
point before things get complicated. A listing of the roaming profile
directory for user <tt class="literal">iman</tt>, after she has logged off
from Windows 98 clients <tt class="literal">mixtec</tt> and
<tt class="literal">pueblo</tt> and Windows Me clients
<tt class="literal">huastec</tt> and <tt class="literal">navajo</tt>, might look
something like the following:</p>

<blockquote><pre class="code">$ <tt class="userinput"><b>ls -l /home/iman/.win_profile</b></tt>
total 4
drwx------ 6 iman iman 4096 Dec 8 18:09 huastec
drwx------ 9 iman iman 4096 Dec 7 03:47 mixtec
drwx------ 11 iman iman 4096 Dec 7 03:05 navajo
drwx------ 11 iman iman 4096 Dec 7 03:05 pueblo</pre></blockquote>

<p>If things were left like this, the clients would not share their
roaming profiles, so next we change from using separate directories
to having symbolic links point to common directories
(<tt class="literal">rm -r</tt> because <em class="filename">huastec</em> and
<em class="filename">pueblo</em> are directories, and <tt class="literal">chown -h</tt>
so that the links themselves, not just the directories they point to,
end up owned by <tt class="literal">iman</tt>):</p>

<blockquote><pre class="code"># <tt class="userinput"><b>mv mixtec Win98</b></tt>
# <tt class="userinput"><b>mv navajo WinMe</b></tt>
# <tt class="userinput"><b>rm -r huastec pueblo</b></tt>
# <tt class="userinput"><b>ln -s Win98 pueblo</b></tt>
# <tt class="userinput"><b>ln -s WinMe huastec</b></tt>
# <tt class="userinput"><b>chown -h iman:iman *</b></tt>
# <tt class="userinput"><b>ls -l /home/iman/.win_profile</b></tt>
total 6
lrwxrwxrwx 1 iman iman 5 Nov 16 01:40 huastec -> WinMe
lrwxrwxrwx 1 iman iman 5 Nov 16 01:40 mixtec -> Win98
lrwxrwxrwx 1 iman iman 5 Nov 21 17:24 navajo -> WinMe
lrwxrwxrwx 1 iman iman 5 Nov 23 01:16 pueblo -> Win98
drwx------ 9 iman iman 4096 Dec 7 03:47 Win98
drwx------ 11 iman iman 4096 Dec 7 03:05 WinMe</pre></blockquote>

<p>Now when <tt class="literal">iman</tt> logs on to the domain from either
Windows 98 system, the client from which she is logging on will get
the profile stored in the <em class="filename">Win98</em> directory (that
started out as her local profile on <tt class="literal">mixtec</tt>). This
works likewise for the Windows Me clients.</p>

<p>To show a more complete example, here is a listing of a fully
operational Windows 95/98/Me profiles directory:</p>

<a name="INDEX-133"/><blockquote><pre class="code">$ <tt class="userinput"><b>ls -l /home/jay/.win_profile</b></tt>
total 12
lrwxrwxrwx 1 jay jay 9 Nov 16 22:14 aztec -> /home/jay
lrwxrwxrwx 1 jay jay 5 Nov 16 01:40 hopi -> Win95
lrwxrwxrwx 1 jay jay 5 Nov 16 01:40 huastec -> WinMe
lrwxrwxrwx 1 jay jay 5 Nov 16 01:38 maya -> Win98
lrwxrwxrwx 1 jay jay 5 Nov 16 01:40 mixtec -> Win98
lrwxrwxrwx 1 jay jay 5 Nov 21 17:24 navajo -> WinMe
lrwxrwxrwx 1 jay jay 5 Nov 23 01:16 pueblo -> Win98
lrwxrwxrwx 1 jay jay 5 Nov 22 02:06 ute -> Win95
drwx------ 6 jay jay 4096 Dec 8 18:09 Win95
drwx------ 9 jay jay 4096 Dec 7 03:47 Win98
drwx------ 11 jay jay 4096 Dec 7 03:05 WinMe
lrwxrwxrwx 1 jay jay 5 Nov 21 22:48 yaqui -> Win98
lrwxrwxrwx 1 jay jay 9 Nov 16 22:14 zuni -> /home/jay</pre></blockquote>

<p>Again, the computer name of each client exists in this directory as a
symbolic link that points to the directory containing the actual
roaming profile. For example, <tt class="literal">maya</tt>, a client that
runs Windows 98, has a symbolic link named <em class="filename">maya</em>
to the <em class="filename">Win98</em> directory. A listing of
<em class="filename">Win98</em> shows:</p>

<blockquote><pre class="code">$ <tt class="userinput"><b>ls -l Win98</b></tt>
total 148
drwxr-xr-x 3 jay jay 4096 Nov 23 01:30 Application Data
drwxr-xr-x 2 jay jay 4096 Nov 23 01:30 Cookies
drwxr-xr-x 3 jay jay 4096 Dec 7 03:47 Desktop
drwxr-xr-x 3 jay jay 4096 Nov 23 01:30 History
drwxr-xr-x 2 jay jay 4096 Nov 23 01:30 NetHood
drwxr-xr-x 2 jay jay 4096 Dec 7 03:47 Recent
drwxr-xr-x 3 jay jay 4096 Nov 23 01:30 Start Menu
-rw-r--r-- 1 jay jay 114720 Dec 7 03:46 USER.DAT</pre></blockquote>

<p>The contents of the <em class="filename">Win95</em> and
<em class="filename">WinMe</em> directories appear similar and contain
roaming profiles that work exactly as they should on their respective
operating systems.</p>

<p>Notice in the previous listing that <em class="filename">aztec</em> and
<em class="filename">zuni</em> are symbolic links to
<em class="filename">/home/jay</em>. We've cautioned you
never to configure a roaming profile directory to be a
user's home directory, but this is to handle
something different. The clients <tt class="literal">aztec</tt> and
<tt class="literal">zuni</tt> are Windows XP systems, which handle
<tt class="literal">logon</tt> <tt class="literal">home</tt> differently than
other versions of Windows. We have set <tt class="literal">logon</tt>
<tt class="literal">home</tt> <tt class="literal">=</tt>
<tt class="literal">\\%L\%u\.win_profile\%m</tt>, and all versions of Windows except for
Windows XP strip off everything after <tt class="literal">\\%L\%u</tt> and
correctly locate the home directory—in this case,
<em class="filename">/home/jay</em>. Windows XP uses the full UNC, so we
simply add a symbolic link to redirect it to the correct directory to
get the <em class="emphasis">net use H: /home</em> command to work as it
should. The roaming profiles for Windows XP systems are not affected
by this and are kept with the other roaming profiles in the Windows
NT/2000/XP family, as shown in this listing:</p>

<blockquote><pre class="code">$ <tt class="userinput"><b>ls -l /home/samba-ntprof/jay</b></tt>
total 16
lrwxrwxrwx 1 jay jay 5 Nov 20 03:45 apache -> Win2K
lrwxrwxrwx 1 jay jay 5 Nov 13 12:35 aztec -> WinXP
lrwxrwxrwx 1 jay jay 5 Nov 13 12:34 dine -> WinNT
lrwxrwxrwx 1 jay jay 5 Nov 24 03:44 inca -> Win2K
lrwxrwxrwx 1 jay jay 5 Nov 13 12:34 pima -> Win2K
drwx------ 13 jay jay 4096 Dec 3 15:24 qero
drwx------ 13 jay jay 4096 Dec 1 20:31 Win2K
drwx------ 12 jay jay 4096 Nov 30 17:04 WinNT
drwx------ 13 jay jay 4096 Nov 20 01:23 WinXP
lrwxrwxrwx 1 jay jay 5 Nov 20 06:09 yavapai -> WinXP
lrwxrwxrwx 1 jay jay 5 Nov 13 12:34 zapotec -> Win2K
lrwxrwxrwx 1 jay jay 5 Nov 13 12:35 zuni -> WinXP</pre></blockquote>

<p>As you can see, we are using a similar method for the Windows
NT/2000/XP roaming profiles. In the listing,
<em class="filename">qero</em> is not a symbolic link, but rather a
directory that holds the roaming profile for <tt class="literal">qero</tt>,
a Windows 2000 client that has recently been added.
We had not 1493created a symbolic link called <em class="filename">qero</em> before 1494installing Windows 2000, so when jay logged off for the first time, 1495Samba created a directory named <em class="filename">qero</em> and copied 1496the roaming profile received from the client to the new directory. 1497Because this is a separate directory from <em class="filename">Win2K</em>, 1498which all other Windows 2000 clients are using to share their roaming 1499profiles, the roaming profile for <tt class="literal">qero</tt> works like 1500a local profile, except that it is stored on the primary domain 1501controller.</p> 1502 1503<p>This might seem like an odd thing to do, but it has some purpose. 1504Sometimes you might wish to isolate a client in this manner, 1505especially while the operating system is being installed and 1506initially configured. Remember, if that client, with its default 1507local profile, is logged off the domain, the local profile will be 1508written to the roaming profile directory. If the client were using 1509the shared roaming profile directory, the effect could be 1510undesirable, to say the least. Using our method, the 1511<em class="filename">qero</em> directory can later be renamed to make it 1512into an archival backup, or it can just be deleted. Then a new 1513symlink named <em class="filename">qero</em> can be created to point to 1514the <em class="filename">Win2K</em> directory, and <tt class="literal">qero</tt> 1515will share the roaming profile in <em class="filename">Win2K</em> with the 1516other Windows 2000 clients.</p> 1517 1518<p>An alternative method is simply to create the 1519<a name="INDEX-134"/>symbolic 1520links before the clients are added to the network. After you become 1521more comfortable with the way roaming profiles work, you might find 1522this method to be simpler and quicker.</p> 1523 1524<p>Again, we urge you to be careful about letting different versions of 1525Windows share the same roaming profile. 
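</p>

<p>The steps just described (moving the first client's directory into
place, replacing the other client directories with symbolic links,
fixing ownership, and keeping a stray directory such as
<em class="filename">qero</em> rather than sharing it) are easy to get
wrong by hand once there are a dozen clients. The following shell
script is an added example and is not code from the book or from
Samba. It reproduces the layout for one user from a list of
<tt class="literal">client=version</tt> pairs, using the same
<em class="filename">.win_profile</em> and
<em class="filename">/home/samba-ntprof</em> locations as the
<em class="filename">smb.conf</em> lines in this section, and it adds the
Windows XP link back to the home directory that
<em class="filename">aztec</em> and <em class="filename">zuni</em> needed.
The function names <tt class="literal">set_aside</tt>,
<tt class="literal">link_client</tt> and
<tt class="literal">setup_profile_links</tt> are this example's own:</p>

```shell
#!/bin/sh
# Added example, not from the book: build the per-client symlink layout the
# chapter describes for one user, in one shot and repeatably.  Layout assumed,
# matching the smb.conf lines in the text:
#   Windows 95/98/Me profiles   under HOMEDIR/.win_profile/<client>
#   Windows NT/2000/XP profiles under NTPROFDIR/<user>/<client>
# Client names and versions are supplied by the caller.

# set_aside PATH: keep a stray profile directory as PATH.saved (an archival
# copy, as the text suggests for qero) rather than deleting it.
set_aside() {
    if [ -e "$1.saved" ]; then
        echo "$1.saved already exists, not overwriting" >&2
        return 1
    fi
    mv "$1" "$1.saved"
}

# link_client DIR CLIENT TARGET: make DIR/CLIENT a symlink to TARGET.
# If DIR/CLIENT is a real directory (Samba created it at the client's first
# logoff, before the link existed), it becomes the shared TARGET directory
# when that does not exist yet (the "mv mixtec Win98" step); otherwise it
# is set aside.
link_client() {
    lc_dir=$1; lc_client=$2; lc_target=$3
    lc_entry="$lc_dir/$lc_client"
    if [ -L "$lc_entry" ]; then
        rm -f "$lc_entry"                          # stale link: recreate it
    elif [ -d "$lc_entry" ]; then
        case $lc_target in
        /*) set_aside "$lc_entry" || return 1 ;;   # never promote into a home dir
        *)  if [ -d "$lc_dir/$lc_target" ]; then
                set_aside "$lc_entry" || return 1
            else
                mv "$lc_entry" "$lc_dir/$lc_target"
            fi ;;
        esac
    fi
    case $lc_target in
    /*) [ -d "$lc_target" ] || return 1 ;;          # absolute target must exist
    *)  mkdir -p "$lc_dir/$lc_target" && chmod 700 "$lc_dir/$lc_target" ;;
    esac
    ln -s "$lc_target" "$lc_entry"
}

# setup_profile_links USER HOMEDIR NTPROFDIR CLIENT=VERSION...
# VERSION is one of Win95 Win98 WinMe WinNT Win2K WinXP.
setup_profile_links() {
    sp_user=$1; sp_home=$2; sp_ntprof=$3; shift 3
    mkdir -p "$sp_home/.win_profile" "$sp_ntprof/$sp_user"
    chmod 700 "$sp_home/.win_profile" "$sp_ntprof/$sp_user"
    for sp_pair in "$@"; do
        sp_client=${sp_pair%%=*}; sp_version=${sp_pair#*=}
        case $sp_version in
        Win95|Win98|WinMe)
            link_client "$sp_home/.win_profile" "$sp_client" "$sp_version" || return 1 ;;
        WinNT|Win2K)
            link_client "$sp_ntprof/$sp_user" "$sp_client" "$sp_version" || return 1 ;;
        WinXP)
            link_client "$sp_ntprof/$sp_user" "$sp_client" "$sp_version" || return 1
            # XP resolves the full logon home UNC, so its .win_profile entry
            # must lead back to the home directory (the aztec/zuni links)
            link_client "$sp_home/.win_profile" "$sp_client" "$sp_home" || return 1 ;;
        *)  echo "$sp_client: unknown Windows version '$sp_version'" >&2; return 1 ;;
        esac
    done
    # the chown step from the text; only root can do it, and -h makes the
    # links themselves, not only their targets, belong to the user
    if [ "$(id -u)" -eq 0 ] && id "$sp_user" >/dev/null 2>&1; then
        chown -R -h "$sp_user:$sp_user" "$sp_home/.win_profile" "$sp_ntprof/$sp_user"
    fi
}
```

<p>Run it as root on the Samba host, for example
<tt class="literal">setup_profile_links jay /home/jay /home/samba-ntprof
mixtec=Win98 aztec=WinXP qero=Win2K</tt>; running it again after a new
client has logged off for the first time is safe, because an existing
link is simply recreated. The version directories are created with mode
0700 on purpose: the <em class="filename">Win98</em> listing above shows
the hive and its folders as <tt class="literal">drwxr-xr-x</tt> and
<tt class="literal">-rw-r--r--</tt>, since the home directory share does
not carry the 0600/0700 masks given to <tt class="literal">[profiles]</tt>,
and a <em class="filename">USER.DAT</em> that every Unix account on the
host can read is worth avoiding.</p>

<p>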
The method of configuring 1526roaming profiles we've shown you here allows you to 1527test a configuration for a few clients at a time without affecting 1528your whole network of clients. For example, we could install a small 1529number of Windows 2000 and Windows XP systems in the domain for 1530testing purposes and then create symlinks for them that point to a 1531directory called <em class="filename">Win2KXP</em> to find out if sharing 1532roaming profiles between our Windows 2000 and Windows XP systems 1533meets our expectations. The <em class="filename">Win2KXP</em> directory 1534could be created as an empty directory, in which case it would have a 1535roaming profile written to it by the first of the clients to log off. 1536Or, <em class="filename">Win2KXP</em> could simply be a renamed roaming 1537profile directory that was created by one of the clients when it was 1538added to the domain. <a name="INDEX-135"/><a name="INDEX-136"/></p> 1539 1540 1541</div> 1542 1543 1544<div class="sect2"><a name="samba2-CHP-4-SECT-5.3"/> 1545 1546<h3 class="head2">Configuring Windows 95/98/Me for Roaming Profiles</h3> 1547 1548<p><a name="INDEX-137"/><a name="INDEX-138"/>For roaming profiles to work on 1549Windows 95/98/Me clients, all you need to do is change one setting to 1550allow each user to have a separate local profile. This has the side 1551effect of enabling roaming profiles as well.</p> 1552 1553<p>Open the Control Panel and double-click the Passwords icon to open 1554the Passwords Properties dialog box. Click the User Profiles tab, and 1555the dialog box will appear as shown in <a href="ch04.html#samba2-CHP-4-FIG-12">Figure 4-12</a>.</p> 1556 1557<div class="figure"><a name="samba2-CHP-4-FIG-12"/><img src="figs/sam2_0412.gif"/></div><h4 class="head4">Figure 4-12. The Windows 98 Passwords Properties dialog</h4> 1558 1559<p>Click the button labeled "Users can customize their 1560preferences and desktop settings." 
In the User 1561profile settings box, you can check the options you prefer. When 1562done, click the OK button and reboot as requested. During this first 1563reboot, Windows will copy the local profile data to 1564<em class="filename">C:\windows\profiles</em> but will not attempt to copy 1565the roaming profile from the server. The next time the system is shut 1566down, the local profile will be copied to the server, and when 1567Windows reboots, it will copy the roaming profile from the server.</p> 1568 1569 1570</div> 1571 1572 1573<div class="sect2"><a name="samba2-CHP-4-SECT-5.4"/> 1574 1575<h3 class="head2">Configuring Windows NT/2000/XP for Roaming Profiles</h3> 1576 1577<p><a name="INDEX-139"/><a name="INDEX-140"/><a name="INDEX-141"/><a name="INDEX-142"/>Roaming profiles are enabled by 1578default on Windows NT/2000/XP. In case you would like to check or 1579modify your settings, follow these directions.</p> 1580 1581<p>Make sure you are logged in to the local system as Administrator or 1582another user in the Administrators group. Open the Control Panel and 1583double-click the System icon. On Windows NT/2000, click the User 1584Profiles tab, or on Windows XP, click the Advanced tab and then the 1585Settings button in the User Profiles box. You should see the dialog 1586box in <a href="ch04.html#samba2-CHP-4-FIG-13">Figure 4-13</a>.</p> 1587 1588<div class="figure"><a name="samba2-CHP-4-FIG-13"/><img src="figs/sam2_0413.gif"/></div><h4 class="head4">Figure 4-13. The Windows 2000 System Properties, User Profiles tab</h4> 1589 1590<p>Notice in the figure that there are two entries for the username 1591<tt class="literal">jay</tt>. The entry ZAPOTEC\jay refers to the account 1592on the local system, and METRAN\jay refers to the domain account. 1593Recall that when a user logs on, a drop-down menu in the dialog box 1594allows him to log on to a domain or log in to the local system. 
When 1595<tt class="literal">jay</tt> logs in to the local machine, only the local 1596profile is used. When logged on to the domain, the configuration 1597shown will use the roaming profile. To switch a 1598user's profile type for a domain logon account, 1599click the account name to select it, then click the Change Type... 1600button near the bottom of the dialog box. The Change Profile Type 1601dialog box will appear. Click the radio button for either roaming or 1602local profile, and then click the OK buttons for each dialog box.</p> 1603 1604 1605</div> 1606 1607 1608<div class="sect2"><a name="samba2-CHP-4-SECT-5.5"/> 1609 1610<h3 class="head2">Mandatory Profiles</h3> 1611 1612<p><a name="INDEX-143"/>With a simple 1613modification, a <a name="INDEX-144"/>roaming profile can be made into a 1614<a name="INDEX-145"/>mandatory 1615profile, which has the quality of being unmodifiable by its owner. 1616Mandatory profiles are used in some computing environments to 1617simplify administration. The theory is that if users cannot modify 1618their profiles, less can go wrong, and it is also possible to use the 1619same standardized profile for all users.</p> 1620 1621<p>In practice, some issues come up. Because the users can still modify 1622the configuration settings in their local profile during their logon 1623session, confusion can result the next time they log on to the domain 1624and discover their changes have been 1625"lost." If the user of a client 1626reinstalls an application in a different place, the shortcuts to the 1627program on the desktop, in the Start menu, or in a Quick Launch bar 1628cannot be permanently deleted. They will reappear every time the user 1629logs back on to the domain. Essentially, a mandatory profile is a 1630roaming profile that always fails to update to the server upon 1631logging off!</p> 1632 1633<p>Another complication is that different versions of Windows behave 1634differently with mandatory profiles. 
If a user who has a mandatory 1635profile creates a new file on her desktop, the file might be missing 1636the next time the user logs off and on again or reboots. Some Windows 1637versions preserve desktop files in the local profile (even if the 1638file does not exist in the mandatory profile), whereas others do not.</p> 1639 1640<p>To change a <a name="INDEX-146"/><a name="INDEX-147"/>roaming profile to a mandatory 1641profile, all you have to do is rename the 1642<em class="filename">.dat</em><a name="INDEX-148"/><a name="INDEX-149"/> file in the roaming profile directory 1643on the server to have a <em class="filename">.man</em> extension instead. 1644For a Windows 95/98/Me roaming profile, you would rename 1645<em class="filename">USER.DAT</em> to <em class="filename">USER.MAN</em>, and 1646for a Windows NT/2000/XP roaming profile, you would rename 1647<em class="filename">NTUSER.DAT</em> to <em class="filename">NTUSER.MAN</em>. 1648Also, you might want to make the roaming-profile directory and its 1649contents read-only, to make sure that a user can't 1650change it by logging into his Unix user account on the Samba host 1651system.</p> 1652 1653<p>If you want to have all your users share a mandatory profile, you can 1654change the definitions of <tt class="literal">logon</tt> 1655<tt class="literal">path</tt> and <tt class="literal">logon</tt> 1656<tt class="literal">home</tt> in your <em class="filename">smb.conf</em> file to 1657point to a shared mandatory profile on the server and adjust your 1658directory structure and symbolic links accordingly. 
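</p>

<p>Converting a profile by hand means renaming the hive and then
remembering the permission pass. As an added example, not code from the
book or from Samba, the following shell functions do both steps for one
profile directory on the Samba host and then check the result. The
function names <tt class="literal">make_mandatory</tt> and
<tt class="literal">profile_is_mandatory</tt> are this example's own, and
the directory is whatever the caller passes in:</p>

```shell
#!/bin/sh
# Added example, not from the book: turn a roaming-profile directory on the
# Samba host into a mandatory one and verify it.  It follows the two steps in
# the text: rename USER.DAT (95/98/Me) or NTUSER.DAT (NT/2000/XP) to .MAN,
# then make the whole tree read-only.

# make_mandatory DIR
# Rename the registry hive to a .MAN extension (a .MAN that is already there
# is left alone, so the function can be rerun) and strip every write bit.
make_mandatory() {
    mm_dir=$1
    [ -d "$mm_dir" ] || { echo "$mm_dir: not a directory" >&2; return 1; }
    mm_found=0
    for mm_hive in "$mm_dir"/*; do
        case $(basename "$mm_hive" | tr '[:upper:]' '[:lower:]') in
        user.dat|ntuser.dat)
            mv "$mm_hive" "${mm_hive%.*}.MAN"
            mm_found=1 ;;
        user.man|ntuser.man)
            mm_found=1 ;;
        esac
    done
    if [ "$mm_found" -eq 0 ]; then
        echo "$mm_dir: no USER.DAT or NTUSER.DAT hive found" >&2
        return 1
    fi
    # files 444, directories 555: the user can still read the profile but
    # cannot change it from a Unix shell on the server
    find "$mm_dir" -type f -exec chmod 444 {} +
    find "$mm_dir" -type d -exec chmod 555 {} +
}

# profile_is_mandatory DIR
# Succeed only if DIR holds a .MAN hive, no leftover .DAT hive, and nothing
# under it is writable by owner, group or other.
profile_is_mandatory() {
    pm_dir=$1
    pm_man=0; pm_dat=0
    for pm_f in "$pm_dir"/*; do
        case $(basename "$pm_f" | tr '[:upper:]' '[:lower:]') in
        user.man|ntuser.man) pm_man=$((pm_man + 1)) ;;
        user.dat|ntuser.dat) pm_dat=$((pm_dat + 1)) ;;
        esac
    done
    pm_writable=$(find "$pm_dir" \( -perm -200 -o -perm -020 -o -perm -002 \) | wc -l | tr -d ' ')
    [ "$pm_man" -ge 1 ] && [ "$pm_dat" -eq 0 ] && [ "$pm_writable" -eq 0 ]
}
```

<p>One caveat: read-only permission bits on files the user owns only
prevent accidental edits, because the owner of a file can always give
the write bit back. If a mandatory profile must really stay fixed, make
the profile directory and the <em class="filename">.MAN</em> hive owned
by root (or another account) with read access for the user; that is why
the ownership of the files matters as much as their mode.</p>

<p>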
For example, 1659<tt class="literal">logon</tt> <tt class="literal">path</tt> and 1660<tt class="literal">logon</tt> <tt class="literal">home</tt> might be defined 1661like this:</p> 1662 1663<blockquote><pre class="code">logon path = \\%L\profiles\%m 1664logon home = \\%L\%u\.win_profile\%m</pre></blockquote> 1665 1666<p>Notice that we've removed the <tt class="literal">%u</tt> 1667part of the path for <tt class="literal">logon</tt> 1668<tt class="literal">path</tt>, and we would also change the directory 1669structure on the server to do away with the separation of the 1670profiles by username and have just one profile for each Windows 1671NT/2000/XP version.</p> 1672 1673<p>We cannot use the same treatment for <tt class="literal">logon</tt> 1674<tt class="literal">home</tt> because it is also used to specify the home 1675directory. In this case, we would change the symbolic links in each 1676user's <em class="filename">.win_profile</em> directory 1677to point to a common mandatory profile directory containing the 1678mandatory profiles for each of Windows 95/98/Me. Again, check the 1679ownership and permissions on the files in the directory, and modify 1680them if necessary to make sure a user can't modify 1681any files by logging into her Unix account on the Samba host system.</p> 1682 1683 1684</div> 1685 1686 1687<div class="sect2"><a name="samba2-CHP-4-SECT-5.6"/> 1688 1689<h3 class="head2">Logon Script and Roaming-Profile Options</h3> 1690 1691<p><a href="ch04.html#samba2-CHP-4-TABLE-1">Table 4-1</a> summarizes the options commonly used in 1692association with Windows NT domain <a name="INDEX-150"/><a name="INDEX-151"/>logon 1693scripts and roaming profiles.</p> 1694 1695<a name="samba2-CHP-4-TABLE-1"/><h4 class="head4">Table 4-1. 
Logon-script options</h4><table border="1"> 1696 1697 1698 1699 1700 1701 1702<tr> 1703<th> 1704<p>Option</p> 1705</th> 1706<th> 1707<p>Parameters</p> 1708</th> 1709<th> 1710<p>Function</p> 1711</th> 1712<th> 1713<p>Default</p> 1714</th> 1715<th> 1716<p>Scope</p> 1717</th> 1718</tr> 1719 1720 1721<tr> 1722<td> 1723<p><tt class="literal">logon</tt> <tt class="literal">script</tt></p> 1724</td> 1725<td> 1726<p>string (MS-DOS path)</p> 1727</td> 1728<td> 1729<p>Name of logon script batch file</p> 1730</td> 1731<td> 1732<p>None</p> 1733</td> 1734<td> 1735<p>Global</p> 1736</td> 1737</tr> 1738<tr> 1739<td> 1740<p><tt class="literal">logon</tt> <tt class="literal">path</tt></p> 1741</td> 1742<td> 1743<p>string (UNC server and share name)</p> 1744</td> 1745<td> 1746<p>Location of roaming profile</p> 1747</td> 1748<td> 1749<p><tt class="literal">\\%N\%U\profile</tt></p> 1750</td> 1751<td> 1752<p>Global</p> 1753</td> 1754</tr> 1755<tr> 1756<td> 1757<p><tt class="literal">logon</tt> <tt class="literal">drive</tt></p> 1758</td> 1759<td> 1760<p>string (drive letter)</p> 1761</td> 1762<td> 1763<p>Specifies the logon drive for a home directory</p> 1764</td> 1765<td> 1766<p><tt class="literal">Z</tt>:</p> 1767</td> 1768<td> 1769<p>Global</p> 1770</td> 1771</tr> 1772<tr> 1773<td> 1774<p><tt class="literal">logon</tt> <tt class="literal">home</tt></p> 1775</td> 1776<td> 1777<p>string (UNC server and share name)</p> 1778</td> 1779<td> 1780<p>Specifies a location for home directories for clients logging on to 1781the domain</p> 1782</td> 1783<td> 1784<p><tt class="literal">\\%N\%U</tt></p> 1785</td> 1786<td> 1787<p>Global</p> 1788</td> 1789</tr> 1790 1791</table> 1792 1793 1794<div class="sect3"><a name="samba2-CHP-4-SECT-5.6.1"/> 1795 1796<a name="INDEX-152"/><h3 class="head3">logon script</h3> 1797 1798<p>This option specifies a Windows batch file that will be executed on 1799the client after a user has logged on to the domain. 
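</p>

<p>Because the client, not the server, runs this file, the copy on the
Samba host must be written with MS-DOS line endings (CR LF). The
following shell functions are an added example, not code from the book
or from Samba: one writes a per-user <em class="filename">.bat</em> file
into a netlogon directory passed in by the caller, built from the
<em class="emphasis">net time</em> and <em class="emphasis">net use</em>
commands this chapter uses, and the other checks that every line of a
script still ends in CR LF. The server name <tt class="literal">toltec</tt>
is the one used earlier in the chapter; the function names are this
example's own:</p>

```shell
#!/bin/sh
# Added example, not from the book: generate a per-user logon script with
# CR LF line endings on the Samba host and check an existing one.  The
# netlogon directory, user, server and drive letter are caller-supplied.

# write_logon_script NETLOGON_DIR USER SERVER DRIVE
# Produces NETLOGON_DIR/USER.bat, the name "logon script = %U.bat" selects,
# and prints its path.
write_logon_script() {
    wl_dir=$1; wl_user=$2; wl_server=$3; wl_drive=$4
    wl_file="$wl_dir/$wl_user.bat"
    mkdir -p "$wl_dir"
    # printf with an explicit \r\n on every line, so no Unix newline gets in
    {
        printf '@echo off\r\n'
        printf 'rem logon script for %s, generated on the Samba host\r\n' "$wl_user"
        printf 'net time \\\\%s /set /yes\r\n' "$wl_server"
        printf 'net use %s: /home\r\n' "$wl_drive"
    } > "$wl_file"
    chmod 644 "$wl_file"
    printf '%s\n' "$wl_file"
}

# logon_script_ok FILE
# Succeed only if FILE is non-empty and every line ends in CR LF; a script
# touched by a Unix editor afterwards may have silently lost the CRs.
logon_script_ok() {
    lo_total=$(wc -l < "$1" | tr -d ' ')
    lo_crlf=$(grep -c "$(printf '\r')\$" "$1")
    [ "$lo_total" -gt 0 ] && [ "$lo_total" -eq "$lo_crlf" ]
}
```

<p>For example, <tt class="literal">write_logon_script /export/samba/netlogon
fred toltec h</tt> creates <em class="filename">fred.bat</em>, and
<em class="emphasis">file fred.bat</em> on the host should then report
CRLF line terminators. Running <tt class="literal">logon_script_ok</tt>
over the netlogon directory from time to time catches scripts whose
line endings were changed by a later edit.</p>

<p>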
Each logon 1800script should be stored in the root directory of the 1801<tt class="literal">[netlogon]</tt> share or a subdirectory. This option 1802frequently uses the <tt class="literal">%U</tt> or <tt class="literal">%m</tt> 1803variables (user or NetBIOS name) to point to an individual script. 1804For example:</p> 1805 1806<blockquote><pre class="code">[global] 1807 logon script = %U.bat</pre></blockquote> 1808 1809<p>will execute a script based on the username. If the user who is 1810connecting is <tt class="literal">fred</tt> and the path of the 1811<tt class="literal">[netlogon]</tt> share maps to the directory 1812<em class="filename">/export/samba/netlogon</em>, the script should be 1813<em class="filename">/export/samba/netlogon/fred.bat</em>. Because these 1814scripts are downloaded to the client and executed on the Windows 1815side, they must have MS-DOS-style newline characters rather than Unix 1816newlines.</p> 1817 1818 1819</div> 1820 1821 1822 1823<div class="sect3"><a name="samba2-CHP-4-SECT-5.6.2"/> 1824 1825<a name="INDEX-153"/><h3 class="head3">logon path</h3> 1826 1827<p>This option specifies the location where roaming profiles are kept. 1828When the user logs on, a roaming profile will be downloaded from the 1829server to the client and used as the local profile during the logon 1830session. 
When the user logs off, the contents of the local profile are uploaded back to the server and kept there until the next time the user connects.</p>

<p>It is often more secure to create a separate share exclusively for storing user profiles:</p>

<blockquote><pre class="code">[global]
    logon path = \\hydra\profile\%U</pre></blockquote>

<p>For more information on this option, see <a href="ch04.html#samba2-CHP-4-SECT-5">Section 4.5</a> earlier in this chapter.</p>

</div>

<div class="sect3"><a name="samba2-CHP-4-SECT-5.6.3"/>

<a name="INDEX-154"/><h3 class="head3">logon drive</h3>

<p>This option specifies the drive letter on a Windows NT/2000/XP client to which the home directory specified with the <tt class="literal">logon</tt> <tt class="literal">home</tt> option will be mapped. Note that this option works with Windows NT/2000/XP clients only. For example:</p>

<blockquote><pre class="code">[global]
    logon drive = I:</pre></blockquote>

<p>You should always use drive letters that will not conflict with fixed drives on the client machine. The default is Z:, which is a good choice because it is as far away from A:, C:, and D: as possible.</p>

</div>

<div class="sect3"><a name="samba2-CHP-4-SECT-5.6.4"/>

<a name="INDEX-155"/><h3 class="head3">logon home</h3>

<p>This option specifies the location of a user's home directory for use by the MS-DOS <em class="emphasis">net</em> commands. For example, to specify a home directory as a share on a Samba server, use the following:</p>

<blockquote><pre class="code">[global]
    logon home = \\hydra\%U</pre></blockquote>

<p>Note that this works nicely with the <tt class="literal">[homes]</tt> service, although you can specify any directory you wish. Home directories can be mapped with a logon script using the following command:</p>

<a name="INDEX-156"/><blockquote><pre class="code">C:\><tt class="userinput"><b>net use i: /home</b></tt></pre></blockquote>

</div>

</div>

</div>

<div class="sect1"><a name="samba2-CHP-4-SECT-6"/>

<h2 class="head1">System Policies</h2>

<p>A <a name="INDEX-157"/>system policy can be used in a Windows NT domain as a remote administration tool for implementing a similar computing environment on all clients and limiting the ability of users to change configuration settings on their systems, or allowing them to run only a limited set of programs. One application of system policies is to use them along with mandatory profiles to implement a collection of computers for public use, such as in a library, school, or Internet cafe.</p>

<p>A system policy is a collection of registry settings that is stored in a file on the PDC and is automatically downloaded to the clients when users log on to the domain. The file containing the settings is created on a Windows system using the <a name="INDEX-158"/>System Policy Editor. Because the format of the registry is different between Windows 95/98/Me and Windows NT/2000/XP, it is necessary to make sure that the file that is created is in the proper format. This is a very simple matter, because when the System Policy Editor runs on Windows 95/98/Me, it will create a file in the format for Windows 95/98/Me, and if it is run on Windows NT/2000/XP, it will use the format needed by those versions. After the policy file is created with the System Policy Editor, it is stored on the primary domain controller and is automatically downloaded by the clients during the logon process, and the policies are applied to the client system.</p>

<p>On Windows NT 4.0 Server, you can run the System Policy Editor by logging in to the system as Administrator or another user in the Administrators group, opening the Start menu, and selecting Programs, then Administrative Tools, then System Policy Editor. On Windows 2000 Advanced Server, open the Start menu and click Run.... In the dialog box that comes up, type in <tt class="literal">C:\winnt\poledit.exe</tt>, and click the OK button.</p>

<p>If you are using a Windows version other than NT Server or Windows 2000 Advanced Server, you must install the System Policy Editor, and getting a copy of it can be a little tricky. If you are running Windows NT 4.0 Workstation or Windows 2000 Professional and have a Windows NT 4.0 Server installation CD-ROM, you can run the file <em class="filename">\Clients\Svrtools\Winnt\Setup.bat</em> from that CD to install the Client-based Network Administration Tools, which includes <em class="emphasis">poledit.exe</em>. Then open the Start menu, click Run..., type <tt class="literal">C:\winnt\system32\poledit.exe</tt> into the text area, and click the OK button.</p>

<p>If you are using Windows 95/98, insert a Windows 95 or Windows 98 distribution CD-ROM<a name="FNPTR-4"/><a href="#FOOTNOTE-4">[4]</a> into your CD-ROM drive, then open the Control Panel and double-click the Add/Remove Programs button.</p>

<p>Click the Windows Setup tab, and then click the Have Disk... button. In the new dialog box that appears, click the Browse... button, then select the CD-ROM drive from the Drives drop-down menu. Then:</p>

<ul><li>
<p>If you are using a Windows 95 installation CD-ROM, double-click the admin, then apptools, then poledit folder icons.</p>
</li><li>
<p>If you are using a Windows 98 installation CD-ROM, double-click the tools, then reskit, then netadmin, then poledit folder icons.</p>
</li></ul>
<p>You should see "<a name="INDEX-159"/>grouppol.inf" appear in the File name: text area on the left of the dialog box. Click the OK buttons in two dialog boxes, and you will be presented with a dialog box in which you should select both the Group Policies and System Policy Editor checkboxes. Then click the Install button. Close the remaining dialog box, and you can now run the System Policy Editor by opening the Start menu and selecting Programs, then Accessories, then System Tools, then System Policy Editor. Or click the Run... item in the Start Menu, and enter <tt class="literal">C:\Windows\Poledit</tt>.</p>

<p>When the System Policy Editor starts up, select New Policy from the File menu, and you will see a window similar to that in <a href="ch04.html#samba2-CHP-4-FIG-14">Figure 4-14</a>.</p>

<div class="figure"><a name="samba2-CHP-4-FIG-14"/><img src="figs/sam2_0414.gif"/></div><h4 class="head4">Figure 4-14. The System Policy Editor window</h4>

<p>The next step is to make a selection from the File menu to add policies for users, groups, and computers. For each item you add, you will be asked for the username, or the name of the group or computer, and a new icon will appear in the window. Double-clicking one of the icons will bring up the Properties dialog box, such as the one shown in <a href="ch04.html#samba2-CHP-4-FIG-15">Figure 4-15</a>.</p>

<div class="figure"><a name="samba2-CHP-4-FIG-15"/><img src="figs/sam2_0415.gif"/></div><h4 class="head4">Figure 4-15. The Properties dialog of System Policy Editor</h4>

<p>The upper window in the dialog shows the registry settings that can be modified as part of the system policy, and the lower window shows descriptive information or more settings pertaining to the one selected in the upper window. Notice in the figure that there are three checkboxes and that they are all in different states:</p>

<dl>
<dt><b>Checked</b></dt>
<dd>
<p>The registry setting is enabled in the policy</p>
</dd>

<dt><b>White (unchecked)</b></dt>
<dd>
<p>The registry setting is cleared on the client</p>
</dd>

<dt><b>Gray</b></dt>
<dd>
<p>The registry setting on the client is left unmodified</p>
</dd>

</dl>

<p>Basically, if all the items are left gray (the default), the system policy will have no effect: the registry of the logged-on client will not be modified. However, if any of the items are either checked or unchecked (white), the registry on the client will be modified to enable the setting or clear it.</p>
<a name="samba2-CHP-4-NOTE-117"/><blockquote class="note"><h4 class="objtitle">WARNING</h4>
<p>In this section, we are giving you enough information on using the System Policy Editor to get you started—or, should we say, enough rope with which to hang yourself. Remember that a system policy, once put into action, will be modifying the registries of all clients who log on to the domain. The usual warnings about editing a Windows registry apply here with even greater importance. Consider how difficult (or even impossible) it will be for you to restore the registries on all those clients if anything happens to go wrong. <em class="emphasis">As with roaming profiles, casual or careless implementation of system policies can easily lead to domain-wide disaster</em>.</p>

<p>Creating a good system policy file is a complex topic, which we cannot cover in detail here. It would take a whole book, and yes, there happens to be an O'Reilly book on the subject, <em class="citetitle">Windows System Policy Editor</em>. Another definitive source of documentation on Windows NT system policies and the System Policy Editor is the Microsoft white paper <em class="citetitle">Implementing Policies and Profiles for Windows NT 4.0</em>, which can be found at <a href="http://www.microsoft.com/ntserver/techresources/management/prof_policies.asp">http://www.microsoft.com/ntserver/techresources/management/prof_policies.asp</a>.</p>
</blockquote>

<p>Once you have created a policy, click the OK button and use the Save As... item from the File menu to save it. Use the filename <em class="filename">config.pol</em><a name="INDEX-160"/> for a Windows 95/98 system policy and <em class="filename">ntconfig.pol</em><a name="INDEX-161"/> for a policy that will be used on Windows NT/2000/XP clients. Finally, copy the <em class="filename">.pol</em> file to the directory used for the <tt class="literal">[netlogon]</tt> share on the Samba PDC. The <em class="filename">config.pol</em> and <em class="filename">ntconfig.pol</em> files must go in this directory—unlike roaming profiles and logon scripts, there is no way to specify the location of the system policy files in <em class="filename">smb.conf</em>.
If you want to have different system policies for different users or computers, you must perform that part of the configuration within the System Policy Editor.</p>

<a name="samba2-CHP-4-NOTE-118"/><blockquote class="note"><h4 class="objtitle">TIP</h4>
<p>If you have, or will have, any <a name="INDEX-162"/><a name="INDEX-163"/>Windows Me clients on your network, be careful. Microsoft has stated that Windows Me does not support system policies. The odd thing about this is that it will download the policy from a <em class="filename">config.pol</em> file on the PDC, but there is no guarantee that the results will be what was intended. Check the effect of your system policy carefully on your Windows Me clients to make sure it is working how you want.</p>
</blockquote>

<p>When a user logs on to the domain, her Windows client will download the <em class="filename">.pol</em> file from the server, and the settings in it (that is, the items either checked or cleared in the System Policy Editor) will override the client's settings.</p>

<p>If things "should work" but don't, try shutting down the Windows client and restarting, rather than just logging off and on again. Windows sometimes holds the <tt class="literal">[netlogon]</tt> share open across logon sessions, and this can prevent the client from getting the updated <em class="filename">.pol</em> file from the server.
<a name="INDEX-164"/>
<a name="INDEX-165"/></p>

</div>

<div class="sect1"><a name="samba2-CHP-4-SECT-7"/>

<h2 class="head1">Samba as a Domain Member Server</h2>

<p><a name="INDEX-166"/>Up to now, we've focused on configuring and using Samba as the primary domain controller. If you already have a domain controller on your network, either a Windows NT/2000 Server system or a Samba PDC, you can add a Samba server to the domain as a domain member server. This involves setting up the Samba server to have a computer account with the primary domain controller, much as Windows NT/2000/XP clients can have computer accounts on a Samba PDC. When a client accesses shares on the Samba domain member server, Samba will pass off the authentication to the domain controller rather than performing the task on the local system. If the PDC is a Windows server, any number of Windows BDCs might exist that can handle the authentication instead of the PDC.</p>

<p>The first step is to add the Samba server to the domain by creating a computer account for it on the primary domain controller. You can do this using the <em class="emphasis">smbpasswd</em> command, as follows:</p>

<blockquote><pre class="code"># <tt class="userinput"><b>smbpasswd -j <em class="replaceable">DOMAIN</em> -r <em class="replaceable">PDCNAME</em> -U<em class="replaceable">admin_acct</em>%<em class="replaceable">password</em></b></tt></pre></blockquote>

<p>In this command, <em class="replaceable">DOMAIN</em> is replaced by the name of the domain the Samba host is joining, <em class="replaceable">PDCNAME</em> is replaced by the computer name of the primary domain controller, <em class="replaceable">admin_acct</em> is replaced by the username of an administrative account on the domain controller (either Administrator—or another user in the Administrators group—on Windows NT/2000, and root on Samba), and <em class="replaceable">password</em> is replaced with the password of that user. To give a more concrete example, on our domain that has a Windows NT 4 Server primary domain controller or a Windows 2000 Active Directory domain controller named <tt class="literal">SINAGUA</tt>, the command would be:</p>

<blockquote><pre class="code"># <tt class="userinput"><b>smbpasswd -j METRAN -r SINAGUA -UAdministrator%hup8ter</b></tt></pre></blockquote>

<p>and if the PDC is a Samba system, we would use the command:</p>

<blockquote><pre class="code"># <tt class="userinput"><b>smbpasswd -j METRAN -r toltec -Uroot%jwun83jb</b></tt></pre></blockquote>

<p>where <tt class="literal">jwun83jb</tt> is the password for the root user that is contained in the <em class="filename">smbpasswd</em> file, as we explained earlier in this chapter.</p>

<p>If you did it right, <em class="emphasis">smbpasswd</em> will respond with a message saying the domain has been joined. The security identifier<a name="FNPTR-5"/><a href="#FOOTNOTE-5">[5]</a> returned to Samba from the PDC is kept in the file <em class="filename">/usr/local/samba/private/secrets.tdb</em>. The information in <em class="filename">secrets.tdb</em><a name="INDEX-167"/> is security-sensitive, so make sure to protect <em class="filename">secrets.tdb</em> in the same way you would treat Samba's password file.</p>

<p>The next step is to modify the <em class="filename">smb.conf</em><a name="INDEX-168"/> file.
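The following POSIX shell helper is an added example, not the book's own script, that walks through the member-server setup in the order given here: the <em class="emphasis">smbpasswd</em> join shown above, the three <tt class="literal">[global]</tt> lines explained next, a <em class="emphasis">testparm</em> check, and a permission check on <em class="filename">secrets.tdb</em>. The <em class="filename">smb.conf</em> and <em class="filename">secrets.tdb</em> paths are the book's default install layout and are assumed; the join leaves off the <tt class="literal">%password</tt> part so that <em class="emphasis">smbpasswd</em> prompts for it (assumed behaviour) instead of exposing it in the process list and shell history.

```shell
#!/bin/sh
# Added example, not from the book: turn a workgroup smb.conf into a domain
# member configuration and verify the results. Order as in the text: join
# with smbpasswd, add the three [global] lines, run testparm, restart Samba.
# Paths below are the book's default install layout and are assumptions.
SMBCONF_DEFAULT=/usr/local/samba/lib/smb.conf
SECRETS_DEFAULT=/usr/local/samba/private/secrets.tdb

# Join DOMAIN through the controller PDC as the administrative account ADMIN.
# The %password suffix is left off on purpose: the password is then entered
# at smbpasswd's prompt (assumed behaviour) rather than exposed to ps and
# shell history, as it is when given on the command line.
join_domain() {                      # usage: join_domain DOMAIN PDC ADMIN
    command -v smbpasswd >/dev/null 2>&1 || { echo "smbpasswd not found"; return 2; }
    smbpasswd -j "$1" -r "$2" -U "$3"
}

# Set KEY = VALUE in the [global] section of FILE, replacing an existing
# line for KEY or adding one; creates [global] if the file has none.
set_global() {                       # usage: set_global FILE KEY VALUE
    [ -f "$1" ] || return 1
    awk -v key="$2" -v val="$3" '
        function trim(s) { sub(/^[ \t]+/, "", s); sub(/[ \t]+$/, "", s); return s }
        function norm(s) { gsub(/[ \t]/, "", s); return tolower(s) }
        {
            line = trim($0)
            if (line ~ /^\[/) {
                if (inglobal && !done) { print "   " key " = " val; done = 1 }
                inglobal = (tolower(line) == "[global]")
                if (inglobal) seen = 1
            } else if (inglobal && index(line, "=") &&
                       norm(substr(line, 1, index(line, "=") - 1)) == norm(key)) {
                if (!done) { print "   " key " = " val; done = 1 }
                next                      # drop the old (or duplicate) line
            }
            print
        }
        END {
            if (!done) { if (!seen) print "[global]"; print "   " key " = " val }
        }' "$1" > "$1.new" && mv "$1.new" "$1"
}

# Return 0 if FILE is owned by OWNER (default root) and unreadable by
# everyone else, which is how secrets.tdb must be kept.
check_secrets() {                    # usage: check_secrets FILE [OWNER]
    owner=${2:-root}
    [ -f "$1" ] || { echo "$1 missing: has the domain join run?"; return 1; }
    if [ -n "$(find "$1" ! -user "$owner")" ]; then
        echo "$1 is not owned by $owner"; return 1
    fi
    case "$(ls -ld "$1" | cut -c5-10)" in
        ------) return 0 ;;
        *) echo "$1 is readable or writable by group/other"; return 1 ;;
    esac
}

# Write the three lines the text describes and let testparm (when
# installed) confirm the file still parses.
configure_member() {                 # usage: configure_member FILE DOMAIN
    set_global "$1" workgroup "$2" &&
    set_global "$1" security domain &&
    set_global "$1" "password server" "*" || return 1
    if command -v testparm >/dev/null 2>&1; then
        testparm -s "$1" >/dev/null || { echo "testparm rejected $1"; return 1; }
    fi
    return 0
}

# Constructed offline walk-through on a throwaway copy; on a real host run
# join_domain first, then configure_member and check_secrets against
# SMBCONF_DEFAULT and SECRETS_DEFAULT, and restart the Samba daemons.
DEMO=$(mktemp -d)
printf '[global]\n   workgroup = WORKGROUP\n   security = user\n\n[homes]\n   browseable = no\n' \
    > "$DEMO/smb.conf"
if configure_member "$DEMO/smb.conf" METRAN; then
    cat "$DEMO/smb.conf"
fi
```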
Assuming you are starting with a valid <em class="filename">smb.conf</em> file that correctly configures Samba to function in a workgroup, such as the one we used in <a href="ch02.html">Chapter 2</a>, it is simply a matter of adding the following three lines to the <tt class="literal">[global]</tt> section:</p>

<blockquote><pre class="code">workgroup = METRAN
security = domain
password server = *</pre></blockquote>

<p>The first line establishes the name of the domain (even though it says "workgroup"). Instead of METRAN, use the name of the domain you are joining. Setting security to "domain" causes Samba to hand off authentication to a domain controller, and the <tt class="literal">password</tt> <tt class="literal">server</tt> <tt class="literal">=</tt> <tt class="literal">*</tt> line tells Samba to find the domain controller for authentication (which could be the primary domain controller or a backup domain controller) by querying the WINS server, or by using broadcast packets if a WINS server is not available.</p>

<p>At this point, it would be prudent to run <em class="emphasis">testparm</em> to check that your <em class="filename">smb.conf</em> is free of errors. Then restart the Samba daemons.</p>

<p>If the PDC is a Windows NT system, you can use Server Manager to check that the Samba server has been added successfully. Open the Start menu, then select Programs, then Administrative Tools (Common), and then Server Manager. Server Manager starts up with a window that looks like <a href="ch04.html#samba2-CHP-4-FIG-16">Figure 4-16</a>.</p>

<div class="figure"><a name="samba2-CHP-4-FIG-16"/><img src="figs/sam2_0416.gif"/></div><h4 class="head4">Figure 4-16. The Windows NT Server Manager window</h4>

<p>As you can see, we've added both <tt class="literal">toltec</tt> and <tt class="literal">mixtec</tt> to a domain for which the Windows NT 4.0 Server system, <tt class="literal">sinagua</tt>, is the primary domain controller.</p>

<p>You can check your setup on Windows 2000 Advanced Server by opening the Start menu and selecting Programs, then Administrative Tools, then Active Directory Users and Computers. The window that opens up will look like <a href="ch04.html#samba2-CHP-4-FIG-17">Figure 4-17</a>.</p>

<div class="figure"><a name="samba2-CHP-4-FIG-17"/><img src="figs/sam2_0417.gif"/></div><h4 class="head4">Figure 4-17. The Windows 2000 Active Directory Users and Computers window</h4>

<p>Click Computers in the left side of the window with the Tree tab. You should see your Samba system listed in the right pane of the window.
<a name="INDEX-169"/></p>

</div>

<div class="sect1"><a name="samba2-CHP-4-SECT-8"/>

<h2 class="head1">Windows NT Domain Options</h2>

<p><a href="ch04.html#samba2-CHP-4-TABLE-2">Table 4-2</a> shows the options that are commonly used in association with Samba on a Windows NT domain.</p>

<a name="samba2-CHP-4-TABLE-2"/><h4 class="head4">Table 4-2. Windows NT domain options</h4>
<table border="1">
<tr>
<th><p>Option</p></th>
<th><p>Parameters</p></th>
<th><p>Function</p></th>
<th><p>Default</p></th>
<th><p>Scope</p></th>
</tr>
<tr>
<td><p><tt class="literal">domain logons</tt></p></td>
<td><p>boolean</p></td>
<td><p>Indicates whether Windows domain logons are to be used</p></td>
<td><p><tt class="literal">No</tt></p></td>
<td><p>Global</p></td>
</tr>
<tr>
<td><p><tt class="literal">domain master</tt></p></td>
<td><p>boolean</p></td>
<td><p>Tells Samba to take the role of domain master browser</p></td>
<td><p>Auto</p></td>
<td><p>Global</p></td>
</tr>
<tr>
<td><p><tt class="literal">add user script</tt></p></td>
<td><p>string (command)</p></td>
<td><p>Script to run to add a user or computer account</p></td>
<td><p>None</p></td>
<td><p>Global</p></td>
</tr>
<tr>
<td><p><tt class="literal">delete user script</tt></p></td>
<td><p>string (command)</p></td>
<td><p>Script to run to delete a user or computer account</p></td>
<td><p>None</p></td>
<td><p>Global</p></td>
</tr>
<tr>
<td><p><tt class="literal">domain admin group</tt></p></td>
<td><p>string (list of users)</p></td>
<td><p>Users that are in the Domain Admins group</p></td>
<td><p>None</p></td>
<td><p>Global</p></td>
</tr>
<tr>
<td><p><tt class="literal">domain guest group</tt></p></td>
<td><p>string (list of users)</p></td>
<td><p>Users that are in the Domain Guests group</p></td>
<td><p>None</p></td>
<td><p>Global</p></td>
</tr>
<tr>
<td><p><tt class="literal">password server</tt></p></td>
<td><p>string (list of computers)</p></td>
<td><p>List of domain controllers used for authentication when Samba is running as a domain member server</p></td>
<td><p>None</p></td>
<td><p>Global</p></td>
</tr>
<tr>
<td><p><tt class="literal">machine password timeout</tt></p></td>
<td><p>numeric (seconds)</p></td>
<td><p>Sets the renewal interval for NT domain machine passwords</p></td>
<td><p><tt class="literal">604,800</tt> (1 week)</p></td>
<td><p>Global</p></td>
</tr>
</table>

<p>Here are detailed explanations of each <a name="INDEX-170"/>Windows NT domain option listed in <a href="ch04.html#samba2-CHP-4-TABLE-2">Table 4-2</a>.</p>

<div class="sect2"><a name="samba2-CHP-4-SECT-8.1"/>

<a name="INDEX-171"/><h3 class="head2">domain logons</h3>

<p>This option configures Samba to accept domain logons as a primary domain controller. When a client successfully logs on to the domain, Samba will return a special token to the client that allows the client to access domain shares without consulting the PDC again for authentication. Note that the Samba machine must employ user-level security (<tt class="literal">security</tt> <tt class="literal">=</tt> <tt class="literal">user</tt>) and must be the PDC for this option to function. In addition, Windows machines will expect a <tt class="literal">[netlogon]</tt> share to exist on the Samba server.</p>

<div class="sect3"><a name="samba2-CHP-4-SECT-8.1.1"/>

<a name="INDEX-172"/><h3 class="head3">domain master</h3>

<p>In a Windows network, a local master browser handles browsing within a subnet. A Windows domain can be made up of a number of subnets, each of which has its own local master browser. The primary domain controller serves the function of domain master browser, collecting the browse lists from the local master browser of each subnet. Each local master browser queries the domain master browser and adds the information about other subnets to its own browse list. When Samba is configured as a primary domain controller, it automatically sets <tt class="literal">domain</tt> <tt class="literal">master</tt> <tt class="literal">=</tt> <tt class="literal">yes</tt>, making itself the domain master browser.</p>

<p>Because Windows NT PDCs always claim the role of domain master browser, Samba should never be allowed to be domain master if there is a Windows PDC in the domain.</p>

</div>

<div class="sect3"><a name="samba2-CHP-4-SECT-8.1.2"/>

<a name="INDEX-173"/><h3 class="head3">add user script</h3>

<p>There are two ways in which <tt class="literal">add</tt> <tt class="literal">user</tt> <tt class="literal">script</tt> can be used. When the Samba server is set up as a primary domain controller, it can be assigned to a command that will run on the Samba server to add a Windows NT/2000/XP computer account to Samba's password database. When the user on the Windows system changes the computer's settings to join a domain, he is asked for the username and password of a user who has administrative rights on the domain controller. Samba authenticates this user and then runs the <tt class="literal">add</tt> <tt class="literal">user</tt> <tt class="literal">script</tt> with root permissions.</p>

<p>When Samba is configured as a domain member server, the <tt class="literal">add</tt> <tt class="literal">user</tt> <tt class="literal">script</tt> can be assigned to a command to add a user to the system. This allows Windows clients to add users that can access shares on the Samba system without requiring an administrator to create the account manually on the Samba host.</p>

</div>

<div class="sect3"><a name="samba2-CHP-4-SECT-8.1.3"/>

<a name="INDEX-174"/><h3 class="head3">delete user script</h3>

<p>There are times when users are automatically deleted from the domain, and the <tt class="literal">delete</tt> <tt class="literal">user</tt> <tt class="literal">script</tt> can be assigned to a command that removes a user from the Samba host as a Windows server would do. However, you might not want this to happen, because the Unix user might need the account for reasons other than use with Samba. Therefore, we recommend that you be very careful about using this option.</p>

</div>

<div class="sect3"><a name="samba2-CHP-4-SECT-8.1.4"/>

<a name="INDEX-175"/><h3 class="head3">domain admin group</h3>

<p>In a domain of Windows systems, it is possible for a server to get a list of the members of the Domain Admins group from a domain controller. Samba 2.2 does not have the ability to handle this, and the <tt class="literal">domain</tt> <tt class="literal">admin</tt> <tt class="literal">group</tt> parameter exists as a manual means of informing Samba who is in the group. The list should contain root (necessary for adding computer accounts) and any users on Windows NT/2000/XP clients in the domain who are in the Domain Admins group. These users must be recognized by the primary domain controller in order for them to perform some administrative duties, such as adding users to the domain.</p>

</div>

<div class="sect3"><a name="samba2-CHP-4-SECT-8.1.5"/>

<a name="INDEX-176"/><h3 class="head3">password server</h3>

<p>In a Windows domain in which the domain controllers are a Windows primary domain controller along with any number of Windows backup domain controllers, clients and domain member servers authenticate users by querying either the PDC or any of the BDCs. When Samba is configured as a domain member server, the <tt class="literal">password</tt> <tt class="literal">server</tt> parameter allows some control over how Samba finds a domain controller. Earlier versions of Samba could not use the same method that Windows systems use, and it was necessary to specify a list of systems to try. When you set <tt class="literal">password</tt> <tt class="literal">server</tt> <tt class="literal">=</tt> <tt class="literal">*</tt>, Samba 2.2 is able to find the domain controller in the same manner that Windows does, which helps to spread the requests over several backup domain controllers, minimizing the possibility of them becoming overloaded with authentication requests. We recommend that you use this method.</p>

</div>

<div class="sect3"><a name="samba2-CHP-4-SECT-8.1.6"/>

<a name="INDEX-177"/><h3 class="head3">machine password timeout</h3>

<p>The <tt class="literal">machine</tt> <tt class="literal">password</tt> <tt class="literal">timeout</tt> global option sets a retention period for Windows NT domain machine passwords. The default is currently set to the same time period that Windows NT 4.0 uses: 604,800 seconds (one week). Samba will periodically attempt to change the <em class="firstterm">machine account password</em>, which is a password used specifically by another server to report changes to it. This option specifies the number of seconds that Samba should wait before attempting to change that password. The timeout period can be changed to a single day by specifying the following:</p>

<blockquote><pre class="code">[global]
    machine password timeout = 86400</pre></blockquote>

<a name="samba2-CHP-4-NOTE-119"/><blockquote class="note"><h4 class="objtitle">TIP</h4>
<p>If you would like more information on how Windows NT uses domain usernames and groups, we recommend Eric <a name="INDEX-178"/>Pearce's <em class="citetitle">Windows NT in a Nutshell</em>, published by O'Reilly. <a name="INDEX-179"/></p>
</blockquote>

</div>

</div>

</div>

<hr/><h4 class="head4">Footnotes</h4><blockquote><a name="FOOTNOTE-1"/> <p><a href="#FNPTR-1">[1]</a> When we include Windows XP in discussions of Windows NT domains in this book, we are referring to Windows XP Professional and not to the Home edition. The reason for this is explained in the section on Windows XP later in this chapter.</p> <a name="FOOTNOTE-2"/> <p><a href="#FNPTR-2">[2]</a> The entry in <em class="filename">/etc/passwd</em> might not be required in future Samba versions.</p> <a name="FOOTNOTE-3"/> <p><a href="#FNPTR-3">[3]</a> If you want to follow our example in this section, and your network doesn't have any Windows systems offering shares, see <a href="ch05.html">Chapter 5</a> for directions on how to create one. Make sure you understand how to set up shares before continuing with the directions presented here!</p> <a name="FOOTNOTE-4"/> <p><a href="#FNPTR-4">[4]</a> The version of the System Policy Editor distributed with Windows 98 is an update of the version shipped with Windows 95. Use the version from the Windows 98 distribution if you can.</p> <a name="FOOTNOTE-5"/> <p><a href="#FNPTR-5">[5]</a> This security identifier (SID) is part of an access token that allows the PDC to identify and authenticate the client.</p> </blockquote><hr/><h4 class="head4"><a href="toc.html">TOC</a></h4></body></html>