Last night I tried to set up Samba as a PDC on my network. Before that Samba was working fine in most regards. I could see shares both on and from the Samba box. There were some browsing issues, but that's not really related to this. Bottom line is that it worked.
So, I added the netlogon share and the domain logons = yes line to my smb.conf file and then tried to add my XP computer to the domain. I added the computer name with a $ on the end to my passwd file, and then ran smbpasswd -a -m <computername>. Then I went into the network identification and changed to the domain and clicked okay. It wouldn't accept any of the passwords including my user password and the computer username/pw. So I had to try adding root. I used root and it worked.
Then when I rebooted the computer, I changed the logon to domain logon instead of computer logon and put in my username and password and it said that there wasn't a domain to authenticate.
All of this sparked several questions in my mind. Some of these questions were about things I thought I had a strong grasp on, but obviously don't.
1) Why did the computer authenticate successfully to join the domain, but not to log on to it?
2) How does a Samba user have "root access" to a Linux computer?
3) Is there a correlation between the Samba password and the Linux username's permissions? If not, how do you determine permissions except on a by-share basis?
4) Could you have a Samba username without a matching Linux username?
5) What is the purpose of the computer account if you have to log in with a normal username?
6) How do you distinguish Samba usernames that are members of the domain, and ones that are not?
7) How do you restrict shares to members of the domain only? After I failed to log onto the domain, I logged on to the computer and could still access the same shares. I just was denied the right to browse the domain.
If any of these questions need clarification, please say so. I wrote this haphazardly, and I'm sure it's confusing... because I'm sure as heck confused!