summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorJohn Terpstra <jht@samba.org>2003-05-06 06:02:54 +0000
committerJohn Terpstra <jht@samba.org>2003-05-06 06:02:54 +0000
commit2b8d15bea3b8cdce70d9286fe6f6ad269f08f810 (patch)
treee15c781a188569dc384ad0dd2db11e4bfcf66e9e
parent5300e942668222ee8fb7b5a33e94f86ba3e0ca04 (diff)
downloadsamba-2b8d15bea3b8cdce70d9286fe6f6ad269f08f810.tar.gz
samba-2b8d15bea3b8cdce70d9286fe6f6ad269f08f810.tar.bz2
samba-2b8d15bea3b8cdce70d9286fe6f6ad269f08f810.zip
A few more little fixes, a few more edits, a bit lost here, and a lot gained there! :)
This documentation process is tedious, but noone will notice it anyhow! :) (This used to be commit b8666c39493383566b3f108dfdf0328e7a5a92a9)
-rw-r--r--docs/docbook/projdoc/DOMAIN_MEMBER.xml222
-rw-r--r--docs/docbook/projdoc/Samba-PDC-HOWTO.xml480
-rw-r--r--docs/docbook/projdoc/ServerType.xml25
-rw-r--r--docs/docbook/projdoc/samba-doc.xml2
4 files changed, 434 insertions, 295 deletions
diff --git a/docs/docbook/projdoc/DOMAIN_MEMBER.xml b/docs/docbook/projdoc/DOMAIN_MEMBER.xml
index 6a3ef28b55..f12936a215 100644
--- a/docs/docbook/projdoc/DOMAIN_MEMBER.xml
+++ b/docs/docbook/projdoc/DOMAIN_MEMBER.xml
@@ -179,7 +179,227 @@ LinuxWorld</ulink> as the article <ulink
url="http://www.linuxworld.com/linuxworld/lw-1998-10/lw-10-samba.html">Doing
the NIS/NT Samba</ulink>.</para></note>
</sect2>
+</sect1>
+
+<sect1>
+<title>Machine Trust Accounts and Domain Membership</title>
+
+<para>
+A machine trust account is an account that is used to authenticate a client machine
+(rather than a user) to the Domain Controller server. In Windows terminology,
+this is known as a "Computer Account."</para>
+
+<para>
+The password of a machine trust account acts as the shared secret for
+secure communication with the Domain Controller. This is a security
+feature to prevent an unauthorized machine with the same NetBIOS name
+from joining the domain and gaining access to domain user/group
+accounts. Windows NT, 200x, XP Professional clients use machine trust
+accounts, but Windows 9x / Me / XP Home clients do not. Hence, a
+Windows 9x / Me / XP Home client is never a true member of a domain
+because it does not possess a machine trust account, and thus has no
+shared secret with the domain controller.
+</para>
+
+<para>A Windows NT4 PDC stores each machine trust account in the Windows
+Registry. The introduction of MS Windows 2000 saw the introduction of Active Directory,
+the new repository for machine trust accounts.
+</para>
+
+<para>
+A Samba PDC, however, stores each machine trust account in two parts,
+as follows:
+
+<itemizedlist>
+ <listitem><para>A Samba account, stored in the same location as user
+ LanMan and NT password hashes (currently <filename>smbpasswd</filename>).
+ The Samba account possesses and uses only the NT password hash.</para></listitem>
+
+ <listitem><para>A corresponding Unix account, typically stored in
+ <filename>/etc/passwd</filename>. (Future releases will alleviate the need to
+ create <filename>/etc/passwd</filename> entries.) </para></listitem>
+</itemizedlist>
+</para>
+
+<para>
+There are two ways to create machine trust accounts:
+</para>
+
+<itemizedlist>
+ <listitem><para> Manual creation. Both the Samba and corresponding
+ Unix account are created by hand.</para></listitem>
+
+ <listitem><para> "On-the-fly" creation. The Samba machine trust
+ account is automatically created by Samba at the time the client
+ is joined to the domain. (For security, this is the
+ recommended method.) The corresponding Unix account may be
+ created automatically or manually. </para>
+ </listitem>
+
+</itemizedlist>
+
+<sect2>
+<title>Manual Creation of Machine Trust Accounts</title>
+
+<para>
+The first step in manually creating a machine trust account is to
+manually create the corresponding Unix account in
+<filename>/etc/passwd</filename>. This can be done using
+<command>vipw</command> or other 'add user' command that is normally
+used to create new Unix accounts. The following is an example for a
+Linux based Samba server:
+</para>
+
+<para>
+ <prompt>root# </prompt><command>/usr/sbin/useradd -g 100 -d /dev/null -c <replaceable>"machine
+nickname"</replaceable> -s /bin/false <replaceable>machine_name</replaceable>$ </command>
+</para>
+<para>
+<prompt>root# </prompt><command>passwd -l <replaceable>machine_name</replaceable>$</command>
+</para>
+
+<para>On *BSD systems, this can be done using the 'chpass' utility:</para>
+
+<para>
+<prompt>root# </prompt><command>chpass -a "<replaceable>machine_name</replaceable>$:*:101:100::0:0:Workstation <replaceable>machine_name</replaceable>:/dev/null:/sbin/nologin"</command>
+</para>
+
+<para>
+The <filename>/etc/passwd</filename> entry will list the machine name
+with a "$" appended, won't have a password, will have a null shell and no
+home directory. For example a machine named 'doppy' would have an
+<filename>/etc/passwd</filename> entry like this:
+</para>
+
+<para><programlisting>
+doppy$:x:505:501:<replaceable>machine_nickname</replaceable>:/dev/null:/bin/false
+</programlisting></para>
+
+<para>
+Above, <replaceable>machine_nickname</replaceable> can be any
+descriptive name for the client, i.e., BasementComputer.
+<replaceable>machine_name</replaceable> absolutely must be the NetBIOS
+name of the client to be joined to the domain. The "$" must be
+appended to the NetBIOS name of the client or Samba will not recognize
+this as a machine trust account.
+</para>
+
+<para>
+Now that the corresponding Unix account has been created, the next step is to create
+the Samba account for the client containing the well-known initial
+machine trust account password. This can be done using the <ulink
+url="smbpasswd.8.html"><command>smbpasswd(8)</command></ulink> command
+as shown here:
+</para>
+
+<para>
+<prompt>root# </prompt><userinput>smbpasswd -a -m <replaceable>machine_name</replaceable></userinput>
+</para>
+<para>
+where <replaceable>machine_name</replaceable> is the machine's NetBIOS
+name. The RID of the new machine account is generated from the UID of
+the corresponding Unix account.
+</para>
+
+<warning>
+ <title>Join the client to the domain immediately</title>
+
+ <para>
+ Manually creating a machine trust account using this method is the
+ equivalent of creating a machine trust account on a Windows NT PDC using
+ the "Server Manager". From the time at which the account is created
+ to the time which the client joins the domain and changes the password,
+ your domain is vulnerable to an intruder joining your domain using
+ a machine with the same NetBIOS name. A PDC inherently trusts
+ members of the domain and will serve out a large degree of user
+ information to such clients. You have been warned!
+ </para>
+</warning>
+</sect2>
+
+
+<sect2>
+<title>"On-the-Fly" Creation of Machine Trust Accounts</title>
+
+<para>
+The second (and recommended) way of creating machine trust accounts is
+simply to allow the Samba server to create them as needed when the client
+is joined to the domain. </para>
+
+<para>Since each Samba machine trust account requires a corresponding
+Unix account, a method for automatically creating the
+Unix account is usually supplied; this requires configuration of the
+<ulink url="smb.conf.5.html#ADDMACHINESCRIPT">add machine script</ulink>
+option in <filename>smb.conf</filename>. This
+method is not required, however; corresponding Unix accounts may also
+be created manually.
+</para>
+
+
+<para>
+Below is an example for a RedHat Linux system.
+</para>
+
+<para><programlisting>
+[global]
+ # &lt;...remainder of parameters...&gt;
+ add machine script = /usr/sbin/useradd -d /dev/null -g 100 -s /bin/false -M %u
+</programlisting></para>
+
+</sect2>
+
+
+<sect2><title>Joining the Client to the Domain</title>
+
+<para>
+The procedure for joining a client to the domain varies with the version of Windows.
+</para>
+
+<itemizedlist>
+<listitem><para><emphasis>Windows 2000</emphasis></para>
+
+ <para>
+ When the user elects to join the client to a domain, Windows prompts for
+ an account and password that is privileged to join the domain. A Samba administrative
+ account (i.e., a Samba account that has root privileges on the Samba server) must be
+ entered here; the operation will fail if an ordinary user account is given.
+ The password for this account should be set to a different password than the associated
+ <filename>/etc/passwd</filename> entry, for security reasons.
+ </para>
+
+ <para>
+ The session key of the Samba administrative account acts as an
+ encryption key for setting the password of the machine trust
+ account. The machine trust account will be created on-the-fly, or
+ updated if it already exists.
+ </para>
+
+</listitem>
+
+<listitem><para><emphasis>Windows NT</emphasis></para>
+
+ <para> If the machine trust account was created manually, on the
+ Identification Changes menu enter the domain name, but do not
+ check the box "Create a Computer Account in the Domain." In this case,
+ the existing machine trust account is used to join the machine to
+ the domain.</para>
+
+ <para> If the machine trust account is to be created
+ on-the-fly, on the Identification Changes menu enter the domain
+ name, and check the box "Create a Computer Account in the Domain." In
+ this case, joining the domain proceeds as above for Windows 2000
+ (i.e., you must supply a Samba administrative account when
+ prompted).</para>
+</listitem>
+
+<listitem><para><emphasis>Samba</emphasis></para>
+ <para>Joining a samba client to a domain is documented in
+ the <link linkend="domain-member">Domain Member</link> chapter.
+</para></listitem>
+</itemizedlist>
+
+</sect2>
</sect1>
<sect1>
@@ -196,7 +416,7 @@ Windows2000 KDC.
<para>You must use at least the following 3 options in smb.conf:</para>
<para><programlisting>
- realm = YOUR.KERBEROS.REALM
+ realm = your.kerberos.REALM
security = ADS
encrypt passwords = yes
</programlisting></para>
diff --git a/docs/docbook/projdoc/Samba-PDC-HOWTO.xml b/docs/docbook/projdoc/Samba-PDC-HOWTO.xml
index d00e7243ad..7ec687e740 100644
--- a/docs/docbook/projdoc/Samba-PDC-HOWTO.xml
+++ b/docs/docbook/projdoc/Samba-PDC-HOWTO.xml
@@ -17,14 +17,14 @@
<formalpara><title><emphasis>The Essence of Learning:</emphasis></title>
<para>
There are many who approach MS Windows networking with incredible misconceptions.
-That's OK, because it give the rest of us plenty of opportunity to help someone.
-Those who really want help would be well advised to be informed of information that
-is in fact already available.
+That's OK, because it give the rest of us plenty of opportunity to be of assistance.
+Those who really want help would be well advised to become familiar with information
+that is already available.
</para>
</formalpara>
<para>
-The reader is well advised NOT to tackle this section without having first understood
+The reader is advised NOT to tackle this section without having first understood
and mastered some basics. MS Windows networking is not particularly forgiving of
misconfiguration. Users of MS Windows networking are likely to complain bitterly
of persistent niggles that may be caused by broken network or system configuration.
@@ -50,9 +50,9 @@ networking problems:
</itemizedlist>
<para>
-Do not be put off too much, on the surface of it MS Windows networking seems so simple
-that any fool can do it. In fact, only a fool would set up an MS Windows network with
-inadequate training and preparation. So let's get our first indelible principle out of the
+Do not be put off, on the surface of it MS Windows networking seems so simple that any fool
+can do it. In fact, it is not a good idea to set up an MS Windows network with
+inadequate training and preparation. But let's get our first indelible principle out of the
way: <emphasis>It is perfectly OK to make mistakes!</emphasis> In the right place and at
the right time, mistakes are the essence of learning. It is <emphasis>very much</emphasis>
not Ok to make mistakes that cause loss of productivity and impose an avoidable financial
@@ -83,14 +83,14 @@ The following functionalities are new to the Samba-3 release:
</para></listitem>
<listitem><para>
- Samba-3 introduces replaceable and multiple user account (authentication)
+ Introduces replaceable and multiple user account (authentication)
back ends. In the case where the back end is placed in an LDAP database
Samba-3 confers the benefits of a back end that can be distributed, replicated,
and highly scalable.
</para></listitem>
<listitem><para>
- Samba-3 implements full Unicode support. This simplifies cross locale internationalisation
+ Implements full Unicode support. This simplifies cross locale internationalisation
support. It also opens up the use of protocols that samba-2.2.x had but could not use due
to the need to fully support Unicode.
</para></listitem>
@@ -117,26 +117,23 @@ The following functionalities are NOT provided by Samba-3:
</itemizedlist>
<para>
-Please note that Windows 9x / Me / XP Home clients are not true members of a domain
-for reasons outlined in this article. Therefore the protocol for support of Windows
-9x / Me style domain logons is completely different from NT4 / Win2k type domain logons
-nd has been officially supported for some time.
+Windows 9x / Me / XP Home clients are not true members of a domain for reasons outlined
+in this chapter. The protocol for support of Windows 9x / Me style network (domain) logons
+is completely different from NT4 / Win2k type domain logons and has been officially supported
+for some time. These clients use the old LanMan Network Logon facilities that are supported
+in Samba since approximately the samba-1.9.15 series.
</para>
-<para><emphasis>
-MS Windows XP Home edition is NOT able to join a domain and does not permit
-the use of domain logons.
-</emphasis></para>
-
<para>
-Samba-3 offers a complete implementation of group mapping between Windows NT groups
-and Unix groups (this is really quite complicated to explain in a short space).
+Samba-3 has an implementation of group mapping between Windows NT groups
+and Unix groups (this is really quite complicated to explain in a short space) this is
+discussed more fully in a chapter dedicated to this topic..
</para>
<para>
-A Samba-3 PDC also has to store machine trust account information
-in a suitable backend data store. With Samba-3 there can be multiple back-ends
-for this including:
+A Samba-3, like an MS Windows NT4 PDC or a Windows 200x Active Directory, needs to store
+user and machine trust account information in a suitable backend data store. With Samba-3
+there can be multiple back-ends for this including:
</para>
<itemizedlist>
@@ -153,24 +150,40 @@ for this including:
stored in the <emphasis>private</emphasis> directory in a file called
<emphasis>passwd.tdb</emphasis>. The key benefit of this binary format
file is that it can store binary objects that can not be accomodated
- in the traditional plain text smbpasswd file.
+ in the traditional plain text smbpasswd file. These permit the extended
+ account controls that MS Windows NT4 and later also have.
</para></listitem>
<listitem><para>
<emphasis>ldapsam</emphasis> - An LDAP based back-end. Permits the
- LDAP server to be specified. eg: ldap://localhost or ldap://frodo.murphy.com
+ LDAP server to be specified. eg: ldap://localhost or ldap://frodo.murphy.com.
+ Like the tdbsam, ldapsam permits the storing of extended account attributes
+ for control of things like: Permitted access times, password activation and
+ expiry, permitted points of access (workstation names), per user profile
+ location, and much more.
+ </para></listitem>
+
+ <listitem><para>
+ <emphasis>ldapsam_compat</emphasis> - An LDAP back-end that maintains backwards
+ compatibility with the behaviour of samba-2.2.x. You should use this in the process
+ of mirgrating from samba-2.2.x to samba-3 if you do not want to rebuild your LDAP
+ database.
</para></listitem>
</itemizedlist>
<para>
-Read the chapter about the <link linkend="passdb">User Database</link> for details.
+Read the chapter about the <link linkend="passdb">User Database</link> for details
+regarding the choices available and how to configure them.
</para>
<note><para>
-The new tdbsam and ldapsam account backends store vastly more information than
+The new tdbsam and ldapsam account backends store substantially more information than
smbpasswd is capable of. The new backend database includes capacity to specify
per user settings for many parameters, over-riding global settings given in the
<filename>smb.conf</filename> file. eg: logon drive, logon home, logon path, etc.
+Thus, with samba-3 it is possible to have a default system configuration for profiles,
+and on a per user basis to over-ride this for those users who should not be subject
+to the default configuration.
</para></note>
</sect1>
@@ -196,11 +209,11 @@ there are three basic types of domain controllers:
<para>
The <emphasis>Primary Domain Controller</emphasis> or PDC plays an important role in the MS
Windows NT4 and Windows 200x Domain Control architecture, but not in the manner that so many
-expect. There is a form of folk lore that dictates that because of it's role in the MS Windows
+expect. There is folk lore that dictates that because of it's role in the MS Windows
network that the PDC should be the most powerful and most capable machine in the network.
-As corny as it may seem to say this here, where good over all network performance is desired
-the entire infrastructure needs to be balanced. It may be more advisable to invest more in
-the Backup Domain Controllers and Stand-Alone (or Domain Member) servers than in the PDC.
+As strange as it may seem to say this here, good over all network performance dictates that
+the entire infrastructure needs to be balanced. It is advisable to invest more in the Backup
+Domain Controllers and Stand-Alone (or Domain Member) servers than in the PDC.
</para>
<para>
@@ -211,6 +224,14 @@ database with Backup Domain Controllers.
</para>
<para>
+With MS Windows 200x Server based Active Directory domains, one domain controller seeds a potential
+hierachy of domain controllers, each with their own area of delegated control. The master domain
+controller has the ability to override any down-stream controller, but a down-line controller has
+control only over it's down-line. With Samba-3 this functionality can be implemented using an
+LDAP based user and machine account back end.
+</para>
+
+<para>
New to Samba-3 is the ability to use a back-end database that holds the same type of data as
the NT4 style SAM (Security Account Manager) database (one of the registry files).
The samba-3 SAM can be specified via the smb.conf file parameter
@@ -238,7 +259,8 @@ reinstall it. The install time choices offered are:
<itemizedlist>
<listitem><para>Primary Domain Controller - The one that seeds the domain SAM</para></listitem>
<listitem><para>Backup Domain Controller - One that obtains a copy of the domain SAM</para></listitem>
- <listitem><para>Stand-Alone Server - One that plays NO part is SAM synchronisation</para></listitem>
+ <listitem><para>Domain Controller - One that has NO copy of the domain SAM, rather it obtains authentication from a Domain Controller for all access controls.</para></listitem>
+ <listitem><para>Stand-Alone Server - One that plays NO part is SAM synchronisation, has it's own authentication database and plays no role in Domain security.</para></listitem>
</itemizedlist>
<para>
@@ -266,53 +288,79 @@ be revised to duely reflect all configuration and management requirements.
<title>Preparing for Domain Control</title>
<para>
-The following outlines the steps necessary for configuring Samba-3 as an MS Windows NT4 style PDC.
-It is necessary to have a working Samba server prior to implementing the PDC functionality.
+The following are necessary for configuring Samba-3 as an MS Windows NT4 style PDC for MS Windows
+NT4 / 200x / XP clients.
</para>
-<itemizedlist>
+<orderedlist numeration="arabic">
<listitem><para>
- Domain logons for Windows NT 4.0 / 200x / XP Professional clients.
+ Configuration of basic TCP/IP and MS Windows Networking
</para></listitem>
-
+
<listitem><para>
- Placing Windows 9x / Me clients in user level security
+ Correct designation of the Server Role (<emphasis>security = user</emphasis>)
</para></listitem>
-
+
<listitem><para>
- Retrieving a list of users and groups from a Samba PDC to Windows 9x / Me / NT / 200x / XP
- Professional clients
+ Consistent configuration of Name Resolution (See chapter on Browsing and on
+ MS Windows network Integration)
+ </para></listitem>
+
+ <listitem><para>
+ Domain logons for Windows NT4 / 200x / XP Professional clients
</para></listitem>
<listitem><para>
- Roaming Profiles
+ Configuration of Roaming Profiles or explicit configuration to force local profile usage
</para></listitem>
<listitem><para>
- Network/System Policies
+ Configuration of Network/System Policies
</para></listitem>
-</itemizedlist>
-<note><para>
-Roaming Profiles and System/Network policies are advanced network administration topics
-that are covered separately in this document.
-</para></note>
+ <listitem><para>
+ Adding and managing domain user accounts
+ </para></listitem>
+
+ <listitem><para>
+ Configuring MS Windows client machines to become domain members
+ </para></listitem>
+</orderedlist>
<para>
-Implementing a Samba PDC can basically be divided into 4 broad steps.
+The following provisions are required to serve MS Windows 9x / Me Clients:
</para>
-<orderedlist numeration="arabic">
+<orderedlist>
<listitem><para>
- Configuration of basic MS Windows Networking
+ Configuration of basic TCP/IP and MS Windows Networking
</para></listitem>
<listitem><para>
- Configuring the Samba PDC
+ Correct designation of the Server Role (<emphasis>security = user</emphasis>)
</para></listitem>
-
+
<listitem><para>
- Creating machine trust accounts and joining machines to the domain
+ Network Logon Configuration (Since Windows 9x / XP Home are not technically domain
+ members, they do not really particpate in the security aspects of Domain logons as such)
+ </para></listitem>
+
+ <listitem><para>
+ Roaming Profile Configuration
+ </para></listitem>
+
+ <listitem><para>
+ Configuration of System Policy handling
+ </para></listitem>
+
+ <listitem><para>
+ Installation of the Network driver "Client for MS Windows Networks" and configuration
+ to log onto the domain
+ </para></listitem>
+
+ <listitem><para>
+ Placing Windows 9x / Me clients in user level security - if it is desired to allow
+ all client share access to be controlled according to domain user / group identities.
</para></listitem>
<listitem><para>
@@ -320,9 +368,44 @@ Implementing a Samba PDC can basically be divided into 4 broad steps.
</para></listitem>
</orderedlist>
+<note><para>
+Roaming Profiles and System/Network policies are advanced network administration topics
+that are covered separately in this document. However, these are not necessarily specific
+to a Samba PDC as much as they are related to Windows NT networking concepts.
+</para></note>
+
<para>
-There are other details such as user profiles, system policies, etc. However, these are not
-necessarily specific to a Samba PDC as much as they are related to Windows NT networking concepts.
+A Domain Controller is an SMB/CIFS server that:
+</para>
+
+<itemizedlist>
+ <listitem><para>
+ Advertises and registers itself as a Domain Controller (Through NetBIOS broadcasts
+ as well as by way of name registrations either by Mailslot Broadcasts over UDP broadcast,
+ to a WINS server over UDP unicast, or via DNS and Active Directory)
+ </para></listitem>
+
+ <listitem><para>
+ Provides the NETLOGON service (actually a collection of services that runs over
+ a number of protocols. These include the LanMan Logon service, the Netlogon service,
+ the Local Security Account service, and variations of them)
+ </para></listitem>
+
+ <listitem><para>
+ Provides a share called NETLOGON
+ </para></listitem>
+</itemizedlist>
+
+<para>
+For samba to provide these is rather easy to configure. Each Samba Domain Controller must provide
+the NETLOGON service which samba calls the <emphasis>domain logons</emphasis> functionality
+(after the name of the parameter in the &smb.conf; file). Additionally, one (1) server in a Samba-3
+Domain must advertise itself as the domain master browser. This causes the Primary Domain Controller
+to claim domain specific NetBIOS name that identifies it as a domain master browser for its given
+domain/workgroup. Local master browsers in the same domain/workgroup on broadcast-isolated subnets
+then ask for a complete copy of the browse list for the whole wide area network. Browser clients
+will then contact their local master browser, and will receive the domain-wide browse list,
+instead of just the list for their broadcast-isolated subnet.
</para>
</sect2>
@@ -371,7 +454,7 @@ Here is an example &smb.conf; for acting as a PDC:
; where is a user's home directory and where should it be mounted at?
<ulink url="smb.conf.5.html#LOGONDRIVE">logon drive</ulink> = H:
- <ulink url="smb.conf.5.html#LOGONHOME">logon home</ulink> = \\homeserver\%u
+ <ulink url="smb.conf.5.html#LOGONHOME">logon home</ulink> = \\homeserver\%u\winprofile
; specify a generic logon script for all users
; this is a relative **DOS** path to the [netlogon] share
@@ -398,6 +481,7 @@ of operation. The following parameters are the essentials alone:
<programlisting>
workgroup = NARNIA
domain logons = Yes
+ domain master = Yes
security = User
</programlisting>
@@ -428,239 +512,63 @@ There are a couple of points to emphasize in the above configuration.
</para></listitem>
</itemizedlist>
-<sect2>
-<title>Machine Trust Accounts and Domain Membership</title>
-
-<para>
-A machine trust account is an account that is used to authenticate a client machine
-(rather than a user) to the Domain Controller server. In Windows terminology,
-this is known as a "Computer Account."</para>
-
-<para>
-The password of a machine trust account acts as the shared secret for
-secure communication with the Domain Controller. This is a security
-feature to prevent an unauthorized machine with the same NetBIOS name
-from joining the domain and gaining access to domain user/group
-accounts. Windows NT, 200x, XP Professional clients use machine trust
-accounts, but Windows 9x / Me / XP Home clients do not. Hence, a
-Windows 9x / Me / XP Home client is never a true member of a domain
-because it does not possess a machine trust account, and thus has no
-shared secret with the domain controller.
-</para>
-
-<para>A Windows NT4 PDC stores each machine trust account in the Windows
-Registry. The introduction of MS Windows 2000 saw the introduction of Active Directory,
-the new repository for machine trust accounts.
-</para>
-
-<para>
-A Samba PDC, however, stores each machine trust account in two parts,
-as follows:
-
-<itemizedlist>
- <listitem><para>A Samba account, stored in the same location as user
- LanMan and NT password hashes (currently <filename>smbpasswd</filename>).
- The Samba account possesses and uses only the NT password hash.</para></listitem>
-
- <listitem><para>A corresponding Unix account, typically stored in
- <filename>/etc/passwd</filename>. (Future releases will alleviate the need to
- create <filename>/etc/passwd</filename> entries.) </para></listitem>
-</itemizedlist>
-</para>
-
-<para>
-There are two ways to create machine trust accounts:
-</para>
-
-<itemizedlist>
- <listitem><para> Manual creation. Both the Samba and corresponding
- Unix account are created by hand.</para></listitem>
-
- <listitem><para> "On-the-fly" creation. The Samba machine trust
- account is automatically created by Samba at the time the client
- is joined to the domain. (For security, this is the
- recommended method.) The corresponding Unix account may be
- created automatically or manually. </para>
- </listitem>
-
-</itemizedlist>
+</sect1>
-<sect3>
-<title>Manual Creation of Machine Trust Accounts</title>
+<sect1>
+<title>Samba ADS Domain Control</title>
<para>
-The first step in manually creating a machine trust account is to
-manually create the corresponding Unix account in
-<filename>/etc/passwd</filename>. This can be done using
-<command>vipw</command> or other 'add user' command that is normally
-used to create new Unix accounts. The following is an example for a
-Linux based Samba server:
+Samba-3 can behave and appear to MS Windows 200x and XP clients as an Active Directory Server.
+To do this, Configure samba as a Primary Domain Controller, use LDAP as the passdb backend,
+and configure Kerberos5. The problem with doing this is that samba-3 is NOT, despite this
+configuration, and Active Directory server and does NOT yet fully support all protocols needed
+to make this a possibility.
</para>
<para>
- <prompt>root# </prompt><command>/usr/sbin/useradd -g 100 -d /dev/null -c <replaceable>"machine
-nickname"</replaceable> -s /bin/false <replaceable>machine_name</replaceable>$ </command>
-</para>
-<para>
-<prompt>root# </prompt><command>passwd -l <replaceable>machine_name</replaceable>$</command>
+The best advice we can give at this time is - DO NOT DO THIS yet as it is NOT ready for
+production deployment.
</para>
-<para>On *BSD systems, this can be done using the 'chpass' utility:</para>
+</sect1>
-<para>
-<prompt>root# </prompt><command>chpass -a "<replaceable>machine_name</replaceable>$:*:101:100::0:0:Workstation <replaceable>machine_name</replaceable>:/dev/null:/sbin/nologin"</command>
-</para>
+<sect1>
+<title>Domain and Network Logon Configuration</title>
<para>
-The <filename>/etc/passwd</filename> entry will list the machine name
-with a "$" appended, won't have a password, will have a null shell and no
-home directory. For example a machine named 'doppy' would have an
-<filename>/etc/passwd</filename> entry like this:
+The subject of Network or Domain Logons is discussed here because it rightly forms
+an integral part of the essential functionality that is provided by a Domain Controller.
</para>
-<para><programlisting>
-doppy$:x:505:501:<replaceable>machine_nickname</replaceable>:/dev/null:/bin/false
-</programlisting></para>
+<sect2>
+<title>Domain Network Logon Service</title>
<para>
-Above, <replaceable>machine_nickname</replaceable> can be any
-descriptive name for the client, i.e., BasementComputer.
-<replaceable>machine_name</replaceable> absolutely must be the NetBIOS
-name of the client to be joined to the domain. The "$" must be
-appended to the NetBIOS name of the client or Samba will not recognize
-this as a machine trust account.
+All Domain Controllers must run the netlogon service (<emphasis>domain logons</emphasis>
+in Samba. One Domain Controller must be configured with <emphasis>domain master = Yes</emphasis>
+(the Primary Domain Controller), on ALL Backup Domain Controllers <emphasis>domain master = No</emphasis>
+must be set.
</para>
-<para>
-Now that the corresponding Unix account has been created, the next step is to create
-the Samba account for the client containing the well-known initial
-machine trust account password. This can be done using the <ulink
-url="smbpasswd.8.html"><command>smbpasswd(8)</command></ulink> command
-as shown here:
-</para>
+<title>Example Configuration</title>
+<programlisting>
+<title> A minimal configuration to support Domain Logons</title>
<para>
-<prompt>root# </prompt><userinput>smbpasswd -a -m <replaceable>machine_name</replaceable></userinput>
-</para>
+ [globals]
+ domain logons = Yes
+ domain master = (Yes on PDC, No on BDCs)
-<para>
-where <replaceable>machine_name</replaceable> is the machine's NetBIOS
-name. The RID of the new machine account is generated from the UID of
-the corresponding Unix account.
+ [netlogon]
+ comment = Network Logon Service
+ path = /var/lib/samba/netlogon
+ guest ok = Yes
+ browseable = No
</para>
-
-<warning>
- <title>Join the client to the domain immediately</title>
-
- <para>
- Manually creating a machine trust account using this method is the
- equivalent of creating a machine trust account on a Windows NT PDC using
- the "Server Manager". From the time at which the account is created
- to the time which the client joins the domain and changes the password,
- your domain is vulnerable to an intruder joining your domain using
- a machine with the same NetBIOS name. A PDC inherently trusts
- members of the domain and will serve out a large degree of user
- information to such clients. You have been warned!
- </para>
-</warning>
-</sect3>
-
+</programlisting>
<sect3>
-<title>"On-the-Fly" Creation of Machine Trust Accounts</title>
-
-<para>
-The second (and recommended) way of creating machine trust accounts is
-simply to allow the Samba server to create them as needed when the client
-is joined to the domain. </para>
-
-<para>Since each Samba machine trust account requires a corresponding
-Unix account, a method for automatically creating the
-Unix account is usually supplied; this requires configuration of the
-<ulink url="smb.conf.5.html#ADDMACHINESCRIPT">add machine script</ulink>
-option in <filename>smb.conf</filename>. This
-method is not required, however; corresponding Unix accounts may also
-be created manually.
-</para>
-
-
-<para>
-Below is an example for a RedHat Linux system.
-</para>
-
-<para><programlisting>
-[global]
- # &lt;...remainder of parameters...&gt;
- add machine script = /usr/sbin/useradd -d /dev/null -g 100 -s /bin/false -M %u
-</programlisting></para>
-
-</sect3>
-
-
-<sect3><title>Joining the Client to the Domain</title>
-
-<para>
-The procedure for joining a client to the domain varies with the version of Windows.
-</para>
-
-<itemizedlist>
-<listitem><para><emphasis>Windows 2000</emphasis></para>
-
- <para>
- When the user elects to join the client to a domain, Windows prompts for
- an account and password that is privileged to join the domain. A Samba administrative
- account (i.e., a Samba account that has root privileges on the Samba server) must be
- entered here; the operation will fail if an ordinary user account is given.
- The password for this account should be set to a different password than the associated
- <filename>/etc/passwd</filename> entry, for security reasons.
- </para>
-
- <para>
- The session key of the Samba administrative account acts as an
- encryption key for setting the password of the machine trust
- account. The machine trust account will be created on-the-fly, or
- updated if it already exists.
- </para>
-
-</listitem>
-
-<listitem><para><emphasis>Windows NT</emphasis></para>
-
- <para> If the machine trust account was created manually, on the
- Identification Changes menu enter the domain name, but do not
- check the box "Create a Computer Account in the Domain." In this case,
- the existing machine trust account is used to join the machine to
- the domain.</para>
-
- <para> If the machine trust account is to be created
- on-the-fly, on the Identification Changes menu enter the domain
- name, and check the box "Create a Computer Account in the Domain." In
- this case, joining the domain proceeds as above for Windows 2000
- (i.e., you must supply a Samba administrative account when
- prompted).</para>
-</listitem>
-
-<listitem><para><emphasis>Samba</emphasis></para>
- <para>Joining a samba client to a domain is documented in
- the <link linkend="domain-member">Domain Member</link> chapter.
-</para></listitem>
-</itemizedlist>
-
-</sect3>
-</sect2>
-</sect1>
-
-<sect1>
-<title>Samba ADS Domain Control</title>
-
-<para>
-Not yet Freddie!
-</para>
-
-</sect1>
-
-<sect1>
-<title>Domain Control for Windows 9x/ME</title>
+<title>The Special Case of Windows 9x / Me / XP Home</title>
<para>
A domain and a workgroup are exactly the same thing in terms of network
@@ -686,7 +594,6 @@ profiles for MS Windows for workgroups and MS Windows 9X/ME clients
which are the focus of this section.
</para>
-
<para>
When an SMB client in a domain wishes to logon it broadcast requests for a
logon server. The first one to reply gets the job, and validates its
@@ -698,13 +605,17 @@ demonstrates how authentication is quite different from but closely
involved with domains.
</para>
-
<para>
Using these features you can make your clients verify their logon via
the Samba server; make clients run a batch file when they logon to
the network and download their preferences, desktop and start menu.
</para>
+<para><emphasis>
+MS Windows XP Home edition is NOT able to join a domain and does not permit
+the use of domain logons.
+</emphasis></para>
+
<para>
Before launching into the configuration instructions, it is
worthwhile to look at how a Windows 9x/ME client performs a logon:
@@ -757,7 +668,7 @@ worthwhile to look at how a Windows 9x/ME client performs a logon:
<para>
The client then connects to the user's home share and searches for the
user's profile. As it turns out, you can specify the user's home share as
- a sharename and path. For example, \\server\fred\.profile.
+ a sharename and path. For example, \\server\fred\.winprofile.
If the profiles are found, they are implemented.
</para>
</listitem>
@@ -771,32 +682,29 @@ worthwhile to look at how a Windows 9x/ME client performs a logon:
</listitem>
</orderedlist>
-
-<sect2>
-<title>Configuring Network Logon Capability</title>
-
<para>
The main difference between a PDC and a Windows 9x logon server configuration is that
</para>
<itemizedlist>
-
-<listitem><para>
-Password encryption is not required for a Windows 9x logon server.
-</para></listitem>
-
<listitem><para>
-Windows 9x/ME clients do not possess machine trust accounts.
-</para></listitem>
+ Password encryption is not required for a Windows 9x logon server.
+ </para></listitem>
+ <listitem><para>
+ Windows 9x/ME clients do not possess machine trust accounts.
+ </para></listitem>
</itemizedlist>
<para>
-Therefore, a Samba PDC will also act as a Windows 9x logon server.
+A Samba PDC will also act as a Windows 9x logon server.
</para>
-<warning>
-<title>security mode and master browsers</title>
+</sect3>
+</sect2>
+
+<sect2>
+<title>Security Mode and Master Browsers</title>
<para>
There are a few comments to make in order to tie up some
@@ -836,9 +744,9 @@ has a domain controller, right?)
Therefore configuring a Samba box as a DC for a domain that
already by definition has a PDC is asking for trouble.
Therefore, you should always configure the Samba DC to be the DMB
-for its domain.
+for its domain and set <emphasis>security = user</emphasis>. This is the only
+officially supported mode of operation.
</para>
-</warning>
</sect2>
diff --git a/docs/docbook/projdoc/ServerType.xml b/docs/docbook/projdoc/ServerType.xml
index 91f0da9d8c..13377b1d5a 100644
--- a/docs/docbook/projdoc/ServerType.xml
+++ b/docs/docbook/projdoc/ServerType.xml
@@ -12,7 +12,7 @@ This chapter provides information regarding the types of server that Samba may b
configured to be. A Microsoft network administrator who wishes to migrate to or to
use Samba will want to know what within a Samba context, terms familiar to MS Windows
adminstrator mean. This means that it is essential also to define how critical security
-contexts function BEFORE we get into the details of how to configure the server itself.
+modes function BEFORE we get into the details of how to configure the server itself.
</para>
<para>
@@ -27,7 +27,7 @@ features and benefits. These may be for or against Samba.
</para>
<sect1>
-<title>Samba Features and Benefits</title>
+<title>Features and Benefits</title>
<para>
Two men were walking down a dusty road, when one suddenly kicked up a small red stone. It
@@ -132,6 +132,17 @@ reduce user complaints and administrator heartache.
</para>
<para>
+There are in the SMB/CIFS networking world only two types of security: <emphasis>USER Level</emphasis>
+and <emphasis>SHARE Level</emphasis>. We refer to these collectively as <emphasis>security levels</emphasis>. In implementing these two <emphasis>security levels</emphasis> samba provides flexibilities
+that are not available with Microsoft Windows NT4 / 200x servers. Samba knows of fice (5)
+ways that allow the security levels to be implemented. In actual fact, Samba implements
+<emphasis>SHARE Levl</emphasis> security only one way, but has for ways of implementing
+<emphasis>USER Level</emphasis> security. Collectively, we call the samba implementations
+<emphasis>Security Modes</emphasis>. These are: <emphasis>SHARE, USER, DOMAIN, ADS, and SERVER</emphasis>
+modes. They are documented in this chapter.
+</para>
+
+<para>
A SMB server tells the client at startup what <emphasis>security level</emphasis>
it is running. There are two options <emphasis>share level</emphasis> and
<emphasis>user level</emphasis>. Which of these two the client receives affects
@@ -244,7 +255,7 @@ with share mode security servers. You are strongly discouraged from use of this
</sect2>
<sect2>
-<title>Domain Level Security</title>
+<title>Domain Security Mode (User Level Security)</title>
<para>
When samba is operating in <emphasis>security = domain</emphasis> mode this means that
@@ -313,12 +324,12 @@ in this HOWTO collection.
</sect2>
<sect2>
-<title>ADS Level Security</title>
+<title>ADS Security Mode (User Level Security)</title>
<para>
Samba-2.2.x could join and Active Directory domain so long as the Active Directory domain
controller is configured for mixed mode operation, and is running NetBIOS over TCP/IP. MS
-Windows 2000 and later can be configured to run without NEtBIOS over TCP/IP, instead it
+Windows 2000 and later can be configured to run without NetBIOS over TCP/IP, instead it
can run SMB natively over TCP/IP.
</para>
@@ -334,7 +345,7 @@ to be a native Active Directory member server.
<para>
<programlisting>
- realm = your.kerberos.realm
+ realm = your.kerberos.REALM
security = ADS
encrypt passwords = Yes
@@ -353,7 +364,7 @@ regarding this configuration option.
</sect2>
<sect2>
-<title>Server Level Security</title>
+<title>Server Security (User Level Security)</title>
<para>
Server level security is a left over from the time when Samba was not capable of acting
diff --git a/docs/docbook/projdoc/samba-doc.xml b/docs/docbook/projdoc/samba-doc.xml
index bf120d3c68..8a582cf6e4 100644
--- a/docs/docbook/projdoc/samba-doc.xml
+++ b/docs/docbook/projdoc/samba-doc.xml
@@ -27,7 +27,7 @@ The most recent version of this document can be found at
<ulink url="http://www.samba.org/">http://www.samba.org/</ulink>
on the "Documentation" page. Please send updates to
<ulink url="mailto:jelmer@samba.org">Jelmer Vernooij</ulink>,
-<ulink url="mailto:jht@samba.org">John Terpstra</ulink> or
+<ulink url="mailto:jht@samba.org">John H Terpstra</ulink> or
<ulink url="mailto:jerry@samba.org">Gerald (Jerry) Carter</ulink>.
</para>