Samba Domain Controller
prince_kenshi
06-03-2001, 11:06 PM
I've already asked this in several places. I figured I'd ask here before I send an e-mail to the creators of Samba and bother them.
I'm trying to make Samba the domain controller of the Windows computers on my network. There's a machine that dual boots Windows 98 and 2000 and I set up an NT 4 machine just to see how it mingles with Samba. I have the latest version of Samba and CVS. I've set up the global section of smb.conf just like in the Samba FAQ on the official home page plus some shares. I have netlogon and profiles shares. Windows 98 will log into the domain just as I want it to. Windows NT 4 and 5 are having problems however. I can add them to the domain properly with the root account. But when I restart and try to log in, it says that all my accounts are disabled. Whenever I type in a fake account, it says something different so it at least knows that the accounts exist. Windows 98 doesn't have this problem. Can anyone suggest some fixes? Merci.
debiandude
06-04-2001, 12:16 AM
To configure your NT box you have to do some stupid stuff that you don't have to do with 98. All NT clients that connect to a primary domain controller make use of trust accounts. These accounts allow a machine to log in to the PDC itself (not one of its shares), which means that the PDC can trust any further connections from users on that client. For all intents and purposes, a trust account is identical to a user account. In fact, you use standard Unix user accounts to emulate trust accounts for the Samba server.
The login name of a machine's trust account is the name of the machine with a dollar sign appended to it. For example, if you call your Windows NT machine bobrulz, the login account would be bobrulz$. The initial password of the account is simply the name of the machine in lowercase letters. In order to forge the trust account on the Samba server, you need to create a Unix account with the appropriate machine name, as well as an encrypted password entry in the smbpasswd database.
Let's tackle the first part. Here, we only need to modify the /etc/passwd file to support the trust account; there is no need to create a home directory or assign a shell to the "user" because the only part we are interested in is whether a login is permitted. Therefore, we can create a "dummy" account with the following entry:
bobrulz$:*:1000:900:Trust Account:/dev/null:/dev/null
Note that we have also disabled the password field by placing a * in it. This is because Samba will use the smbpasswd file to contain the password instead, and we don't want anyone to telnet into the machine using that account. In fact, the only value other than the account name that is used here is the UID of the account for the encrypted password database (1000). This number must map to a unique resource ID on the NT server and cannot conflict with any other resource IDs. Hence, no NT user or group should map to this number or a networking error will occur.
Next, add the encrypted password using the smbpasswd command, as follows:
# smbpasswd -a -m bobrulz
Added user bobrulz$
Password changed for user bobrulz$
The -m option specifies that a machine trust account is being generated. The smbpasswd program will automatically set the initial encrypted password as the NetBIOS name of the machine in lowercase letters; you don't need to enter it. When specifying this option on the command line, do not put a dollar sign after the machine name - it will be appended automatically. Once the encrypted password has been added, Samba is ready to handle domain logins from an NT client.
--> Taken from Using Samba, O'Reilly
prince_kenshi
06-04-2001, 01:09 AM
I've already done all that. That's the manual way. I've also done it the automatic way. I can't remember how (I was reading a tutorial) but basically the Windows box attaches as root and creates the account itself. Both ways work. It says "Welcome to the FREAKS domain." But no one can log in after I restart. Thanks anyway for that long *** tutorial though.
prince_kenshi
06-05-2001, 02:20 AM
Whoo hoo! I finally got it fixed. As someone on the mailing list told me to do, I made a small change to /etc/pam.d/samba and it works now. Windows 98, NT 4, and 2000 all log into the domain. I'm a happy man.
Wildfox
06-05-2001, 11:09 AM
What was the fix? I would like to know. :)
Thanks
Wildfox
prince_kenshi
06-06-2001, 12:31 AM
Edit your /etc/pam.d/samba file from this:
auth required pam_unix.so nullok
account required pam_unix.so
to this:
auth required pam_unix.so nullok
account required pam_permit.so
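
Added example, not part of the original thread: pam_permit.so always returns success, so with the change above the account stage of this service no longer applies pam_unix's account and password expiry checks, and nullok lets pam_unix accept accounts with an empty password. The script below flags both settings in a PAM service file; the function names are hypothetical and the sample input is constructed from the two file versions quoted above.

```python
import re
import sys

# Constructed sample input: the two versions of /etc/pam.d/samba quoted in the thread.
BEFORE = "auth required pam_unix.so nullok\naccount required pam_unix.so\n"
AFTER = "auth required pam_unix.so nullok\naccount required pam_permit.so\n"

# type, control (plain word or [bracketed list]), module, optional arguments
RULE = re.compile(r"(-?\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)")


def parse_pam(text):
    """Return (type, control, module, args) for every rule line in a PAM file."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        m = RULE.fullmatch(line)
        if m:  # "@include ..." lines and malformed lines do not match
            mtype, control, module, args = m.groups()
            rules.append((mtype.lstrip("-"), control,
                          module.rsplit("/", 1)[-1], args.split()))
    return rules


def audit(text):
    """Hypothetical helper: list weak settings found in one PAM service file."""
    findings = []
    rules = parse_pam(text)
    for mtype, _, module, args in rules:
        if mtype == "auth" and module == "pam_unix.so" and "nullok" in args:
            findings.append("auth: pam_unix.so nullok accepts empty passwords")
    account = [module for mtype, _, module, _ in rules if mtype == "account"]
    if account and all(module == "pam_permit.so" for module in account):
        findings.append("account: only pam_permit.so, expiry is never enforced")
    return findings


if __name__ == "__main__":
    if len(sys.argv) > 1:  # e.g. python3 audit_pam.py /etc/pam.d/samba
        with open(sys.argv[1]) as fh:
            samples = {sys.argv[1]: fh.read()}
    else:
        samples = {"before": BEFORE, "after": AFTER}
    for name, text in samples.items():
        for finding in audit(text):
            print("%s: %s" % (name, finding))
```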