This commit was manufactured by cvs2svn to create branch 'SAMBA_3_0'.(This used to be commit a1ffe2a29c0e6be54af09d6647b7f54369d75a1e)

1 files changed, 161 insertions, 0 deletions

diff --git a/docs/docbook/projdoc/DOMAIN_MEMBER.xml b/docs/docbook/projdoc/DOMAIN_MEMBER.xml
new file mode 100644
index 0000000000..a5921e8ce3
--- /dev/null
+++ b/docs/docbook/projdoc/DOMAIN_MEMBER.xml
@@ -0,0 +1,161 @@
+<chapter id="domain-member">
+
+<chapterinfo>
+	&author.jeremy;
+	&author.jerry;
+	<pubdate>16 Apr 2001</pubdate>
+</chapterinfo>
+
+
+<title>Samba as a NT4 or Win2k domain member</title>
+
+<sect1>
+
+	<title>Joining an NT Domain with Samba 3.0</title>
+	<para><emphasis>Assumptions:</emphasis>
+	<programlisting>
+		NetBIOS name: SERV1
+		Win2K/NT domain name: DOM
+		Domain's PDC NetBIOS name: DOMPDC
+		Domain's BDC NetBIOS names: DOMBDC1 and DOMBDC2
+	</programlisting>
+	</para>
+
+	<para>First, you must edit your &smb.conf; file to tell Samba it should
+	now use domain security.</para>
+	
+	<para>Change (or add) your <ulink url="smb.conf.5.html#SECURITY">
+	<parameter>security =</parameter></ulink> line in the [global] section 
+	of your &smb.conf; to read:</para>
+
+	<para><command>security = domain</command></para>
+
+	<para>Next change the <ulink url="smb.conf.5.html#WORKGROUP"><parameter>
+	workgroup =</parameter></ulink> line in the [global] section to read: </para>
+
+	<para><command>workgroup = DOM</command></para>
+
+	<para>as this is the name of the domain we are joining. </para>
+
+	<para>You must also have the parameter <ulink url="smb.conf.5.html#ENCRYPTPASSWORDS">
+	<parameter>encrypt passwords</parameter></ulink> set to <constant>yes
+	</constant> in order for your users to authenticate to the NT PDC.</para>
+
+	<para>Finally, add (or modify) a <ulink url="smb.conf.5.html#PASSWORDSERVER">
+	<parameter>password server =</parameter></ulink> line in the [global]
+	section to read: </para>
+
+	<para><command>password server = DOMPDC DOMBDC1 DOMBDC2</command></para>
+
+	<para>These are the primary and backup domain controllers Samba 
+	will attempt to contact in order to authenticate users. Samba will 
+	try to contact each of these servers in order, so you may want to 
+	rearrange this list in order to spread out the authentication load 
+	among domain controllers.</para>
+
+	<para>Alternatively, if you want smbd to automatically determine 
+	the list of Domain controllers to use for authentication, you may 
+	set this line to be :</para>
+
+	<para><command>password server = *</command></para>
+
+	<para>This method, allows Samba to use exactly the same
+        mechanism that NT does. This 
+	method either broadcasts or uses a WINS database in order to
+	find domain controllers to authenticate against.</para>
+
+	<para>In order to actually join the domain, you must run this
+        command:</para>
+
+	<para><prompt>root# </prompt><userinput>net join -S DOMPDC
+	-U<replaceable>Administrator%password</replaceable></userinput></para>
+
+	<para>
+	If the <userinput>-S DOMPDC</userinput> argument is not given then
+	the domain name will be obtained from smb.conf.
+	</para>
+
+	<para>as we are joining the domain DOM and the PDC for that domain 
+	(the only machine that has write access to the domain SAM database) 
+	is DOMPDC. The <replaceable>Administrator%password</replaceable> is 
+	the login name and password for an account which has the necessary 
+	privilege to add machines to the domain.  If this is successful 
+	you will see the message:</para>
+
+	<para><computeroutput>Joined domain DOM.</computeroutput>
+	or <computeroutput>Joined 'SERV1' to realm 'MYREALM'</computeroutput>
+	</para>
+
+	<para>in your terminal window. See the <ulink url="net.8.html">
+	net(8)</ulink> man page for more details.</para>
+	
+	<para>This process joins the server to the domain
+	without having to create the machine trust account on the PDC
+	beforehand.</para>
+
+	<para>This command goes through the machine account password 
+	change protocol, then writes the new (random) machine account 
+	password for this Samba server into a file in the same directory 
+	in which an smbpasswd file would be stored - normally :</para>
+
+	<para><filename>/usr/local/samba/private/secrets.tdb</filename></para>
+
+	<para>This file is created and owned by root and is not 
+	readable by any other user. It is the key to the domain-level 
+	security for your system, and should be treated as carefully 
+	as a shadow password file.</para>
+
+	<para>Finally, restart your Samba daemons and get ready for 
+	clients to begin using domain security!</para>
+</sect1>
+
+<sect1>
+	<title>Why is this better than security = server?</title>
+
+	<para>Currently, domain security in Samba doesn't free you from 
+	having to create local Unix users to represent the users attaching 
+	to your server. This means that if domain user <constant>DOM\fred
+	</constant> attaches to your domain security Samba server, there needs 
+	to be a local Unix user fred to represent that user in the Unix 
+	filesystem. This is very similar to the older Samba security mode 
+	<ulink url="smb.conf.5.html#SECURITYEQUALSSERVER">security = server</ulink>, 
+	where Samba would pass through the authentication request to a Windows 
+	NT server in the same way as a Windows 95 or Windows 98 server would.
+	</para>
+	
+	<para>Please refer to the <ulink url="winbind.html">Winbind 
+	paper</ulink> for information on a system to automatically
+	assign UNIX uids and gids to Windows NT Domain users and groups.
+	</para>
+
+	<para>The advantage to domain-level security is that the 
+	authentication in domain-level security is passed down the authenticated 
+	RPC channel in exactly the same way that an NT server would do it. This 
+	means Samba servers now participate in domain trust relationships in 
+	exactly the same way NT servers do (i.e., you can add Samba servers into 
+	a resource domain and have the authentication passed on from a resource
+	domain PDC to an account domain PDC).</para>
+
+	<para>In addition, with <command>security = server</command> every Samba 
+	daemon on a server has to keep a connection open to the 
+	authenticating server for as long as that daemon lasts. This can drain 
+	the connection resources on a Microsoft NT server and cause it to run 
+	out of available connections. With <command>security = domain</command>, 
+	however, the Samba daemons connect to the PDC/BDC only for as long 
+	as is necessary to authenticate the user, and then drop the connection, 
+	thus conserving PDC connection resources.</para>
+
+	<para>And finally, acting in the same manner as an NT server 
+	authenticating to a PDC means that as part of the authentication 
+	reply, the Samba server gets the user identification information such 
+	as the user SID, the list of NT groups the user belongs to, etc. </para>
+
+	<note><para> Much of the text of this document 
+	was first published in the Web magazine <ulink url="http://www.linuxworld.com"> 	
+	LinuxWorld</ulink> as the article <ulink
+	url="http://www.linuxworld.com/linuxworld/lw-1998-10/lw-10-samba.html">Doing 
+	the NIS/NT Samba</ulink>.</para></note>
+
+</sect1>
+
+</chapter>