University of Munich / Department of CS (Informatik) / Communication Systems

TechNote / Networking: Integration of WinNT and Unix


Project: MNM / Fopra

Author: Alexej Kupin

Date: 30/11/99

Description:

This document describes my experience with Samba
and shows you step by step how to install, set up and use
Samba, including Samba as PDC. You will find many solutions here
(e.g. NIS password synchronisation, server-stored profiles, etc.).

Additionally, this report gives you an overview of existing solutions
for integrating Windows and Unix systems in one LAN.
It is impossible to say which of the described solutions is the best,
because that depends on your existing environment.

Contents

0) Conclusion (Let's start from the end!)

a) My Project
b) Management in Windows/Unix mixed environment
c) Why use Samba

1) Overview of existing solutions

(for integration of Windows & Unix-systems in one LAN.)

a) Terminal Server solution
b) WinNT-Server as PDC
c) Unix-DC(NIS/YP) with WinNT-Clients
d) NFS/SMB-Gateway(Samba as Fileserver)
e) Samba as PDC on NIS-DC

2) Install Samba

a) Get Samba source
b) Build Samba
c) Problems

3) Configure Samba

a) smb.conf
b) start smbd/nmbd
c) smbclient
d) netlogon
e) Printing
f) Problems

4) Samba NT Domain PDC support

a) Setup Samba as PDC
b) User profiles(Roaming profiles)
c) Password synchronisation:Samba-Unix
d) About passwords & security
e) Problems

0) Conclusion


a) My Project:

My task was to integrate WinNT/95 clients into an existing UNIX network.
For my environment I chose Samba as PDC on a NIS-DC (see below).
I maintained this project for over one year.
I frequently updated Samba and tried all versions from V2.0.0 to V2.0.6.
For testing it ran on Linux (SuSE 6.0), in production on HP-UX 10.20.

My primary goal was:
to find an easy way to configure and administer a
WinNT/Unix mixed environment (e.g. one password system!).
Additionally: the existing NIS system should remain the master for accounts.

At the end of the project the choice of Samba was a success,
although remote administration with Samba is still in the future...

b) Management in Windows/Unix mixed environment

I found that there is no ideal solution for the integration of Windows and
Unix systems in a LAN. You have to choose between complex
user administration and complex software configuration
(for distributed software or remote administration).
Additionally you have to choose which of the systems will dominate
(domain master: WinNT-PDC or Unix-DC; file system: Win-SMB or Unix-NFS).

Problem: to manage Windows clients you will need tools
that expect WinNT as PDC. If you have WinNT as PDC you
will have more than one user management system,
because the password systems are not compatible.

It is impossible to say which of the described solutions is the best,
because that depends on your existing environment.

c) Why use Samba:

i) In many cases there is already a Unix network and we want to
add some WinNT/95/98 clients in order to give users access to the "MS world"...
ii) The Samba solution does not seem to require any additional software installation
on a WinNT client that joins the UNIX network!

Keep in mind:
Samba as PDC runs on Unix, while WinNT as PDC does not!
That means you can use Unix goodies (like scripts, rlogin) with a Samba PDC.
Example:
In the worst case we have 3 password systems (NIS/YP & WinNT-PDC & smbpasswd)!
Samba-PDC solution:
  • No WinNT server as PDC. (-> Only NIS & SMB passwords left)
    Samba does "one way" password synchronisation (Win->Unix) via "smbpasswd".
  • Synchronise NIS & SMB passwords (-> Only one user password left)
    You can use a "symbolic link" or "alias" to let "passwd" point to "smbpasswd" too!

  • Samba pros:
    Samba is freely available
    Samba is a good NFS/SMB gateway -> good as a file server (to mount the home dir)
    Samba can be a PDC for your Windows clients and replace an expensive WinNT PDC.

    Samba cons:
    remote administration with Samba is still in the future
    PDC functionality is not completely implemented (RPC calls)
    Samba documentation is not well organized and not up to date
    (This is the reason why I am placing this document on the Web)

    1) Overview of existing solutions

    (for integration of Windows & Unix-systems in one LAN.)


    a) Terminal Server solution

    Note: This is not a "real" system integration, because both systems continue to exist independently.

    i) Unix-terminal on a WinNT(e.g. "Exceed")

    Emulation of Unix-Terminal on WinNT-Workstation

    ii) WindowsNT Terminal Server

    Emulation of WinNT-Desktop on a Unix-Workstation

    Description:

  • Resource-sharing: none (File sharing via FTP)
  • Configuration: Separate WinNT & UNIX - user accounts & software
  • Administration: Maintenance of two independent systems
  • Links:

  • Exceed-Software: from Hummingbird Communications Ltd.
  • Windows Terminal Server: from Microsoft

    b) WinNT-Server as PDC

    Note: WinNT-Server as PDC(Primary Domain Controller).
    + WinNT Services AddOn Pack for Unix
    + WinNT Services AddOn Pack for Administration(Zero Admin Kit)

    Description:

  • Resource-sharing: yes (Filesystem=NFS)
  • Configuration: One way password synchronisation(WinNT->Unix)
  • Administration: via ZAK(Zero Administration Kit) is possible...
  • Links:

  • DiscShare-Software: from Intergraph.
  • AddOn Packs: from Microsoft

    c) Unix-DC(NIS/YP) with WinNT-Clients

    Note: NIS/YP server as DC (Domain Controller).
    + Each WinNT client uses client software to accept NFS & NIS passwords

    Description:

  • Resource-sharing: yes (Filesystem=NFS)
  • Configuration: One passwordsystem(NIS/YP).
  • Administration: Copy of WinNT-partition makes it easy to restore WinNT-Workstation!
  • Links:

  • Free software (NISGINA): from Nigel Williams
  • Business software (Chameleon32NFS): from NetManage

    d) NFS/SMB-Gateway(Samba as Fileserver)

    Note: WinNT-Server as PDC(Primary Domain Controller) for Win-Clients
    + NIS/YP-Server as DC(Domain Controller) for Unix-Clients.
    + Samba-Server to accept NFS(and smbpasswd for checking NIS-Passwords)

    Description:

  • Resource-sharing: yes (Filesystem=NFS/SMB)
  • Configuration: In the worst case 3 password systems (NIS/YP & WinNT-PDC & smbpasswd)!
  • Administration: via ZAK(Zero Administration Kit) is possible...
  • Links: SMB-Server samba


    e) Samba as PDC on NIS-DC

    Note: Samba server as PDC (Primary Domain Controller) for Windows clients
    + NIS/YP server as DC (Domain Controller) for Unix clients.
    Note the difference from d): Samba as PDC, not a WinNT server as PDC!

    Description

  • Resource-sharing: yes (Filesystem=NFS/SMB)
  • Configuration: fancy, but works!
  • Administration: Copy of WinNT-partition makes it easy to restore WinNT-Workstation!
  • Links: Just read ahead!


    2) Installation of Samba

    Caution! If you are going to use Samba you have to think twice before you start to work with it!
    Before you get the Samba source and before you start the installation procedure,
    you need to be sure what you want to use Samba for (e.g. Samba as PDC or just as a file server?)
    and what your current environment is
    (e.g. do you have "NIS/YP", are you using "automount" or "shadow passwords"?).
    I will try to describe the installation procedure step by step.
    Your first step is the most important: get the right Samba source!

    a) Get Samba source

    If you are reading Samba's mailing list for the first time,
    you will easily get confused by names like "HEAD version",
    "CVS source", "NT_DOM branch" and so on...

    The truth is that there is more than one Samba version:

  • Official Samba release version (currently 2.0.6),
    which you can download directly from the Samba server (people say: "ftp" or "http" version)

  • Current working version, which you can download via the CVS system
    (people say: "HEAD version", "CVS source", "NT_DOM branch");
    this version has some "branches" for special requirements (like PDC support).

    If you aren't careful you will download the "ftp version" and you may not
    realize until days later that you are working with the "wrong" version of Samba!
    (Example: "Why does the User-Domain Manager respond with: RPC call exception?")

    Anyway, what you really want to know is how to get the right version:

  • The official Samba release you can download directly with your web browser (via ftp or http).
    This version makes Samba a file server (e.g. NFS/SMB gateway), and additionally you can use it as a logon server or profile server for your Windows clients.

  • The current working version you can access via CVS, see http://cvs.samba.org/cvs.html
    For example, to download the latest Samba Domain Controller source code:
    obtain a recent copy of the cvs client binary (available from ftp://download.cyclic.com/pub/).
    Then run the following command: "cvs -d :pserver:cvs@samba.org:/cvsroot login"
    When you are prompted for a password, enter 'cvs' without the quotes.
    Then run the command: "cvs -d :pserver:cvs@samba.org:/cvsroot co samba"
    To update your source code later, run the command: "cvs update -d -P"

    b) Build Samba

    However you've gotten your copy of Samba, now you need to install it properly.
    The second step is as important as the first: installation options!

    In the original Samba documentation you can find:
    "first run the program ./configure in the source directory.
    This should automatically configure Samba for your operating system.
    If you have unusual needs then you may wish to run ./configure --help
    to see what special options you can enable. Then type "make". This will create the binaries."

    The truth is, every Unix system is unusual!

  • Before running "./configure", check your environment and then run ./configure --help
    Examples of what is "unusual", see below:
  • NIS+ or PAM password database
  • if your system uses "automount"
  • if your system uses AFS, DFS or SSL support
  • and more...
  • PS: You may need to make ./configure executable (chmod +x ./configure).

  • Before running "make", "make install":
    In the Samba mailing list you can find expressions like this:
    "We have to compile the Samba suite with -Wshadow"

    The truth is, you may need some options for the make procedure.

    It means you may need to set some environment flags like:
    "export CFLAGS='-g -Wall -Wshadow'" or "export LDFLAGS=-lnls"
    Example: To compile Samba for a system with "shadow passwords"
    you have to set "export CFLAGS=-Wshadow" in your environment.
    At this point it is impossible to say whether you need some flags for your environment.
    Unfortunately I didn't find any documentation about it...
    You may wish to run "make --help" to see the make options.

    c) Problems so far...

    - The make procedure can stop with an error message...
    (For example, some of the C libs weren't available on the system.
    Solution: I copied those libraries from the distribution pack.)

    - The make procedure stops without messages or never stops
    (Well, it was funny: my local date was 1989,
    and that caused this behaviour! It may happen on your system after Y2K?!)

    3) Configuration of Samba


    a) smb.conf

    The configuration of Samba is done in the smb.conf file.
    Here you put all necessary parameters.
    The configuration depends on your environment and your purpose for Samba.
    There are many documents which describe the settings for this file, but

    my goal is to show you some examples:

  • First few steps
  • Setup smbpasswd/smbclient
  • Setup simple netlogon
  • Setup printer
  • Setup Samba as PDC
  • Setup roaming profiles
  • Setup password-synchronisation
  • About passwords & security

    First few steps:

    First you have to create your smb.conf file,
    or copy "smb.conf.default" from ./examples to your ./lib.
    I suggest you take a copy of "smb.conf.default" and change it:

    Main section: [global] - Samba server global or default parameter settings

    workgroup = YourGroup
    server string = YourSambaServer
    hosts allow = 127.198.245. localhost
    ; ... and any other host you want to allow
    security = user
    encrypt passwords = yes
    ; If problems occur -> try "security = share" and "encrypt passwords = no"


    Other-Sections: describes a shared resource (known as a "share")

    [homes] is used for the service which connects clients to their home directories.

    For this first example we want to try "smbclient //yourhostname/user -U user":
    [homes]
    guest ok = no
    read only = no

    [netlogon] is used for logons to a shared directory (e.g. to connect to the software archive)

    [profiles] is used for server-stored profiles (roaming profiles).
    There you set the options of the profiles share.

    [printers] is used to connect to any printer specified in the local
    host's printcap file. This share MUST be printable (e.g. printable = yes).

    b) start Samba(smbd/nmbd)

    After you're done editing smb.conf you can test it with ./testparm
    The first time, it is easiest to start Samba with:
    /usr/local/samba/bin/smbd -D
    /usr/local/samba/bin/nmbd -D
    (You may create a start script for this action)
    To stop it, send a kill signal to the nmbd and smbd processes.

    c) smbclient

    Now we can test Samba with: "smbclient //yourhostname/user -U user"
    The first time, run everything as root!
  • Generate the smbpasswd file from your /etc/passwd file:
    cat /etc/passwd | mksmbpasswd.sh > /usr/local/samba/private/smbpasswd
    For NIS use:
    ypcat passwd | mksmbpasswd.sh > /usr/local/samba/private/smbpasswd
    For NIS this will create valid users but no passwords -> create the user password with:
    smbpasswd -U username
  • Set permissions and owner of /usr/local/samba/private to root:
    chmod 500 /usr/local/samba/private
  • Set permissions and owner of the smbpasswd file in the private directory to root:
    chmod 600 smbpasswd
  • Then enable a valid user:
    ./smbpasswd -e username
  • Finally you can log in to Samba:
    ./smbclient //yourhostname/user -U user
  • Problems so far... (see f) below)

    d) Netlogon

    Once we can log on to Samba with "smbclient", we can try a netlogon from a Windows client.
    You can of course use the share from the last example, but let us define a netlogon share:
    "//yourhostname/netlogon", which will be defined in the [netlogon] section.
    NOTE: If you use "plain" passwords, you have to set the Windows client to accept "plain" passwords.
    Get more information about "passwords" & "security" in section 4d) below.
  • Create an account on the Unix box for the Windows PC (MACHINE$ account)
    For example: my Windows PC is named Apollo13, then in passwd use:
    UserID=Apollo13$
    password=apollo13
    NOTE: Password = name of the machine in lowercase!
  • Add this account to smbpasswd:
    ./smbpasswd -a -m Apollo13$
    ./smbpasswd -e Apollo13$

  • Enable [netlogon] section in smb.conf
    [netlogon]
    comment = Network Logon Service
    path = /usr/local/samba/lib/netlogon
    guest ok = Yes

  • You may need to create the directory specified in the netlogon share:
    ../samba/lib/netlogon
  • At this point I restarted Samba and then the Windows PC.
    Then you may check whether the netlogon share is available:
    ./smbclient //Apollo13/netlogon -U user
  • Finally you can log in to Samba from your Windows PC:
    Explorer->Connect Drive:
    path=//Apollo13/netlogon
    user= valid user

  • You may want to mount your home dir from your Windows PC (last example):
    Explorer->Connect Drive:
    path=//Apollo13/user1
    user=user1

  • Problems so far... (see f) below)
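The two steps above, generating smbpasswd from passwd/ypcat output (section c) and adding MACHINE$ accounts (section d), as an added example that is not part of this note or of Samba: a shell emulation of what mksmbpasswd.sh writes, plus a check for which entries of the resulting file can actually log on. Flagging names that end in "$" as workstation accounts ([W]) is my addition (the stock script writes [U] for every line; the real machine account is created with smbpasswd -a -m as shown above); all input lines and the hex hash fields are constructed placeholders.

```shell
#!/bin/sh
# Added example: emulate mksmbpasswd.sh and audit the result (not Samba's own code).

# Constructed passwd(5) lines, as "cat /etc/passwd" or "ypcat passwd" would print them.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/sh
user1:x:1001:100:Test User One:/home/user1:/bin/sh
Apollo13$:x:1500:100:Win PC Apollo13:/dev/null:/bin/false'

# Constructed smbpasswd(5) lines for the audit. The hex fields are placeholder
# values standing in for the 16-byte LM/NT hashes, not real password hashes.
SAMPLE_SMBPASSWD='# SMB password file.
user1:1001:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:0123456789ABCDEF0123456789ABCDEF:[U          ]:LCT-3845E1A2:
user2:1002:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:0123456789ABCDEF0123456789ABCDEF:[UD         ]:LCT-3845E1A2:
user3:1003:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:[U          ]:LCT-00000000:'

# passwd_to_smbpasswd: passwd(5) lines on stdin -> smbpasswd(5) lines on stdout.
# Like the stock mksmbpasswd.sh, every entry gets 32 X characters in place of
# the LM hash and the NT hash (no password set yet) and LCT-00000000 as the
# last-change time. Unlike the stock script, a name ending in '$' is flagged
# [W] (workstation trust account) instead of [U]; that part is my addition.
passwd_to_smbpasswd() {
  awk -F: '
    NF < 3 { next }
    {
      flag = sprintf("[%-11s]", ($1 ~ /\$$/) ? "W" : "U")
      printf("%s:%s:%s:%s:%s:LCT-00000000:%s\n", $1, $3,
             "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX",
             "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX", flag, $5)
    }'
}

# usable_accounts: smbpasswd(5) lines on stdin -> names of accounts that can
# actually log on: the NT hash field is set (not all X) and the flags carry
# neither D (disabled) nor N (no password required). Everything that
# mksmbpasswd.sh produced fails this check until "smbpasswd <user>" sets a
# password and "smbpasswd -e <user>" enables the account, which is the usual
# reason for "BAD password" right after the conversion.
usable_accounts() {
  awk -F: '
    /^#/ || NF < 5 { next }
    $4 ~ /^X+$/   { next }
    $5 ~ /[DN]/   { next }
    { print $1 }'
}

# Demonstration on the constructed input.
printf '%s\n' "$SAMPLE_PASSWD" | passwd_to_smbpasswd
echo "accounts able to log on:"
printf '%s\n' "$SAMPLE_SMBPASSWD" | usable_accounts
```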

    e) Printing

    If you enable the print share, Samba will receive the file
    from the PC and pass it to an external "print command".
    Which print command you use depends on your environment.

  • Printing parameters (in the [global] section):
    load printers = yes
    print command = lpr -r -P%p %s
    lpq command = lpq -P%p
    lprm command = lprm -P%p %j
    printer name = "your printer"
    printer driver =
    printer driver location =
    printer driver file = /usr/local/samba/lib/printers.def
    printcap name = /etc/printcap
  • Then you need to enable the [printers] section:
    [printers]
    path = /usr/local/samba/printer
    public = yes
    writable = no
    browseable = yes
    printable = yes
  • Configure your printer.
    It is well described in the original Samba documentation (printing).
  • You may need to install the driver for your specific printer.
    It is well described in the original Samba documentation (printer driver).

    f) Problems so far:

    Please note: at this point many things can cause problems;
    it depends on your environment, your OS and your Samba version.
    Many solutions can be found in the samba mailing list.

    Here are the problems which I had, and some from the Samba docs:
  • "Network is not available" -> basic network problems (try ping!)
  • "BAD password...." -> Check the user|machine account in passwd|smbpasswd (the user needs to be enabled!)
  • smbclient works fine, but you can't log in from the Windows client -> Check if your Windows client is using the NetBEUI protocol; if yes -> remove/disable it!
  • You can connect to Samba, but you can't disconnect -> look in the mailing list, there you will find a couple of reasons/solutions
  • Some Unix/Linux distributions dislike "$" in the UID -> create UserID=MyWinPC and add the "$" manually in passwd!

    4) Samba NT Domain PDC support


    a) Samba as PDC

    Note: Samba as PDC works only with encrypted passwords, and
    you also need to set "security = user" in your smb.conf.
    Additionally check your version of Samba.

  • First you need to create a MACHINE$ account for each Windows PC (see description above).
  • Tell the workstations to use Samba as their PDC: set "domain logons = yes" in your smb.conf
  • At this point I restarted Samba and then the Windows PC.
    Then you may check whether your home share is available: ./smbclient //Apollo13/user -U user
  • Now you need to tell the Windows PC to use Samba as Domain Controller: in the Network Settings, change the domain to "YourGroup"
    (which is taken from smb.conf: workgroup = YourGroup)
    You should get the message: "Welcome to the YourGroup Domain."
    If you don't, then check all steps above again and see also Problems so far...

    Let's say you can log in to your Samba PDC; now you may want to set up server-stored profiles.

    b) Roaming profiles

    First you need to choose:
    i) One standard profile for everyone (without profile update)
    ii) One profile for each user (with/without profile update)
    iii) Mixed solution
    (for example students (standard) / staff (individual) profiles)
    Then you need to choose where to store the remote profile:
    i) In a profile directory on the Samba machine
    ii) In every user's home dir
    iii) On a separate profile server machine
    For my environment I chose:
    - One profile for each user
    - The user is allowed to modify their profile (= update profile)
    - The profile is stored in the user's home dir
    PS: I tested it only with WinNT clients (for Win95 see the Samba documentation)

    On the WinNT client (you have to be a local Administrator!):
    Note: You may want to make the "root" user an Administrator on each Windows PC.
    See the Samba documentation for more details.

  • Create a standard profile locally (for the first logon) via: Programs->Administration->User Manager->New user
  • Copy the local profile to the remote profile on the Samba machine via: Settings->System->User Profile->Change Type->copy/remote

    On the Samba machine (you have to be root!):

  • In smb.conf enable the [Profiles] section:
    if you want profiles in the user home directory: path = /home
    if you want profiles in a separate "profile" directory:
    path = /usr/local/samba/profiles (+ you have to create it!)
    set writable = yes (= update profile allowed)

    In the [global] section:
    set logon path = \\%N\Profiles\%U
    Note: You may want to use a per-user or per-machine logon script
    (Because of CR/LF: write this script under Windows and then copy it to Unix!)
  • Distribute the standard profile to all users: you can write a "distribute to all" script or
    a "user's first logon" script for this job!
    Otherwise, just copy it by hand...
    Note:
    Do not forget to change protection/ownership
    of the user profile dirs, NTUSER.DAT (or USER.DAT),
    and "username".pds to the user!
    If it doesn't work, then check all steps above again and see also Problems so far...


    c) Samba-Unix (NIS) password synchronisation

    Samba offers a "one way" synchronisation of passwords (Samba->Unix)

    [global] parameters:
    (in your smb.conf file)
    unix password sync = yes|no
    passwd program = (path + your passwd or yppasswd program)
    passwd chat = (I/O syntax of your passwd program)

    Settings:
    (passwd for root on the Samba machine)
    unix password sync = yes
    passwd program = /bin/passwd %u
    passwd chat = *pass* %n\n *pass* %n\n *suc*

    The trick: "two way" password synchronisation
    Once you have set up the "one way" synchronisation of passwords (see above),
    you can use a "symbolic link" or "alias" to let "passwd" point to "smbpasswd"!

    Problem: it works only for the user "root" on the Samba machine
    If you are using NIS or you are not "root" this won't work,
    because passwd or yppasswd requires the old password in plaintext.
    With SMB encryption (see below) Samba is unable to send plaintext passwords
    over the network and your passwd/yppasswd will fail...

    Solution: NIS-Samba password synchronisation
  • Run Samba on your NIS machine
  • Use passwd+make instead of yppasswd as your password program
  • On Unix clients let passwd/yppasswd point to the local smbpasswd client

    In this case your "passwd" (for the "root" user) won't ask you for the old password.
    The disadvantage of "passwd" is the make procedure, which must be run after each passwd,
    but you can run it automatically if you add the "make" command to the "passwd program" parameter!
    (PS: please check that your make program does not create a temporary passwd file.
    To verify this: if you can change a test user's password (using passwd+make) twice -> you are fine)
    Last step: the smbpasswd client can do remote authentication.
    On each Unix client let passwd/yppasswd point to the local smbpasswd program, and for the smbpasswd
    program you need to set the location of your Samba password server (your Samba/NIS master).
    See the smbpasswd documentation for more details.

    Examples

  • My settings (for HP-UX 10.20)
    unix password sync = yes
    passwd program = /bin/passwd %u; make /var/yp/passwd
    passwd chat = *pass* %n\n *pass* %n\n *updated* *pushed*

  • Others' settings (for SunOS 5.5)
    unix password sync = yes
    passwd program = /bin/passwd -r files %u; cd /var/yp; make passwd
    passwd chat = *New\spass:* %n\n *new\spass:* %n\n *updated\spas*.*pushed\spass*
  • My settings (for local Linux SuSE)
    unix password sync = yes
    passwd program = /usr/bin/passwd %u
    passwd chat = *pass* %n\n *pass* %n\n *suc*

  • More examples you can find in the Samba NT_DOM mailing list
    If it doesn't work, then check all steps above again and see also Problems so far...


    d) About passwords and security

    (Some of this information I found in the Samba documentation)

    [global] parameters:
    security = share|user|server (in most cases: user)
    encrypt passwords = yes|no (in most cases: yes)

    Settings:
  • For plain passwords (I've tested it, it works fine):
    security = share
    encrypt passwords = no
    Each Windows client has to be set up to send plain passwords.
    See the Samba documentation for more information.
  • For Samba PDC support:
    security = user
    encrypt passwords = yes
    otherwise it won't work!
    Problem:
    The Unix scheme typically sends clear text passwords over the network
    when logging in. This is bad.
    The SMB encryption scheme never sends the cleartext password over the
    network, but it does store the 16 byte hashed values ("password equivalents"!)
    on disk. This is also bad.

    Note:
    Windows NT 4.0 Service Pack 3 changed the default for permissible
    authentication so that plain passwords are *never* sent over the wire.
    You will find that it is easy to use Samba with "encrypt passwords = yes".
    For password synchronisation see the chapter above.

    Advantages of SMB encryption:
    - plain text passwords are not passed across the network. Someone using
    a network sniffer cannot just record passwords going to the SMB server.
    - WinNT doesn't like talking to a server that isn't using SMB
    encrypted passwords. It will refuse to browse the server if the server
    is also in user level security mode. It will insist on prompting the
    user for the password on each connection, which is very annoying.
    The only thing you can do to stop this is to use SMB encryption.

    Advantages of non-encrypted passwords:
    - plain text passwords are not kept on disk.
    - uses the same password file as other Unix services such as login and ftp
    - you are probably already using other services (such as telnet and ftp)
    which send plain text passwords over the net, so not sending them
    for SMB isn't such a big deal.
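As an added example that is not part of this note or of Samba, the shell function below reads an smb.conf and checks the settings sections a) and d) call mandatory for a Samba PDC (security = user, encrypt passwords = yes, domain logons = yes, a [netlogon] share), flagging the plain-password setup from d) beside a passing configuration. Both configuration fragments are constructed for the demonstration; key names are normalised the way Samba compares them (case and whitespace ignored), but the check itself is mine, not testparm.

```shell
#!/bin/sh
# Added example: audit smb.conf for the PDC-relevant settings (not Samba's own code).

# Constructed smb.conf carrying the settings the note requires for a PDC.
GOOD_CONF='[global]
   workgroup = YourGroup
   security = user
   Encrypt Passwords = Yes
   domain logons = yes
   unix password sync = yes

[netlogon]
   comment = Network Logon Service
   path = /usr/local/samba/lib/netlogon
   guest ok = yes

[homes]
   read only = no'

# Constructed "plain passwords" setup from section d): fine for simple file
# serving, but every logon then carries the password in clear text over the
# wire, NT 4.0 SP3+ clients refuse it by default, and a PDC cannot run this way.
WEAK_CONF='[global]
   workgroup = YourGroup
   security = share
   encrypt passwords = no

[homes]
   read only = no'

# check_pdc_conf: smb.conf text on stdin. Prints one line per problem and
# returns 1 if any were found, 0 if the file passes. Keys are normalised as
# Samba does it (lower-cased, whitespace removed), so "Encrypt Passwords"
# and "encrypt passwords" name the same parameter.
check_pdc_conf() {
  awk '
    function norm(s)    { s = tolower(s); gsub(/[ \t]/, "", s); return s }
    function is_true(v) { return v == "yes" || v == "true" || v == "1" }
    /^[ \t]*[;#]/ || /^[ \t]*$/ { next }          # comment or blank line
    /^[ \t]*\[/ {                                 # [section] header
      sect = norm($0); sub(/^\[/, "", sect); sub(/]$/, "", sect)
      seen[sect] = 1; next
    }
    index($0, "=") {                              # key = value
      key = norm(substr($0, 1, index($0, "=") - 1))
      val = norm(substr($0, index($0, "=") + 1))
      if (sect == "global") g[key] = val
      next
    }
    END {
      n = 0
      if (g["security"] != "user")
        p[n++] = "security must be user for a PDC (found: \"" g["security"] "\")"
      if (!is_true(g["encryptpasswords"]))
        p[n++] = "encrypt passwords must be yes (plain passwords cross the wire in clear text)"
      if (!is_true(g["domainlogons"]))
        p[n++] = "domain logons = yes is missing, so workstations will not use this server as PDC"
      if (!("netlogon" in seen))
        p[n++] = "[netlogon] share is missing"
      for (i = 0; i < n; i++) print p[i]
      exit n > 0
    }'
}

# Demonstration on the constructed fragments.
echo "good conf:"; printf '%s\n' "$GOOD_CONF" | check_pdc_conf && echo "  no problems found"
echo "weak conf:"; printf '%s\n' "$WEAK_CONF" | check_pdc_conf || true
```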


    e) Problems so far...

    Please note: at this point many things can cause problems;
    it depends on your environment, your OS and your Samba version.
    Many solutions can be found in the samba mailing list.

    Here are the problems which I had, and some from the Samba docs:
  • Windows client can't find the Samba PDC
    -> Check if your Windows client is using the NetBEUI protocol; if yes -> remove/disable it!
  • Windows client message: unable to update remote profile
    -> Client time is not synchronized (use: net time \\MyPDCserver /set /yes), or
    the logon path should be writable and browsable by the current user;
    the user needs permission/ownership of his profile files!
  • No remote profile found
    -> Check if the logon path & the path in [Profiles] are set correctly
    and are writable and browsable by the user;
    the "username".pds file is not available!

    Last Modified: 30.11.1999 Alexej Kupin