summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorGerald Carter <jerry@samba.org>2001-02-27 21:03:02 +0000
committerGerald Carter <jerry@samba.org>2001-02-27 21:03:02 +0000
commit6ee504d0fc475e57b3465b1eb1ce17374f2865f1 (patch)
tree906077d46db78ac0a1bf85497d75e3f348c21c27
parent750a37026b1db8616ab0e4b0c1ae8c1b39897cdb (diff)
downloadsamba-6ee504d0fc475e57b3465b1eb1ce17374f2865f1.tar.gz
samba-6ee504d0fc475e57b3465b1eb1ce17374f2865f1.tar.bz2
samba-6ee504d0fc475e57b3465b1eb1ce17374f2865f1.zip
autogen
(This used to be commit c52c2fa14e0c7cc48c5072e106abf9b6dfb2479c)
-rw-r--r--docs/htmldocs/DOMAIN_MEMBER.html490
1 files changed, 363 insertions, 127 deletions
diff --git a/docs/htmldocs/DOMAIN_MEMBER.html b/docs/htmldocs/DOMAIN_MEMBER.html
index 847c6c5189..3830c3dac6 100644
--- a/docs/htmldocs/DOMAIN_MEMBER.html
+++ b/docs/htmldocs/DOMAIN_MEMBER.html
@@ -1,127 +1,363 @@
-
-
-
-
-
-
-<html><head><title>Joining an NT Domain with Samba 2.0</title>
-
-<link rev="made" href="mailto:samba@samba.org">
-</head>
-<body>
-
-<hr>
-
-<h1>Joining an NT Domain with Samba 2.0</h1>
-<h2>Jeremy Allison, Samba Team</h2>
-<h2>7th October 1999</h2>
-
-<h1>Table of Contents </h1><p></p>
-
-<p><hr><p><br>
-<p><center>Joining an NT Domain with Samba 2.0 </center>
-<center>----------------------------------- </center>
-<p>In order for a Samba-2 server to join an NT domain, you must first add
-the NetBIOS name of the Samba server to the NT domain on the PDC using
-Server Manager for Domains. This creates the machine account in the
-domain (PDC) SAM. Note that you should add the Samba server as a "Windows
-NT Workstation or Server", <em>NOT</em> as a Primary or backup domain controller.
-<p>Assume you have a Samba-2 server with a NetBIOS name of <code>SERV1</code> and are
-joining an NT domain called <code>DOM</code>, which has a PDC with a NetBIOS name
-of <code>DOMPDC</code> and two backup domain controllers with NetBIOS names <code>DOMBDC1</code>
-and <code>DOMBDC2</code>.
-<p>In order to join the domain, first stop all Samba daemons and run the
-command
-<p><code>smbpasswd -j DOM -r DOMPDC</code>
-<p>as we are joining the domain DOM and the PDC for that domain (the only
-machine that has write access to the domain SAM database) is DOMPDC. If this is
-successful you will see the message:
-<p><code>smbpasswd: Joined domain DOM.</code>
-<p>in your terminal window. See the <a href="smbpasswd.8.html"><strong>smbpasswd</strong></a>
-man page for more details.
-<p>This command goes through the machine account password change
-protocol, then writes the new (random) machine account password for
-this Samba server into a file in the same directory in which an
-smbpasswd file would be stored - normally :
-<p><code>/usr/local/samba/private</code>
-<p>The filename looks like this:
-<p><code>&lt;NT DOMAIN NAME&gt;.&lt;Samba Server Name&gt;.mac</code>
-<p>The <code>.mac</code> suffix stands for machine account password file. So in
-our example above, the file would be called:
-<p><code>DOM.SERV1.mac</code>
-<p>This file is created and owned by root and is not readable by any
-other user. It is the key to the domain-level security for your
-system, and should be treated as carefully as a shadow password file.
-<p>Now, before restarting the Samba daemons you must edit your
-<a href="smb.conf.5.html"><strong>smb.conf</strong></a> file to tell Samba it should now
-use domain security.
-<p>Change (or add) your
-<p><a href="smb.conf.5.html#security"><strong>"security ="</strong></a>
-<p>line in the <a href="smb.conf.5.html#global"><strong>[global]</strong></a> section of your
-<a href="smb.conf.5.html"><strong>smb.conf</strong></a> to read:
-<p><code>security = domain</code>
-<p>Next change the
-<p><a href="smb.conf.5.html#workgroup"><strong>"workgroup ="</strong></a>
-<p>line in the <a href="smb.conf.5.html#global"><strong>[global]</strong></a> section to read:
-<p><code>workgroup = DOM</code>
-<p>as this is the name of the domain we are joining.
-<p>You must also have the parameter <a href="smb.conf.5.html#encryptpasswords"><strong>"encrypt passwords"</strong></a>
-set to <code>"yes"</code> in order for your users to authenticate to the
-NT PDC.
-<p>Finally, add (or modify) a:
-<p><a href="smb.conf.5.html#passwordserver"><strong>"password server ="</strong></a>
-<p>line in the <a href="smb.conf.5.html#global"><strong>[global]</strong></a> section to read:
-<p><code>password server = DOMPDC DOMBDC1 DOMBDC2</code>
-<p>These are the primary and backup domain controllers Samba will attempt
-to contact in order to authenticate users. Samba will try to contact
-each of these servers in order, so you may want to rearrange this list
-in order to spread out the authentication load among domain
-controllers.
-<p>Alternatively, if you want smbd to automatically determine the
-list of Domain controllers to use for authentication, you may set this line to be :
-<p><code>password server = *</code>
-<p>This method, which is new in Samba 2.0.6 and above, allows Samba
-to use exactly the same mechanism that NT does. This method either broadcasts or
-uses a WINS database in order to find domain controllers to
-authenticate against.
-<p>Finally, restart your Samba daemons and get ready for clients to begin
-using domain security!
-<p><center>Why is this better than security = server? </center>
-<center>------------------------------------------ </center>
-<p>Currently, domain security in Samba doesn't free you from having to
-create local Unix users to represent the users attaching to your
-server. This means that if domain user <code>DOM\fred</code> attaches to your
-domain security Samba server, there needs to be a local Unix user fred
-to represent that user in the Unix filesystem. This is very similar to
-the older Samba security mode <a href="smb.conf.5.html#securityequalserver"><strong>"security=server"</strong></a>, where Samba would pass
-through the authentication request to a Windows NT server in the same
-way as a Windows 95 or Windows 98 server would.
-<p>The advantage to domain-level security is that the authentication in
-domain-level security is passed down the authenticated RPC channel in
-exactly the same way that an NT server would do it. This means Samba
-servers now participate in domain trust relationships in exactly the
-same way NT servers do (i.e., you can add Samba servers into a
-resource domain and have the authentication passed on from a resource
-domain PDC to an account domain PDC.
-<p>In addition, with <a href="smb.conf.5.html#securityequalserver"><strong>"security=server"</strong></a> every Samba daemon on a
-server has to keep a connection open to the authenticating server for
-as long as that daemon lasts. This can drain the connection resources
-on a Microsoft NT server and cause it to run out of available
-connections. With <a href="smb.conf.5.html#securityequaldomain"><strong>"security =domain"</strong></a>, however, the Samba
-daemons connect to the PDC/BDC only for as long as is necessary to
-authenticate the user, and then drop the connection, thus conserving
-PDC connection resources.
-<p>And finally, acting in the same manner as an NT server authenticating
-to a PDC means that as part of the authentication reply, the Samba
-server gets the user identification information such as the user SID,
-the list of NT groups the user belongs to, etc. All this information
-will allow Samba to be extended in the future into a mode the
-developers currently call appliance mode. In this mode, no local Unix
-users will be necessary, and Samba will generate Unix uids and gids
-from the information passed back from the PDC when a user is
-authenticated, making a Samba server truly plug and play in an NT
-domain environment. Watch for this code soon.
-<p><em>NOTE:</em> Much of the text of this document was first published in the
-Web magazine <a href="http://www.linuxworld.com"><strong>"LinuxWorld"</strong></a> as the article <a href="http://www.linuxworld.com/linuxworld/lw-1998-10/lw-10-samba.html"><strong>"Doing the NIS/NT Samba"</strong></a>.
-</body>
-</html>
+<HTML
+><HEAD
+><TITLE
+></TITLE
+><META
+NAME="GENERATOR"
+CONTENT="Modular DocBook HTML Stylesheet Version 1.57"></HEAD
+><BODY
+CLASS="BOOK"
+BGCOLOR="#FFFFFF"
+TEXT="#000000"
+LINK="#0000FF"
+VLINK="#840084"
+ALINK="#0000FF"
+><DIV
+CLASS="BOOK"
+><A
+NAME="AEN1"
+></A
+><DIV
+CLASS="TITLEPAGE"
+><H3
+CLASS="AUTHOR"
+><A
+NAME="AEN3"
+>Jeremy Allison</A
+></H3
+><HR></DIV
+><DIV
+CLASS="TOC"
+><DL
+><DT
+><B
+>Table of Contents</B
+></DT
+><DT
+><A
+HREF="#AEN7"
+></A
+></DT
+><DD
+><DL
+><DT
+><A
+HREF="#AEN8"
+>Joining an NT Domain with Samba 2.2</A
+></DT
+><DT
+><A
+HREF="#AEN71"
+>Why is this better than security = server?</A
+></DT
+></DL
+></DD
+></DL
+></DIV
+><DIV
+CLASS="ARTICLE"
+><DIV
+CLASS="SECT1"
+><H1
+CLASS="SECT1"
+><A
+NAME="AEN8"
+>Joining an NT Domain with Samba 2.2</A
+></H1
+><P
+>In order for a Samba-2 server to join an NT domain,
+ you must first add the NetBIOS name of the Samba server to the
+ NT domain on the PDC using Server Manager for Domains. This creates
+ the machine account in the domain (PDC) SAM. Note that you should
+ add the Samba server as a "Windows NT Workstation or Server",
+ <I
+CLASS="EMPHASIS"
+>NOT</I
+> as a Primary or backup domain controller.</P
+><P
+>Assume you have a Samba-2 server with a NetBIOS name of
+ <TT
+CLASS="CONSTANT"
+>SERV1</TT
+> and are joining an NT domain called
+ <TT
+CLASS="CONSTANT"
+>DOM</TT
+>, which has a PDC with a NetBIOS name
+ of <TT
+CLASS="CONSTANT"
+>DOMPDC</TT
+> and two backup domain controllers
+ with NetBIOS names <TT
+CLASS="CONSTANT"
+>DOMBDC1</TT
+> and <TT
+CLASS="CONSTANT"
+>DOMBDC2
+ </TT
+>.</P
+><P
+>In order to join the domain, first stop all Samba daemons
+ and run the command:</P
+><P
+><TT
+CLASS="PROMPT"
+>root# </TT
+><TT
+CLASS="USERINPUT"
+><B
+>smbpasswd -j DOM -r DOMPDC
+ </B
+></TT
+></P
+><P
+>as we are joining the domain DOM and the PDC for that domain
+ (the only machine that has write access to the domain SAM database)
+ is DOMPDC. If this is successful you will see the message:</P
+><P
+><TT
+CLASS="COMPUTEROUTPUT"
+>smbpasswd: Joined domain DOM.</TT
+>
+ </P
+><P
+>in your terminal window. See the <A
+HREF="smbpasswd.8.html"
+TARGET="_top"
+> smbpasswd(8)</A
+> man page for more details.</P
+><P
+>This command goes through the machine account password
+ change protocol, then writes the new (random) machine account
+ password for this Samba server into a file in the same directory
+ in which an smbpasswd file would be stored - normally :</P
+><P
+><TT
+CLASS="FILENAME"
+>/usr/local/samba/private</TT
+></P
+><P
+>In Samba 2.0.x, the filename looks like this:</P
+><P
+><TT
+CLASS="FILENAME"
+><TT
+CLASS="REPLACEABLE"
+><I
+>&lt;NT DOMAIN NAME&gt;</I
+></TT
+>.
+ <TT
+CLASS="REPLACEABLE"
+><I
+>&lt;Samba Server Name&gt;</I
+></TT
+>.mac</TT
+></P
+><P
+>The <TT
+CLASS="FILENAME"
+>.mac</TT
+> suffix stands for machine account
+ password file. So in our example above, the file would be called:</P
+><P
+><TT
+CLASS="FILENAME"
+>DOM.SERV1.mac</TT
+></P
+><P
+>In Samba 2.2, this file has been replaced with a TDB
+ (Trivial Database) file named <TT
+CLASS="FILENAME"
+>secrets.tdb</TT
+>.
+ </P
+><P
+>This file is created and owned by root and is not
+ readable by any other user. It is the key to the domain-level
+ security for your system, and should be treated as carefully
+ as a shadow password file.</P
+><P
+>Now, before restarting the Samba daemons you must
+ edit your <A
+HREF="smb.conf.5.html"
+TARGET="_top"
+><TT
+CLASS="FILENAME"
+>smb.conf(5)</TT
+>
+ </A
+> file to tell Samba it should now use domain security.</P
+><P
+>Change (or add) your <A
+HREF="smb.conf.5.html#SECURITY"
+TARGET="_top"
+> <TT
+CLASS="PARAMETER"
+><I
+>security =</I
+></TT
+></A
+> line in the [global] section
+ of your smb.conf to read:</P
+><P
+><B
+CLASS="COMMAND"
+>security = domain</B
+></P
+><P
+>Next change the <A
+HREF="smb.conf.5.html#WORKGROUP"
+TARGET="_top"
+><TT
+CLASS="PARAMETER"
+><I
+> workgroup =</I
+></TT
+></A
+> line in the [global] section to read: </P
+><P
+><B
+CLASS="COMMAND"
+>workgroup = DOM</B
+></P
+><P
+>as this is the name of the domain we are joining. </P
+><P
+>You must also have the parameter <A
+HREF="smb.conf.5.html#ENCRYPTPASSWORDS"
+TARGET="_top"
+> <TT
+CLASS="PARAMETER"
+><I
+>encrypt passwords</I
+></TT
+></A
+> set to <TT
+CLASS="CONSTANT"
+>yes
+ </TT
+> in order for your users to authenticate to the NT PDC.</P
+><P
+>Finally, add (or modify) a <A
+HREF="smb.conf.5.html#PASSWORDSERVER"
+TARGET="_top"
+> <TT
+CLASS="PARAMETER"
+><I
+>password server =</I
+></TT
+></A
+> line in the [global]
+ section to read: </P
+><P
+><B
+CLASS="COMMAND"
+>password server = DOMPDC DOMBDC1 DOMBDC2</B
+></P
+><P
+>These are the primary and backup domain controllers Samba
+ will attempt to contact in order to authenticate users. Samba will
+ try to contact each of these servers in order, so you may want to
+ rearrange this list in order to spread out the authentication load
+ among domain controllers.</P
+><P
+>Alternatively, if you want smbd to automatically determine
+ the list of Domain controllers to use for authentication, you may
+ set this line to be :</P
+><P
+><B
+CLASS="COMMAND"
+>password server = *</B
+></P
+><P
+>This method, which was introduced in Samba 2.0.6,
+ allows Samba to use exactly the same mechanism that NT does. This
+ method either broadcasts or uses a WINS database in order to
+ find domain controllers to authenticate against.</P
+><P
+>Finally, restart your Samba daemons and get ready for
+ clients to begin using domain security!</P
+></DIV
+><DIV
+CLASS="SECT1"
+><HR><H1
+CLASS="SECT1"
+><A
+NAME="AEN71"
+>Why is this better than security = server?</A
+></H1
+><P
+>Currently, domain security in Samba doesn't free you from
+ having to create local Unix users to represent the users attaching
+ to your server. This means that if domain user <TT
+CLASS="CONSTANT"
+>DOM\fred
+ </TT
+> attaches to your domain security Samba server, there needs
+ to be a local Unix user fred to represent that user in the Unix
+ filesystem. This is very similar to the older Samba security mode
+ <A
+HREF="smb.conf.5.html#SECURITYEQUALSERVER"
+TARGET="_top"
+>security = server</A
+>,
+ where Samba would pass through the authentication request to a Windows
+ NT server in the same way as a Windows 95 or Windows 98 server would.
+ </P
+><P
+>The advantage to domain-level security is that the
+ authentication in domain-level security is passed down the authenticated
+ RPC channel in exactly the same way that an NT server would do it. This
+ means Samba servers now participate in domain trust relationships in
+ exactly the same way NT servers do (i.e., you can add Samba servers into
+ a resource domain and have the authentication passed on from a resource
+ domain PDC to an account domain PDC.</P
+><P
+>In addition, with <B
+CLASS="COMMAND"
+>security = server</B
+> every Samba
+ daemon on a server has to keep a connection open to the
+ authenticating server for as long as that daemon lasts. This can drain
+ the connection resources on a Microsoft NT server and cause it to run
+ out of available connections. With <B
+CLASS="COMMAND"
+>security = domain</B
+>,
+ however, the Samba daemons connect to the PDC/BDC only for as long
+ as is necessary to authenticate the user, and then drop the connection,
+ thus conserving PDC connection resources.</P
+><P
+>And finally, acting in the same manner as an NT server
+ authenticating to a PDC means that as part of the authentication
+ reply, the Samba server gets the user identification information such
+ as the user SID, the list of NT groups the user belongs to, etc. All
+ this information will allow Samba to be extended in the future into
+ a mode the developers currently call appliance mode. In this mode,
+ no local Unix users will be necessary, and Samba will generate Unix
+ uids and gids from the information passed back from the PDC when a
+ user is authenticated, making a Samba server truly plug and play
+ in an NT domain environment. Watch for this code soon.</P
+><P
+><I
+CLASS="EMPHASIS"
+>NOTE:</I
+> Much of the text of this document
+ was first published in the Web magazine <A
+HREF="http://www.linuxworld.com"
+TARGET="_top"
+>
+ LinuxWorld</A
+> as the article <A
+HREF="http://www.linuxworld.com/linuxworld/lw-1998-10/lw-10-samba.html"
+TARGET="_top"
+>Doing
+ the NIS/NT Samba</A
+>.</P
+></DIV
+></DIV
+></DIV
+></BODY
+></HTML
+> \ No newline at end of file