Samba PDC Question


Gauge
02-18-2003, 02:53 PM
Last night I tried to set up Samba as a PDC on my network. Before that Samba was working fine in most regards. I could see shares both on and from the Samba box. There were some browsing issues, but that's not really related to this. Bottom line is that it worked.

So, I added the netlogon share and the domain logons = yes line to my smb.conf file and then tried to add my xp computer to the domain. I added the computer name with a $ on the end to my passwd file, and then smbpasswd -a -m <computername>. Then I went into the network identification and changed to the domain and clicked okay. It wouldn't accept any of the passwords including my user password and the computer username/pw. So I had to try adding root. I used root and it worked.

Then when I rebooted the computer, I changed the logon to domain logon instead of computer logon and put in my username and password and it said that there wasn't a domain to authenticate.


All of this sparked several questions in my mind. Some of these questions were about things I thought I had a strong grasp on, but obviously don't.

1) Why did the computer authenticate successfully to join the domain, but not to log on to it?

2) How does a samba user have "root access" to a Linux computer?

3) Is there a correlation between the samba password and the Linux username's permissions? If not, how do you determine permissions except on a by-share basis?

4) Could you have a Samba username without a matching Linux username?

5) What is the purpose of the computer account if you have to log in with a normal username?

6) How do you distinguish Samba usernames that are members of the domain, and ones that are not?

7) How do you restrict shares to members of the domain only? After I failed to log onto the domain, I logged on to the computer and could still access the same shares. I just was denied the right to browse the domain.


If any of these questions need clarification, please say so. I wrote this haphazardly, and I'm sure it's confusing... because I'm sure as heck confused! :confused:
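As an added example (not code from the thread), a small Python checker for the setup described above: it parses an smb.conf fragment plus smbpasswd and /etc/passwd lines and reports the things that commonly break a first Samba PDC, namely a [global] section without `security = user`, `encrypt passwords = yes` (XP clients refuse plaintext passwords) and `domain logons = yes`, a missing [netlogon] share, an smbpasswd entry with no matching Unix account, and a machine account added without `smbpasswd -m`. All sample data is constructed; the hash fields are placeholders.

```python
# Constructed sample smb.conf mirroring the thread's setup (not a real file)
SMB_CONF = """
[global]
   security = user
   encrypt passwords = yes
   domain logons = yes
[netlogon]
   path = /home/netlogon
"""
# Constructed /etc/passwd lines: a user and a machine trust account (name ends in $)
PASSWD = "gauge:x:500:500::/home/gauge:/bin/bash\nxpbox$:x:1001:1001::/dev/null:/bin/false\n"
H = "X" * 32  # placeholder for the LM and NT hash fields of the constructed smbpasswd lines
SMBPASSWD = (  # flags: [U] = user account, [W] = workstation (machine) account
    f"gauge:500:{H}:{H}:[U          ]:LCT-3E4F0000:\n"
    f"xpbox$:1001:{H}:{H}:[W          ]:LCT-3E4F0000:\n"
    f"laptop$:1002:{H}:{H}:[W          ]:LCT-3E4F0000:\n"
)
REQUIRED_GLOBAL = {"security": "user", "encrypt passwords": "yes", "domain logons": "yes"}

def parse_smb_conf(text):
    """Return {section: {key: value}} for smb.conf-style text, keys and values lowercased."""
    sections, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in ";#":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections[current] = {}
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            sections[current][key.strip().lower()] = value.strip().lower()
    return sections
def check_pdc(smb_conf, passwd, smbpasswd):
    """Return a list of problems that would stop this box acting as a PDC."""
    conf, problems = parse_smb_conf(smb_conf), []
    glob = conf.get("global", {})
    for key, want in REQUIRED_GLOBAL.items():
        if glob.get(key) != want:
            problems.append(f"[global] needs '{key} = {want}'")
    if "netlogon" not in conf:
        problems.append("missing [netlogon] share")
    unix_users = {l.split(":")[0] for l in passwd.splitlines() if l}
    for line in filter(None, smbpasswd.splitlines()):
        name, _uid, _lm, _nt, flags = line.split(":")[:5]
        if name not in unix_users:  # question 4: each smbpasswd entry needs a Unix account
            problems.append(f"smbpasswd entry '{name}' has no /etc/passwd entry")
        if name.endswith("$") and "W" not in flags:  # machine accounts need the W flag (-m)
            problems.append(f"machine account '{name}' lacks the W flag (use smbpasswd -a -m)")
    return problems
```

Running check_pdc on the sample data reports only the stray laptop$ entry that has no /etc/passwd line; point it at real files by reading them into the three strings.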

cojo
02-19-2003, 12:49 PM
Ok Gauge, I'm going to try to answer your questions as much as I can. Hell, I'm not even totally sure on some of my answers either. Most of my answers are from documents I have read from the net.

1. It depends on the account you created on your server. The account and password must be the same as the smbusername and username for your linux box.

2. I believe this is on the access right on your directory itself. On my server, I could only have full access on my personal directory and read and execute on the other share directories. I created an Admin and User group in smb. So, I could assign which group my users belong to when they login to the server.

3. Not really. But, you want it to. So, it's easier for you to manage the account later. It's easier if the username and smbusername are the same with the same password.

4. Yes.

5. I don't know for sure on this one. I don't use this option on my network. Mine requested a username and password when I tried to access directories on my RH8 server.

6. Don't know

7. Create Admin & user group and assign the right group to the right account.

Like I said before, I'm not totally sure about these answers. One thing I do recommend you do is download "webmin." It makes your life a lot easier.

Gauge
02-20-2003, 03:11 PM
Thanks for the reply, cojo. I spoke with my cousin, who is a networking consultant, on the phone last night and got some answers. Most of my questions don't make sense. My definition of a PDC was largely incorrect.

Here are some of the real answers to my questions:

1) I'm not completely sure what happened here. I removed the computer from the domain, deleted the computer account on the Linux box, and tried again. The only thing I did differently is I locked the computer account before I tried to join the computer to the domain again. According to a HOW TO that I was reading, that "creates a secret for the pdc and client computer to share." If anyone can explain this in more real terms, I'd love to hear it.

2) This one I don't know. I have a "root" user account in my smbpasswd file, but I do not know how samba actually realizes that it's my root account. I also have "admin" and "users" groups in samba, but samba doesn't distinguish between the two. As far as samba is concerned they are simply groups 501 and 502. I still don't know how to assign root or admin rights to an account or group. Anyone want to take a stab at this?

3) This is pretty much an extension of question #2. Just refer to what I said there.

4) According to what I have read, the answer to this is no. At the very least, you can't have a MACHINE account in smbpasswd if it's not in /etc/passwd. I would assume that this is true with user accounts as well.

5) The purpose of a computer account is this... When a computer joins a domain, the "password" on the computer account becomes the "secret" (as the howto's keep referring to it) shared between the PDC and the client computer. When the client computer logs onto the domain (regardless of who the user is) it sends this "secret" or password to the pdc verifying that it is not just another computer using the same NetBIOS name.

6) This is where my definition of a domain was off. There are no "members" and "non-members" of a domain per se. If you try to access a share when you're not logged on to a domain, then the pdc will validate your username and password. If you're supposed to have access to the share, then you are granted access. You're not a member of the domain, but with a valid username and password you still have access to all the resources. The only things that don't happen if you're not a member of a domain are the following:

i) You are not given a token which prevents you from having to revalidate every time you access a share.
ii) The computer you are on will not download and run the logon scripts.
iii) You will not use your domain profile. You will use a local one instead.

7) This happened because my local username and password were the same as my username and password on the domain. Thus, refer to question #6 as to why I could gain access to all domain resources.


Now, I, like you, am a little unsure about my answers. This domain controller stuff is counter-intuitive to me, so I could still have some of it a bit wrong. Also, my cousin doesn't know much about Linux, so he was talking about real NT domains. If there are differences between the two, I will have those parts wrong. Could anyone double-check my answers to my own questions and make sure that I have a good idea of what's going on?