The Special Case of Windows 9x/Me
A domain and a workgroup are exactly the same in terms of network
browsing. The difference is that a distributable authentication
database is associated with a domain, for secure login access to a
network. Also, different access rights can be granted to users if they
successfully authenticate against a domain logon server. Samba-3 does this
now in the same way as MS Windows NT/200x.
The SMB client logging on to a domain has an expectation that every other
server in the domain should accept the same authentication information.
Network browsing functionality of domains and workgroups is identical and
is explained in this documentation under the browsing discussions.
It should be noted that browsing is totally orthogonal to logon support.
Issues related to the single-logon network model are discussed in this
section. Samba supports domain logons, network logon scripts, and user
profiles for MS Windows for Workgroups and MS Windows 9x/Me clients,
which are the focus of this section.
When an SMB client in a domain wishes to log on, it broadcasts requests for a logon server. The first one to
reply gets the job and validates its password using whatever mechanism the Samba administrator has installed.
It is possible (but ill advised) to create a domain where the user database is not shared between servers;
that is, they are effectively workgroup servers advertising themselves as participating in a domain. This
demonstrates how authentication is quite different from but closely involved with domains.
Using these features, you can make your clients verify their logon via
the Samba server, make clients run a batch file when they log on to
the network and download their preferences, desktop, and start menu.
MS Windows XP Home edition is not able to join a domain and does not permit the use of domain logons.
Before launching into the configuration instructions, it is worthwhile to look at how a Windows 9x/Me client
performs a logon:
The client broadcasts (to the IP broadcast address of the subnet it is in)
a NetLogon request. This is sent to the NetBIOS name DOMAIN<1C> at the
NetBIOS layer. The client chooses the first response it receives, which
contains the NetBIOS name of the logon server to use in the format of
1C name is the name
type that is registered by domain controllers (SMB/CIFS servers that provide
the netlogon service).
The client connects to that server, logs on (does an SMBsessetupX) and
then connects to the IPC$ share (using an SMBtconX).
The client does a NetWkstaUserLogon request, which retrieves the name
of the user's logon script.
The client then connects to the NetLogon share and searches for said script.
If it is found and can be read, it is retrieved and executed by the client.
After this, the client disconnects from the NetLogon share.
The client sends a NetUserGetInfo request to the server to retrieve
the user's home share, which is used to search for profiles. Since the
response to the NetUserGetInfo request does not contain much more than
the user's home share, profiles for Windows 9x clients must reside in the user
The client connects to the user's home share and searches for the
user's profile. As it turns out, you can specify the user's home share as
a share name and path. For example,
If the profiles are found, they are implemented.
The client then disconnects from the user's home share and reconnects to
the NetLogon share and looks for
CONFIG.POL, the policies file. If this is
found, it is read and implemented.
The main difference between a PDC and a Windows 9x/Me logon server configuration is:
Password encryption is not required for a Windows 9x/Me logon server. But note
that beginning with MS Windows 98 the default setting is that plaintext
password support is disabled. It can be re-enabled with the registry
changes that are documented in
System and Account Policies.
Windows 9x/Me clients do not require and do not use Machine Trust Accounts.
A Samba PDC will act as a Windows 9x/Me logon server; after all, it does provide the
network logon services that MS Windows 9x/Me expect to find.