Joining NT 4 to a SAMBA Domain Controller

or the Unbridled rage of living on the trailing edge.

I hosted a Porting Party last where where I setup my Dec Alpha as a terminal server allowing people from all over the world to connect in and cross compile software for the 64bit version of Windows for the Dec Alpha. While many problems were overcome, and many more remain, I have to say the most annoying thing was joining a domain hosted by a SAMBA server.

In my mind, I though the easiest way to get files in & out of the Alpha was not to use something like IIS/FTP where it would probably lead to end-less issues with text/binary/active/passive modes, but rather I should rent a VPS, install the OS default SAMBA and just map drives. The benefit of the VPS is that it has a public address, so no NAT is required. The VPS had an option for either CentOS (no) or Debian 10. I went with the Debian, and did an in place upgrade to 11, then 12. Nothing special.

I’d never actually used SAMBA as a domain controller before, but I thought this would be a fun experiment. So the idea is then that the VPS running SAMBA is the Domain Controller, and my Alpha joins it as a member server. Everyone else can use Windows or any SAMBA client and map drives, and then copy files to the VPS, and then copy back and forth from the Alpha to the VPS. This part worked fine.

What didn’t work was SAMBA version 4.

I had come up with this config, based on the fragments of the default config, and and hints from

    netbios name = PDC
    passdb backend = tdbsam
    server max protocol = NT1
    username map = /usr/local/samba/etc/
    workgroup = ALPHAPARTY
    server string = Samba Server
    security = user
    hosts allow =, <<<peoples networks...>>>
    load printers = yes
    log file = /usr/local/samba/var/log.%m
    max log size = 50
    passdb backend = tdbsam
    local master = yes
    os level = 33
    domain master = yes
    preferred master = yes
    domain logons = yes
    wins support = yes
    dns proxy = no
    add user script = /usr/sbin/useradd %u
    add group script = /usr/sbin/groupadd %g
    add machine script = /usr/sbin/adduser -n -g machines -c Machine -d /dev/null -s /bin/false %u
    delete user script = /usr/sbin/userdel %u
    delete user from group script = /usr/sbin/deluser %u %g
    delete group script = /usr/sbin/groupdel %g
    comment = Home Directories
    browseable = no
    writable = yes
    comment = All Printers
    path = /usr/spool/samba
    browseable = no
    guest ok = no
    writable = no
    printable = yes
    comment = share for everyone
    path = /public
    public = yes
    writable = yes
    printable = no
    creaet mask = 0777

I had endless issues with the machine account not being either created correctly or not being authenticated. I tried manually creating it, to no avail. No matter what I tried it didn’t work.

Working with NT 4.0 must be depreciated or something but no matter what I tried IT JUST DIDN’T WORK.

Feeling outraged, I purged the old Samba, downloaded the source code to 3.6.25, built that, and using the same configuration I had tried to put together, it just worked.

Dec Alpha joining the SMB Domain

Adding users was somewhat straight forward:

useradd -M -s /bin/bash neozeed
passwd neozeed
/usr/local/samba/bin/smbpasswd -a neozeed
/usr/local/samba/bin/smbpasswd -e neozeed
mkdir /home/neozeed
chown neozeed /home/neozeed/

Creating both a Linux user & directory, and the SAMBA credentials. On the terminal server, all that remains was assigning a local home directory & profile directories, as you really don’t want those over the WAN.

I have no idea if this is a warning to others, or whatever the larger issue is.

Porting Party II

At any rate I’ll be running another porting party this coming weekend. I can host cross compiling fine, but we need people with the 64bit Whistler beta installed to test. The best way to get details is over on discord. Lately the IRC bridge is down more than it’s up, and I can’t effectively send out passwords & get your network block to allow access to the RDP, since I’m not going to open up worldwide access to a Windows NT 4.0 SP5 machine.

Porting Party II

So for anyone interested in porting their C/C++ to either the 32bit Alpha Windows, or 64bit Alpha Windows come join us on discord!

I’ll fire up the Alpha on Friday afternoon GMT and expect the event to run all weekend!

7 thoughts on “Joining NT 4 to a SAMBA Domain Controller

  1. Yeah basically the primary design goal of Samba4 was support for 2k+ style AD domains. I don’t think it supports NT style domains at all anymore.
    Going back the other way, modern Linux hosts won’t mount shares from an NT4/Win2k box anymore either, although you can still access them manually using smbclient and the impacket tools.

    What did you guys manage to get built for AXP64? Anything available for download?

    Do you happen to know if there is a win2k rc version of the DDK with alpha/axp64 support? The publicly available version is 2k sp1 and has the alpha support mostly stripped out (eg its missing among other things), as i was trying to build some drivers.

  2. From the release notes of Samba 4.16.0:

    SMB1 protocol has been deprecated, particularly older dialects

    We take this opportunity to remind that we have deprecated and
    disabled by default, but not removed, the whole SMB1 protocol since
    Samba 4.11. If needed for security purposes or code maintenance we
    will continue to remove older protocol commands and dialects that are
    unused or have been replaced in more modern SMB1 versions.

    We specifically deprecate the older dialects older than “NT LM 0.12”
    (also known as “NT LANMAN 1.0” and “NT1”).

    Please note that “NT LM 0.12” is the dialect used by software as old
    as Windows 95, Windows NT and Samba 2.0, so this deprecation applies
    to DOS and similar era clients.

    We do reassure that that ‘simple’ operation of older clients than
    these (eg DOS) will, while untested, continue for the near future, our
    purpose is not to cripple use of Samba in unique situations, but to
    reduce the maintaince burden.

    Eventually SMB1 as a whole will be removed, but no broader change is
    announced for 4.16.

    In the rare case where the above changes cause incompatibilities,
    users requiring support for these features will need to use older
    versions of Samba.

    • Well that explains it!

      Someone should poke someone who maintains/owns that the NT4 PDC stuff is depreciated.

      Thanks for the info!

      Oddly enough I did try v2 and it crashed and bombed right away. I’m just glad v3 worked with no issues.

      • I’m using Samba 4.x with 9x/NT4 clients on an isolated LAN. Since I’m the only one using those clients (PCs), I just disable authentication altogether and it does work. Unfortunately it looks it may not work anymore soon enough. Which is shame, because it’s really nice to be able to have one Linux SMB3 server VM listening on one network and another one listening on the isolated LAN both sharing a directory through virtio-fs. It’s a convenient way to move files to old PCs back and forth in a pretty secure way. Hopefully someone will add Windows Server 2003 support to virtio-fs drivers.

        • I was able to map drives but I wanted the Domain controller ability as I add users for the porting party I don’t want to deal with Linux and NT accounts all over the place. I did like that the Linux VM can have a registered IP so I don’t have to deal with VPNs or NAT. Since the compilers only run on 32bit Alpha NT, I sadly don’t have much choice

  3. Another solution to the NAT issue could be the microsoft research ipv6 stack for nt4/win2k, although there’s no precompiled version for alpha. I don’t seem to have a ddk for win2k and not sure if a version compiled with the nt4 ddk will work (it certainly wont support axp64 but it should work on alpha).

    • if all the vendors didn’t kill their 6to4 support ipv6 would work nicely too, but that is long dead. There is source for the NT 4 stack, although itd require porting, and I’m not all that sure about that! Just renting a registered ip address was much easier.

Leave a Reply