Possible NT / UNIX integration solutions

• NISGINA NIS authentication for NT
• Unix/NT Integration Software
• Unix -> NT password Integration

• SAMBA

CUSTOMIZING NOTES:

•  Answer files: (unattend.txt) provides unattended answers
•  Specify with /U to winnt command
•  Uniqueness Database Files: (UDFs) Provides unique answers
•  $OEM$ directory (install additional stuff)
•  $OEM$\$$ directory: Reproduce directory tree in and under %windir%. sysdiff can also build this directory. (Does it wipe out stuff we add manually in there?)
•  Sysdiff utility
  • Requires sysdiff.inf, example in resource kit file. Also on NT Workstation CD in support directory.
  • Three steps to implement it:
    1. Create a snapshot file
       sysdiff /snap snapshotfilename
    2. Create a difference file
       sysdiff /diff snapshotfilename difffile
    3. Create an $OEM$ structure and cmdlines.txt file that will alter registry as needed
       sysdiff /diff difffile x:\
       where x:\ is the directory above the $oem$ dir ($oem$ root)
  • Before running sysdiff, must follow steps to prepare the computer for creating a diff file. Refer to the SYSDIFF prep page for these steps.
  • Microsoft Knowledge Base Article on Sysdiff problems
•  To set administrator password automatically, use $oem$\Cmdlines.txt file.
• See http://www.microsoft.com/kb/articles/q158/4/84.htm
• Need to run stuff out of RunOnce registry method because:
  • boot.ini gets altered right up to last reboot. To make changes, use runonce key.
  • Can't share another drive when Cmdlines.txt executes. "No logon session exists" is the error.
  • Setting security on files/dirs during Cmdlines.txt is probably equally as useless. After Cmdlines.txt runs, NT setup "sets security on files."
• Kill install of IE2 and INBOX by editing syssetup.inf (see page 124 of deployment guide for Windows NT)

Service Packs

To extract the service pack files, use the /x switch.

Allow Samba Unencrypted Passwords

HKLM,System\CurrentControlSet\Services\Rdr\Parameters,"EnablePlainTextPassword", 0x10001, 1

NOTE: This violates one of our implementation goals.

Client Notes

Home Directories

Specifying a home directory pointing to samba will NOT work if user is using a netware client. Works fine for standard login, either via account on local machine or home directory assumed through login via a PDC.

Samba smb.conf settings

The settings for above test were...

[global]
   security = server
   password server = pumpkin
   encrypted passwords = yes

It also appears to work if security is set to user, password server is not set and encrypted passwords are set to off -- which is encouraging..

Adding Computer to Domain

10.0.2.15  pumpkin #DOM:BABYLON

Also, a "computer account" for the computer must be created on the PDC before you attempt an install. If this is a reinstall, the old account must be deleted, then re-created. Otherwise the install will fail when it attempts to add the computer to the domain. (This does not apply if it is only being added to a workgroup).

Example:

NET COMPUTER \\COMPUTERNAME /DEL
NET COMPUTER \\COMPUTERNAME /ADD

Roving Profiles

UPDATE: The newsgroup comp.protocols.smb newsgroup reports that adding line "max mux = 50" to [global] section allows roving profiles to work without hanging -- and it works now as advertised!

Profiles can be made mandatory by storing them under \\pdc\netlogon\default.man\ directory.

System Policy Notes

• Stored as NTCONFIG.POL in netlogon share of machine that authenticates the logon.
• This file not automatically replicated to other servers, BDC or otherwise
• Page on NT 4.0 policies
• JSI Inc's NT resource Page. Has utility to run a batch job at boot, before login. We need a way to clean c:\temp out. Either that, or login batch file could do it. (Other useful stuff on this page as well)
• Want to do an auto admin login? Not if the DontDisplayLastUserName key is set to 1 in HKLM\software\microsoft\WindowsNT\CurrentVersion\Winlogon. This one wasted me a day until I figured it out by trial and error.
• If allowing access to control panels, delete the "Settings" tab in the Display panel using policy editor

Control Panels

main, ups, timedate, sysdm, srvmgr, ports, ncpa, modem, mmsys, intl, access, desk (but restrict Settings tab)

Security notes

• ZAK has a script for setting file permissions
  • This script is way too strict and needs to be tamed a bit. For example, it denies access to diskcopy.exe
• ntoskrnl.exe should be set to execute only to prevent a security problem
• Running cacls using sample acls.cmd file is changing acls on files all over the file system, including temporary directory. Perhaps this would be better using the "runonce" key, which should run after the install directory is deleted.
• David LeBlanc, in a newsgroup post, recommends locking down HKLM\Software registry tree, which should make most user software installs fail.
• He also suggests using the key HKLM\Software\Microsoft\WindowsNT\CurrentVersion\Winlogon\userinit to run a process on login that cleans up a lot of temporary and/or user installed files on login.

NISGINA notes

• Follow notes in INSTALL document
• To allow ypset to set to server outside of broadcast net, must run ypbindservice with -ypsetme option and create directory and file named /var/yp/binding/domainname/ypservers and list the yp servers in it. Then ypset can be used to point to an nis server
• Don't know how to make ypset to run before the login prompt.
• Had some troubles getting NISGINA to login to home directory when samba was passing login info to NT
• yp utils do not seem to read NISGINA registry keys when logged in via a non-administrator account. yp clients complain about not being able to contact the domainname that is compiled into NISGINA binaries...
• I'm not crazy about password changes from NT. That would mean no "crack" library would be checked for a good password.
• Big plus of this solution would be lack of need for NT server.