diff options
author | Alexander Bokovoy <ab@samba.org> | 2003-04-30 21:26:24 +0000 |
---|---|---|
committer | Alexander Bokovoy <ab@samba.org> | 2003-04-30 21:26:24 +0000 |
commit | 3d6bb1823c3a82958ee2b80be4f953e23703eb9d (patch) | |
tree | cf26d289c63bb1365aab490938515991602b5db3 /docs/docbook/projdoc/DOMAIN_MEMBER.xml | |
parent | 318acec837279edaf74e331afc8ebdba5c05db71 (diff) | |
download | samba-3d6bb1823c3a82958ee2b80be4f953e23703eb9d.tar.gz samba-3d6bb1823c3a82958ee2b80be4f953e23703eb9d.tar.bz2 samba-3d6bb1823c3a82958ee2b80be4f953e23703eb9d.zip |
Docbook XML conversion: projdoc
(This used to be commit f7c9df751459da2d4a996d5f0135334fb3f87f69)
Diffstat (limited to 'docs/docbook/projdoc/DOMAIN_MEMBER.xml')
-rw-r--r-- | docs/docbook/projdoc/DOMAIN_MEMBER.xml | 161 |
1 files changed, 161 insertions, 0 deletions
diff --git a/docs/docbook/projdoc/DOMAIN_MEMBER.xml b/docs/docbook/projdoc/DOMAIN_MEMBER.xml new file mode 100644 index 0000000000..a5921e8ce3 --- /dev/null +++ b/docs/docbook/projdoc/DOMAIN_MEMBER.xml @@ -0,0 +1,161 @@ +<chapter id="domain-member"> + +<chapterinfo> + &author.jeremy; + &author.jerry; + <pubdate>16 Apr 2001</pubdate> +</chapterinfo> + + +<title>Samba as a NT4 or Win2k domain member</title> + +<sect1> + + <title>Joining an NT Domain with Samba 3.0</title> + <para><emphasis>Assumptions:</emphasis> + <programlisting> + NetBIOS name: SERV1 + Win2K/NT domain name: DOM + Domain's PDC NetBIOS name: DOMPDC + Domain's BDC NetBIOS names: DOMBDC1 and DOMBDC2 + </programlisting> + </para> + + <para>First, you must edit your &smb.conf; file to tell Samba it should + now use domain security.</para> + + <para>Change (or add) your <ulink url="smb.conf.5.html#SECURITY"> + <parameter>security =</parameter></ulink> line in the [global] section + of your &smb.conf; to read:</para> + + <para><command>security = domain</command></para> + + <para>Next change the <ulink url="smb.conf.5.html#WORKGROUP"><parameter> + workgroup =</parameter></ulink> line in the [global] section to read: </para> + + <para><command>workgroup = DOM</command></para> + + <para>as this is the name of the domain we are joining. </para> + + <para>You must also have the parameter <ulink url="smb.conf.5.html#ENCRYPTPASSWORDS"> + <parameter>encrypt passwords</parameter></ulink> set to <constant>yes + </constant> in order for your users to authenticate to the NT PDC.</para> + + <para>Finally, add (or modify) a <ulink url="smb.conf.5.html#PASSWORDSERVER"> + <parameter>password server =</parameter></ulink> line in the [global] + section to read: </para> + + <para><command>password server = DOMPDC DOMBDC1 DOMBDC2</command></para> + + <para>These are the primary and backup domain controllers Samba + will attempt to contact in order to authenticate users. Samba will + try to contact each of these servers in order, so you may want to + rearrange this list in order to spread out the authentication load + among domain controllers.</para> + + <para>Alternatively, if you want smbd to automatically determine + the list of Domain controllers to use for authentication, you may + set this line to be :</para> + + <para><command>password server = *</command></para> + + <para>This method, allows Samba to use exactly the same + mechanism that NT does. This + method either broadcasts or uses a WINS database in order to + find domain controllers to authenticate against.</para> + + <para>In order to actually join the domain, you must run this + command:</para> + + <para><prompt>root# </prompt><userinput>net join -S DOMPDC + -U<replaceable>Administrator%password</replaceable></userinput></para> + + <para> + If the <userinput>-S DOMPDC</userinput> argument is not given then + the domain name will be obtained from smb.conf. + </para> + + <para>as we are joining the domain DOM and the PDC for that domain + (the only machine that has write access to the domain SAM database) + is DOMPDC. The <replaceable>Administrator%password</replaceable> is + the login name and password for an account which has the necessary + privilege to add machines to the domain. If this is successful + you will see the message:</para> + + <para><computeroutput>Joined domain DOM.</computeroutput> + or <computeroutput>Joined 'SERV1' to realm 'MYREALM'</computeroutput> + </para> + + <para>in your terminal window. See the <ulink url="net.8.html"> + net(8)</ulink> man page for more details.</para> + + <para>This process joins the server to the domain + without having to create the machine trust account on the PDC + beforehand.</para> + + <para>This command goes through the machine account password + change protocol, then writes the new (random) machine account + password for this Samba server into a file in the same directory + in which an smbpasswd file would be stored - normally :</para> + + <para><filename>/usr/local/samba/private/secrets.tdb</filename></para> + + <para>This file is created and owned by root and is not + readable by any other user. It is the key to the domain-level + security for your system, and should be treated as carefully + as a shadow password file.</para> + + <para>Finally, restart your Samba daemons and get ready for + clients to begin using domain security!</para> +</sect1> + +<sect1> + <title>Why is this better than security = server?</title> + + <para>Currently, domain security in Samba doesn't free you from + having to create local Unix users to represent the users attaching + to your server. This means that if domain user <constant>DOM\fred + </constant> attaches to your domain security Samba server, there needs + to be a local Unix user fred to represent that user in the Unix + filesystem. This is very similar to the older Samba security mode + <ulink url="smb.conf.5.html#SECURITYEQUALSSERVER">security = server</ulink>, + where Samba would pass through the authentication request to a Windows + NT server in the same way as a Windows 95 or Windows 98 server would. + </para> + + <para>Please refer to the <ulink url="winbind.html">Winbind + paper</ulink> for information on a system to automatically + assign UNIX uids and gids to Windows NT Domain users and groups. + </para> + + <para>The advantage to domain-level security is that the + authentication in domain-level security is passed down the authenticated + RPC channel in exactly the same way that an NT server would do it. This + means Samba servers now participate in domain trust relationships in + exactly the same way NT servers do (i.e., you can add Samba servers into + a resource domain and have the authentication passed on from a resource + domain PDC to an account domain PDC).</para> + + <para>In addition, with <command>security = server</command> every Samba + daemon on a server has to keep a connection open to the + authenticating server for as long as that daemon lasts. This can drain + the connection resources on a Microsoft NT server and cause it to run + out of available connections. With <command>security = domain</command>, + however, the Samba daemons connect to the PDC/BDC only for as long + as is necessary to authenticate the user, and then drop the connection, + thus conserving PDC connection resources.</para> + + <para>And finally, acting in the same manner as an NT server + authenticating to a PDC means that as part of the authentication + reply, the Samba server gets the user identification information such + as the user SID, the list of NT groups the user belongs to, etc. </para> + + <note><para> Much of the text of this document + was first published in the Web magazine <ulink url="http://www.linuxworld.com"> + LinuxWorld</ulink> as the article <ulink + url="http://www.linuxworld.com/linuxworld/lw-1998-10/lw-10-samba.html">Doing + the NIS/NT Samba</ulink>.</para></note> + +</sect1> + +</chapter> |