ftp://samba.org/pub/samba/alpha and mirror sites

1)

i fixed a problem with nmbd's GETDC response, it is responding better but still not perfectly (and 2.0.x and cvs main need to be fixed, as well) as there exists no explanation for the correct response to locate a Domain Controller using GETDC.

the upshot of fixing this is that joining an nt workstation to a TNG domain is now _extremely_ fast: a couple of seconds, if that, and USRMGR.EXE comes up very rapidly, too.

2)

i concluded that there is a lot of confusion being caused by using smbpasswd to add users to a domain. the default behaviour on creating a user is to create the user with no password and account "disabled", followed by changing the password. this results in, with smbpasswd, the account being created with the correct password, but the account disabled.

please use samedit. samedit's "createuser username -p userpassword" command goes through a series of instructions that include creating the account (which is automatically disabled when created), followed by setting the password, followed by enabling the account.

i have already disabled smbpasswd -m and -j options: i am considering just disabling smbpasswd altogether, however i know that people are _not_ going to like that, so really should implement smbpasswd in terms of samedit commands.

time, time...

3)

elrond continues to send in daily patches that ultimately will help merge TNG with cvs main, by getting TNG more cvs-main-like.

if anyone else wishes to assist with this, please notify everyone of your interest by responding to samba-technical@samba.org, and we can take it from there.

4)

various others, such as greg dickie, michael breuer, continue to send in mini-updates which help to compile and run TNG, please keep 'em coming!

5)

profiles are still not operating correctly, i do not know why, it is beginning to irritate me enough that i am probably going to do something about it.
i now have, from various sources, legitimate versions of NT 5 and NT 4 installed in vmware 2.0 sessions. i am not entirely happy with this: i can only run one vmware session (i am using just xinit not X, i don't like graphical OSes) at a time. my thanks to darryl for his assistance, suggestions, and for providing the entire samba team with vmware licenses: i would be unable to do any work, right now, without vmware, as i only have the one computer.

[btw does anyone, other than me, want to run vmware without having to run X-windows, for example, running linux in console-mode and switching between multiple vmware sessions on alt-f1 to alt-f12?]

6)

password changing. oops! i made a mistake in the Great Convert in january, resulting in passing the wrong parameters over in the samr user password change.

as i modified smbd to call the samr user password change functions instead of accessing smbpasswd directly, this will have affected *all* user-initiated password changes including win95, dos and wfwg _and_ nt password changes.

so, if you have win95, please try changing a user password and report to the list if it works or not.

i also fixed samedit's "ntpass" command to operate correctly at the same time, because it too was minorly broken.

7)

the use of "netbios name" was a red herring and a false alarm. it's perfectly ok to use different netbios names for your server, although not generally considered to be good "network policy", although it does actually work.

8)

elrond spotted that some of the user profile information was not correctly aligned.

please report any operational issues and domain user logon problems, as usual, to samba-ntdom@samba.org, with a full report.

all reports should contain full information, including:

- your OS type
- your last cvs update date *and* time, or tng alpha version number
- your smb.conf file
- an explicit list of steps carried out to get you into the current state

for example, if you are using smbpasswd not samedit, please say so.
please consider including a typescript of the operations used.

please try and avoid reports just saying "it doesn't work": please send reports saying "i carried out the following series of steps, it failed here, the log files show error code xyz at this point, here's all the info about my setup and OS config: here, you go deal with it, i'm bored with all this not working, i give up".

it's starting to get there. we're back at some of the key points that are generally taken for granted, such as user logons and password changes. printing and user profiles are the ones that really need to be dealt with, now.

keep going, keep going, keep going, keep going :)

best regards,

luke

Luke Kenneth Casson Leighton <lkcl@samba.org>
Samba and Network Development: http://cb1.com/~lkcl
Samba Web site: http://samba.org
Macmillan Technical Publishing: http://mcp.com

ISBN 1578701503 DCE/RPC over SMB: Samba and Windows NT Domain Internals
Luke,

Why would you disable the -m option of smbpasswd? We use Ghost to re-image a PC here and we need to reset the machine account after a rebuild so it will gracefully join the domain without having to jump through hoops.

A little history - we build a master image and then distribute that to 600 PCs on our campus. By resetting the machine account through smbpasswd, we can simply rename the machine (since every machine now has the same name from the master image) and after a reboot, it's happy.

If you would recommend a different method, I'm all ears, but I think disabling smbpasswd -m would be a grave mistake.

TIA,

Bill

Luke Kenneth Casson Leighton wrote:
> ftp://samba.org/pub/samba/alpha and mirror sites
>
> 1)
>
> i fixed a problem with nmbd's GETDC response, it is responding better but still not perfectly (and 2.0.x and cvs main need to be fixed, as well) as there exists no explanation for the correct response to locate a Domain Controller using GETDC.
>
> the upshot of fixing this is that joining an nt workstation to a TNG domain is now _extremely_ fast: a couple of seconds, if that, and USRMGR.EXE comes up very rapidly, too.
>
> 2)
>
> i concluded that there is a lot of confusion being caused by using smbpasswd to add users to a domain. the default behaviour on creating a user is to create the user with no password and account "disabled", followed by changing the password. this results in, with smbpasswd, the account being created with the correct password, but the account disabled.
>
> please use samedit. samedit's "createuser username -p userpassword" command goes through a series of instructions that include creating the account (which is automatically disabled when created), followed by setting the password, followed by enabling the account.
>
> i have already disabled smbpasswd -m and -j options: i am considering just disabling smbpasswd altogether, however i know that people are _not_ going to like that, so really should implement smbpasswd in terms of samedit commands.
>
> time, time...
>
> 3)
>
> elrond continues to send in daily patches that ultimately will help merge TNG with cvs main, by getting TNG more cvs-main-like.
>
> if anyone else wishes to assist with this, please notify everyone of your interest by responding to samba-technical@samba.org, and we can take it from there.
>
> 4)
>
> various others, such as greg dickie, michael breuer, continue to send in mini-updates which help to compile and run TNG, please keep 'em coming!
>
> 5)
>
> profiles are still not operating correctly, i do not know why, it is beginning to irritate me enough that i am probably going to do something about it.
>
> i now have, from various sources, legitimate versions of NT 5 and NT 4 installed in vmware 2.0 sessions. i am not entirely happy with this: i can only run one vmware session (i am using just xinit not X, i don't like graphical OSes) at a time. my thanks to darryl for his assistance, suggestions, and for providing the entire samba team with vmware licenses: i would be unable to do any work, right now, without vmware, as i only have the one computer.
>
> [btw does anyone, other than me, want to run vmware without having to run X-windows, for example, running linux in console-mode and switching between multiple vmware sessions on alt-f1 to alt-f12?]
>
> 6)
>
> password changing. oops! i made a mistake in the Great Convert in january, resulting in passing the wrong parameters over in the samr user password change.
>
> as i modified smbd to call the samr user password change functions instead of accessing smbpasswd directly, this will have affected *all* user-initiated password changes including win95, dos and wfwg _and_ nt password changes.
>
> so, if you have win95, please try changing a user password and report to the list if it works or not.
>
> i also fixed samedit's "ntpass" command to operate correctly at the same time, because it too was minorly broken.
>
> 7)
>
> the use of "netbios name" was a red herring and a false alarm. it's perfectly ok to use different netbios names for your server, although not generally considered to be good "network policy", although it does actually work.
>
> 8)
>
> elrond spotted that some of the user profile information was not correctly aligned.
>
> please report any operational issues and domain user logon problems, as usual, to samba-ntdom@samba.org, with a full report.
>
> all reports should contain full information, including:
>
> - your OS type
> - your last cvs update date *and* time, or tng alpha version number
> - your smb.conf file
> - an explicit list of steps carried out to get you into the current state
>
> for example, if you are using smbpasswd not samedit, please say so.
> please consider including a typescript of the operations used.
>
> please try and avoid reports just saying "it doesn't work": please send reports saying "i carried out the following series of steps, it failed here, the log files show error code xyz at this point, here's all the info about my setup and OS config: here, you go deal with it, i'm bored with all this not working, i give up".
>
> it's starting to get there. we're back at some of the key points that are generally taken for granted, such as user logons and password changes. printing and user profiles are the ones that really need to be dealt with, now.
>
> keep going, keep going, keep going, keep going :)
>
> best regards,
>
> luke
>
> Luke Kenneth Casson Leighton <lkcl@samba.org>
> Samba and Network Development: http://cb1.com/~lkcl
> Samba Web site: http://samba.org
> Macmillan Technical Publishing: http://mcp.com
>
> ISBN 1578701503 DCE/RPC over SMB: Samba and Windows NT Domain Internals

--
/---------------------------------------\
|                                       |
| William E. Jojo, Jr.                  |
|                                       |
| Senior Systems and Network Specialist |
|                                       |
| Hudson Valley Community College       |
|                                       |
| (518) 629 7540                        |
|                                       |
| jojowil@hvcc.edu                      |
|                                       |
\---------------------------------------/

So I held my up high
Hiding hate that burns inside
Which only fuels their selfish pride
We're all held captive out from the sun
A sun that shines on only some
We the meek are all in one
Luke,

Thanks for the reply. I understand what you are getting at. However, I do have trouble compiling the TNG code. And have for some time. I would've tried the samedit program if I could get by the enumeration constant problem on the first file make tries. Then if I comment out the offending enumeration constant, I cannot get it to create the shared libraries.

I've sent several emails to this list (samba@samba.org) regarding just this problem and am a little offended that when AIX is having a problem it seems to get ignored - similar to the email I sent regarding quotas. I would love to use the TNG code for our installation, but simply can't due to problems compiling and a lack of support.

As far as why we have to do things the way we are: simple - we're an educational institution that must keep up to date with current hardware and software technology. This means we have to roll out 3 builds a year - one for each semester. Perhaps there are others in the same boat - or worse. Now, this is very simple for a staff of 3 to handle with the simple tool known as smbpasswd. We're using 2.0.6 and don't have samedit. If and when we can get the code to compile, we'll try it your way. Until then we'll continue to find our own solutions.

Bill

On Mon, 20 Mar 2000, Luke Kenneth Casson Leighton wrote:
> On Sun, 19 Mar 2000, William Jojo wrote:
> >
> > Luke,
> >
> > Why would you disable the -m option of smbpasswd? We use Ghost to re-image a PC here and we need to reset the machine account after a rebuild so it will gracefully join the domain without having to jump through hoops.
>
> because 1) having a default well-known workstation trust account password is a security risk: the trust account is used to encrypt user passwords.
>
> because 2) if you _must_ do this, you can use samedit's "createuser wkstaname$ -p wkstaname" to explicitly set the trust account password to the [very insecure] initial value.
>
> oh, and it gets even better if you add a backup domain controller with the trust account password [as the bdc name]: then you run the risk of losing your entire SAM database to an attacker, as they pretend to be the BDC, using the default password and suck all user profile (plus passwords) group, alias and domain information off your PDC -- after all, that's what SAM synchronisation is supposed to do!!!
>
> > A little history - we build a master image and then distribute that to 600 PCs on our campus. By resetting the machine account through smbpasswd, we can simply rename the machine (since every machine now has the same name from the master image) and after a reboot, it's happy.
> >
> > If you would recommend a different method, I'm all ears, but I think disabling smbpasswd -m would be a grave mistake.
>
> you can use samedit's createuser with -j to totally randomise the local workstation trust account password _and_ this totally random value will be stored in the PDC's SAM database, too, so the workstation is synchronised with the PDC.
>
> this can be done just as well in an NT-only environment as it can in a mixed samba-NT environment.
>
> you should be able to do this as a one-step-in-a-script on a secure local network:
>
> samedit -S thepdc -U admin%pdcpwd -W pdcdomname -l log
> [$ ] use \\wkstaname -U localadmin%localpwd -W wkstaname
> connect blah blah: OK
>
> [$ ] use -u
> connect to PDC
> connect to wksta
>
> [$ ] createuser wkstaname$ -j PDCDOMNAME
> creating trust account: OK [this is done to PDC using pdc admin pwd]
> setting $MACHINE.ACC: OK [this is done to wksta using wksta locadm pwd]
>
> now -- at this point, you should be able to go to the wksta and the pdc, and change the name, and voila.
>
> however, if you ask nicely, i might investigate how to change the local workstation name, by adding new commands:
>
> [$ ] srvinfoset -n newworkstationname
>
> [$ ] samuserset wkstaname$ -n newworkstationname$
>
> then you can do this, afterwards:
>
> regedit -S wkstaname -U localadmin%localpwd -W wkstaname
> [$ ] shutdown --reboot --force-close (or -r -f).
>
> luke