I finally got it working!

Here is my situation:

All of the PCs on our (former) Workgroup are running Windows 2000 SP2 and I built a server running Mandrake Linux 8.1.

My task:

Make the Linux box a PDC for the Windows 2000 PCs to log into. Eventually set up email and a web server on the Linux box as well.

How I did it:

First let me say that I went through several HOW-TOs and several newsgroups much like this one and they helped a lot... but they all left out the one important final (at least in my case) step that would enable me to log into the PDC from Windows.

I installed Linux from the Mandrake CDs that I purchased on-line. I purchased the "server suite" from Mandrake and found out (on my own... no one ever mentioned it, not Mandrake's support, not the documentation, etc...) that I needed to install Mandrake using the 9th CD in the package entitled "Mandrake Server CD".

If you are trying this yourself and you went through the trouble of buying Mandrake, I highly recommend you install it that way.

I installed all of the options that were available and pertinent to what I wanted to accomplish EXCEPT for SAMBA.

I then downloaded the latest SAMBA (v.2.2.4) and installed it. I did it this way because when I attempted to upgrade my previous installation... it just wouldn't work. Period.

So now SAMBA was running on my Linux box... now for the fun stuff.

I edited my /etc/samba/smb.conf file to look like this:

[global]
#Basic server settings
workgroup = mydomainname
netbios name = myservername
server string = Primary Domain Server running SAMBA %v
socket options = TCP_NODELAY IPTOS_LOWDELAY SO_RCVBUF=8192 SO_SNDBUF=8192


#PDC and master browser settings
os level = 64
preferred master = yes
local master = yes
domain master = yes
domain logons = yes
dns proxy = no

#Security and logging settings
security = user
encrypt passwords = yes
log file = /var/log/samba/log.%m
log level = 2
max log size = 50
hosts allow = 127.0.0.1 192.168.1.0/255.255.255.0
smb passwd file = /etc/samba/smbpasswd
unix password sync = Yes
passwd program = /usr/bin/passwd %u
passwd chat = *New*UNIX*password* %n\n *ReType*new*UNIX*password* %n\n *passwd:*all*authentication*tokens*updated*successfully*


add user script = /usr/sbin/useradd -d /dev/null -g machines -c 'Machine Account' -s /bin/false -M %u


# Domain groups:
domain admin group = root @adm

#============================ Share Definitions ==============================
[Projects]
comment = Project Folders
path = /data-1/projects
browseable = yes
guest ok = no
writable = yes
create mask = 0777

[Temp]
comment = Temporary Swap Space
path = /data-1/temp
browseable = yes
guest ok = no
writable = yes
create mask = 0777

[Acct]
comment = Accounting Information
path = /data-1/acct
valid users = @Supervisor @adm
writable = yes
public = no

[Main]
comment = Main Directory
path = /data-1
valid users = @adm
writable = yes
public = no

[Apps]
comment = Applications
path = /data-1/apps
public = yes
writable = no
write list = @adm

[Archive]
comment = Archived Projects
path = /data-1/archive
public = yes
writable = no
write list = @adm

[Lib]
comment = Electronic Library
path = /data-1/lib
public = yes
writable = no
write list = @adm

[homes]
comment = Home Directory for %u
path = /home/%u
browseable = no
writeable = yes

[netlogon]
comment = Network Logon Service
path = /etc/samba/netlogon
guest ok = yes
writable = no

(small side note: if you're trying to do this yourself, you can easily copy my smb.conf file and make whatever changes you need. I have a hard drive mounted on my system as "data-1" and that's where most of my shares are. If all you do is copy this smb.conf file and put it in place you will have a PDC called "myservername" on the "mydomainname" domain... try to be a little more creative than that)

I could explain what all of that stuff means but I would, instead, recommend that you check out Building and Configuring a SAMBA PDC brought to you by the lovely folks at IBM... the best tutorial out there as it explains almost every entry needed.


I restarted the SAMBA server and voila! I had a SAMBA PDC!

Now I just had to get those Windows 2000 machines to log in... and this is where I hit a roadblock.

I followed the instructions in the Samba HOW-TO Collection for integrating Windows networks with SAMBA.

I added my username as well as the usernames of the rest of the employees by doing the following in Super User mode:

# useradd -s /bin/bash -d /home/"userid" -m "userid"
# passwd "userid"
Enter Password: <pw>

# smbpasswd -a "userid"
Enter Password: <pw>

Now, according to all of the documentation I could find I should be good to go.

I have my /etc/samba/smb.conf set up to automatically create the machine accounts when a computer joins the domain for the first time so I should be able to hop over to my W2K machine and log in, right?

WRONG!

I could see the shares in Network Neighborhood and I could even map them as drives but I couldn't actually "join" the domain. Every time I tried I would get an error message that either said:

"Cannot join domain, the credentials supplied conflict with an existing set"

or

"Invalid username or password"

The reason for the first error?

Remember how I said that I could see the available shares and even map to them? That's the error message you're going to get as a result of doing just that... having a connection to the domain in any way while trying to create your machine trust account.

When you first log into your SAMBA PDC you will create a "machine trust account" for the machine that you are logging in from. This is different from the "machine account" that you either set up manually or, if you're using a configuration like mine, made "on-the-fly". Simply put, SAMBA requires it.

The reason for the second error?

It took me a while to figure it out but this is what I learned:

In order to create a "machine trust account" with SAMBA you have to join the domain (first time only) with a root-level login/password. I learned that from one of the users here on this forum.

I tried using my "root" account on my Linux box to join the domain but still got the same error message... so what gives?

Actually... when you first join the domain you do have to use a root-level login/password... a SAMBA root-level login/password!

So I went back into Super User mode and did the following:

# smbpasswd -a root
Enter Password: <pw>

I used the same password as my "root" user in Linux and you know what happened next?

I was able to successfully join all of my Windows 2000 machines to my new SAMBA PDC!


Things I learned along the way:

If you want to disable the roaming profiles leave out the [Homes] section of your /etc/samba/smb.conf or, in Windows 2000, right-click the "My Computer" icon, select "Properties" and select the "User Profiles" tab. Select the user's name and click on the "Change type" button. Choose "Local Profile".

Whatever you do, don't give your Domain the same name as your Workgroup... it won't work. Period. If you absolutely have to use the same name, change the workgroup name on the machine you are trying to join with first... reboot... then join the domain.

Diet Pepsi goes flat in about 10 minutes... so drink it fast.

If you are going to use roaming profiles, a good policy to implement is to have your users keep a minimal amount of information in their "My Documents" folder and don't put folders full of information on the desktop. Also keep the "Temporary Internet" folders clean. User profiles will send all of the junk you have piled up in your "C:\Documents and Settings\userid" folder to the server when you log out and if you log in from a different machine it will send all of that junk to the new machine. If you have a bunch of crap in those folders it could take quite a while. I had one user who had nearly 300MB of crap in his "My Documents" folder alone... took nearly 15 minutes to log out (oh wait... that was me)

[ 17 June 2002: Message edited by: Nivuahc ]
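
Added example (not part of the original post): a small Python audit run over a constructed excerpt of the smb.conf above, listing shares that allow guest access or whose create mask leaves the world-write bit set. The function name audit_shares and the trimmed sample text are assumptions made for illustration.

```python
import configparser

# Constructed excerpt of the smb.conf from the post (paths and comments trimmed).
SAMPLE_CONF = """
[global]
domain logons = yes
security = user
[Projects]
guest ok = no
writable = yes
create mask = 0777
[Acct]
valid users = @Supervisor @adm
public = no
[Apps]
public = yes
write list = @adm
[netlogon]
guest ok = yes
writable = no
"""

TRUE = {"yes", "true", "1"}

def audit_shares(conf_text):
    """Return {share: [findings]} for guest access and permissive create masks."""
    # interpolation=None keeps Samba's %u / %m variables literal.
    cp = configparser.ConfigParser(interpolation=None, strict=False,
                                   comment_prefixes=("#", ";"))
    cp.read_string(conf_text)
    report = {}
    for share in cp.sections():
        if share.lower() == "global":
            continue
        opts, findings = cp[share], []
        # "public" is a synonym for "guest ok"; this sketch prefers "guest ok".
        guest = opts.get("guest ok", opts.get("public", "no")).lower()
        if guest in TRUE:
            findings.append("guest access allowed")
        # "create mode" is a synonym for "create mask"; the value is octal.
        mask = opts.get("create mask", opts.get("create mode"))
        if mask is not None and int(mask, 8) & 0o002:
            findings.append("create mask %s leaves world-write unmasked" % mask)
        if findings:
            report[share] = findings
    return report

if __name__ == "__main__":
    for name, notes in audit_shares(SAMPLE_CONF).items():
        print(name, "->", "; ".join(notes))
```

To check a live server, pass the contents of /etc/samba/smb.conf to audit_shares instead of the sample string.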