summaryrefslogtreecommitdiff
path: root/docs/docbook/projdoc/DOMAIN_MEMBER.xml
diff options
context:
space:
mode:
authorAlexander Bokovoy <ab@samba.org>2003-04-30 21:26:24 +0000
committerAlexander Bokovoy <ab@samba.org>2003-04-30 21:26:24 +0000
commit3d6bb1823c3a82958ee2b80be4f953e23703eb9d (patch)
treecf26d289c63bb1365aab490938515991602b5db3 /docs/docbook/projdoc/DOMAIN_MEMBER.xml
parent318acec837279edaf74e331afc8ebdba5c05db71 (diff)
downloadsamba-3d6bb1823c3a82958ee2b80be4f953e23703eb9d.tar.gz
samba-3d6bb1823c3a82958ee2b80be4f953e23703eb9d.tar.bz2
samba-3d6bb1823c3a82958ee2b80be4f953e23703eb9d.zip
Docbook XML conversion: projdoc
(This used to be commit f7c9df751459da2d4a996d5f0135334fb3f87f69)
Diffstat (limited to 'docs/docbook/projdoc/DOMAIN_MEMBER.xml')
-rw-r--r--docs/docbook/projdoc/DOMAIN_MEMBER.xml161
1 files changed, 161 insertions, 0 deletions
diff --git a/docs/docbook/projdoc/DOMAIN_MEMBER.xml b/docs/docbook/projdoc/DOMAIN_MEMBER.xml
new file mode 100644
index 0000000000..a5921e8ce3
--- /dev/null
+++ b/docs/docbook/projdoc/DOMAIN_MEMBER.xml
@@ -0,0 +1,161 @@
+<chapter id="domain-member">
+
+<chapterinfo>
+ &author.jeremy;
+ &author.jerry;
+ <pubdate>16 Apr 2001</pubdate>
+</chapterinfo>
+
+
+<title>Samba as a NT4 or Win2k domain member</title>
+
+<sect1>
+
+ <title>Joining an NT Domain with Samba 3.0</title>
+ <para><emphasis>Assumptions:</emphasis>
+ <programlisting>
+ NetBIOS name: SERV1
+ Win2K/NT domain name: DOM
+ Domain's PDC NetBIOS name: DOMPDC
+ Domain's BDC NetBIOS names: DOMBDC1 and DOMBDC2
+ </programlisting>
+ </para>
+
+ <para>First, you must edit your &smb.conf; file to tell Samba it should
+ now use domain security.</para>
+
+ <para>Change (or add) your <ulink url="smb.conf.5.html#SECURITY">
+ <parameter>security =</parameter></ulink> line in the [global] section
+ of your &smb.conf; to read:</para>
+
+ <para><command>security = domain</command></para>
+
+ <para>Next change the <ulink url="smb.conf.5.html#WORKGROUP"><parameter>
+ workgroup =</parameter></ulink> line in the [global] section to read: </para>
+
+ <para><command>workgroup = DOM</command></para>
+
+ <para>as this is the name of the domain we are joining. </para>
+
+ <para>You must also have the parameter <ulink url="smb.conf.5.html#ENCRYPTPASSWORDS">
+ <parameter>encrypt passwords</parameter></ulink> set to <constant>yes
+ </constant> in order for your users to authenticate to the NT PDC.</para>
+
+ <para>Finally, add (or modify) a <ulink url="smb.conf.5.html#PASSWORDSERVER">
+ <parameter>password server =</parameter></ulink> line in the [global]
+ section to read: </para>
+
+ <para><command>password server = DOMPDC DOMBDC1 DOMBDC2</command></para>
+
+ <para>These are the primary and backup domain controllers Samba
+ will attempt to contact in order to authenticate users. Samba will
+ try to contact each of these servers in order, so you may want to
+ rearrange this list in order to spread out the authentication load
+ among domain controllers.</para>
+
+ <para>Alternatively, if you want smbd to automatically determine
+ the list of Domain controllers to use for authentication, you may
+ set this line to be :</para>
+
+ <para><command>password server = *</command></para>
+
+ <para>This method, allows Samba to use exactly the same
+ mechanism that NT does. This
+ method either broadcasts or uses a WINS database in order to
+ find domain controllers to authenticate against.</para>
+
+ <para>In order to actually join the domain, you must run this
+ command:</para>
+
+ <para><prompt>root# </prompt><userinput>net join -S DOMPDC
+ -U<replaceable>Administrator%password</replaceable></userinput></para>
+
+ <para>
+ If the <userinput>-S DOMPDC</userinput> argument is not given then
+ the domain name will be obtained from smb.conf.
+ </para>
+
+ <para>as we are joining the domain DOM and the PDC for that domain
+ (the only machine that has write access to the domain SAM database)
+ is DOMPDC. The <replaceable>Administrator%password</replaceable> is
+ the login name and password for an account which has the necessary
+ privilege to add machines to the domain. If this is successful
+ you will see the message:</para>
+
+ <para><computeroutput>Joined domain DOM.</computeroutput>
+ or <computeroutput>Joined 'SERV1' to realm 'MYREALM'</computeroutput>
+ </para>
+
+ <para>in your terminal window. See the <ulink url="net.8.html">
+ net(8)</ulink> man page for more details.</para>
+
+ <para>This process joins the server to the domain
+ without having to create the machine trust account on the PDC
+ beforehand.</para>
+
+ <para>This command goes through the machine account password
+ change protocol, then writes the new (random) machine account
+ password for this Samba server into a file in the same directory
+ in which an smbpasswd file would be stored - normally :</para>
+
+ <para><filename>/usr/local/samba/private/secrets.tdb</filename></para>
+
+ <para>This file is created and owned by root and is not
+ readable by any other user. It is the key to the domain-level
+ security for your system, and should be treated as carefully
+ as a shadow password file.</para>
+
+ <para>Finally, restart your Samba daemons and get ready for
+ clients to begin using domain security!</para>
+</sect1>
+
+<sect1>
+ <title>Why is this better than security = server?</title>
+
+ <para>Currently, domain security in Samba doesn't free you from
+ having to create local Unix users to represent the users attaching
+ to your server. This means that if domain user <constant>DOM\fred
+ </constant> attaches to your domain security Samba server, there needs
+ to be a local Unix user fred to represent that user in the Unix
+ filesystem. This is very similar to the older Samba security mode
+ <ulink url="smb.conf.5.html#SECURITYEQUALSSERVER">security = server</ulink>,
+ where Samba would pass through the authentication request to a Windows
+ NT server in the same way as a Windows 95 or Windows 98 server would.
+ </para>
+
+ <para>Please refer to the <ulink url="winbind.html">Winbind
+ paper</ulink> for information on a system to automatically
+ assign UNIX uids and gids to Windows NT Domain users and groups.
+ </para>
+
+ <para>The advantage to domain-level security is that the
+ authentication in domain-level security is passed down the authenticated
+ RPC channel in exactly the same way that an NT server would do it. This
+ means Samba servers now participate in domain trust relationships in
+ exactly the same way NT servers do (i.e., you can add Samba servers into
+ a resource domain and have the authentication passed on from a resource
+ domain PDC to an account domain PDC).</para>
+
+ <para>In addition, with <command>security = server</command> every Samba
+ daemon on a server has to keep a connection open to the
+ authenticating server for as long as that daemon lasts. This can drain
+ the connection resources on a Microsoft NT server and cause it to run
+ out of available connections. With <command>security = domain</command>,
+ however, the Samba daemons connect to the PDC/BDC only for as long
+ as is necessary to authenticate the user, and then drop the connection,
+ thus conserving PDC connection resources.</para>
+
+ <para>And finally, acting in the same manner as an NT server
+ authenticating to a PDC means that as part of the authentication
+ reply, the Samba server gets the user identification information such
+ as the user SID, the list of NT groups the user belongs to, etc. </para>
+
+ <note><para> Much of the text of this document
+ was first published in the Web magazine <ulink url="http://www.linuxworld.com">
+ LinuxWorld</ulink> as the article <ulink
+ url="http://www.linuxworld.com/linuxworld/lw-1998-10/lw-10-samba.html">Doing
+ the NIS/NT Samba</ulink>.</para></note>
+
+</sect1>
+
+</chapter>