The SAMBA-LDAP-PDC Howto
Revision : 1.24
12 Workstations integration
12.1 Microsoft Windows 95 and 98
TODO
12.2 Microsoft Windows NT
TODO
12.3 Microsoft Windows 2000 and XP
TODO: use the W2K requester, using a domain admin group member account.
NICE: screenshots.
12.3.1 RequireSignOrSeal
This registry key (gathered from the Samba-tng lists) is needed for Windows 2000 and XP
clients to join and log on to a Samba domain:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\netlogon\parameters
"RequireSignOrSeal"=dword:00000000
You can change this in the Local or Domain policy editor in Windows 2000.
12.3.2 Fake user root
To allow Microsoft Windows 2000 and XP workstations to join the domain, a root user (uid=0)
must exist and be used when joining a client to the domain [15].
To create this false user (false because the user root should be present in your system files,
not in LDAP), just issue the following commands:
smbldap-useradd.pl -a -m -g 200 root
smbldap-usermod.pl -u 0 -g 0 root
smbldap-passwd.pl root
This workaround makes it possible to avoid creating this fake user root, but permits a massive
security hole if used, as Samba has no real access control on passdb backends:
[15] A workaround/patch exists but will permit a massive security hole if used.
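A read-only check to run after creating the fake root entry, added here as an example and not part of the Howto or the smbldap tools: it parses LDIF such as `ldapsearch -LLL` output and lists posixAccount entries with uidNumber 0 other than the intended fake root. The sample LDIF, the dc=example,dc=org suffix and the function names are constructed for illustration.

```python
import base64

# Constructed sample shaped like `ldapsearch -LLL` output (dc=example,dc=org is made up).
SAMPLE_LDIF = """\
dn: uid=root,ou=Users,dc=example,dc=org
objectClass: posixAccount
uidNumber: 0

dn: uid=jdoe,ou=Users,dc=example,dc=org
objectClass: posixAccount
uidNumber: 1001

dn: uid=backup,ou=Users,dc=exam
 ple,dc=org
objectClass: posixAccount
uid:: YmFja3Vw
uidNumber: 0
"""

def parse_ldif(text):
    """One {lowercased attr: [values]} dict per entry; RFC 2849 folded lines are joined."""
    unfolded = text.replace("\r\n", "\n").replace("\n ", "")
    entries = []
    for block in unfolded.split("\n\n"):
        entry = {}
        for line in block.splitlines():
            if line.startswith("#") or ":" not in line:
                continue
            attr, _, rest = line.partition(":")
            value = rest.strip()
            if rest.startswith(":"):  # "attr:: value" carries base64
                value = base64.b64decode(rest[1:].strip()).decode("utf-8", "replace")
            entry.setdefault(attr.lower(), []).append(value)
        if "dn" in entry:
            entries.append(entry)
    return entries

def uid0_entries(entries):
    """DNs of posixAccount entries whose uidNumber is 0."""
    return [e["dn"][0] for e in entries
            if any(oc.lower() == "posixaccount" for oc in e.get("objectclass", []))
            and any(v.isdigit() and int(v) == 0 for v in e.get("uidnumber", []))]

def unexpected_uid0(entries, expected_dn):
    """uid-0 DNs other than the single fake root entry (plain case-insensitive match)."""
    return [dn for dn in uid0_entries(entries) if dn.lower() != expected_dn.lower()]

if __name__ == "__main__":
    print(unexpected_uid0(parse_ldif(SAMPLE_LDIF), "uid=root,ou=Users,dc=example,dc=org"))
```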
