summaryrefslogtreecommitdiff
path: root/docs/htmldocs/samba-pdc.html
diff options
context:
space:
mode:
authorJelmer Vernooij <jelmer@samba.org>2003-08-15 18:26:34 +0000
committerJelmer Vernooij <jelmer@samba.org>2003-08-15 18:26:34 +0000
commitd069dacb6e17866dd5d3862e1837a9cae008644f (patch)
treec1b660005d31583819c7f43f79168a3332150a85 /docs/htmldocs/samba-pdc.html
parentcedd66b6e67f4c463eaa072f0e6d87ee1f55718e (diff)
downloadsamba-d069dacb6e17866dd5d3862e1837a9cae008644f.tar.gz
samba-d069dacb6e17866dd5d3862e1837a9cae008644f.tar.bz2
samba-d069dacb6e17866dd5d3862e1837a9cae008644f.zip
Regenerate docs
(This used to be commit dc33e94161e4fc1ca6bf66a321c708c89bb276e3)
Diffstat (limited to 'docs/htmldocs/samba-pdc.html')
-rw-r--r--docs/htmldocs/samba-pdc.html510
1 files changed, 510 insertions, 0 deletions
diff --git a/docs/htmldocs/samba-pdc.html b/docs/htmldocs/samba-pdc.html
new file mode 100644
index 0000000000..aab2d4207c
--- /dev/null
+++ b/docs/htmldocs/samba-pdc.html
@@ -0,0 +1,510 @@
+<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Chapter 5. Domain Control</title><link rel="stylesheet" href="samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.60.1"><link rel="home" href="samba-doc.html" title="SAMBA Project Documentation"><link rel="up" href="type.html" title="Part II. Server Configuration Basics"><link rel="previous" href="ServerType.html" title="Chapter 4. Server Types and Security Modes"><link rel="next" href="samba-bdc.html" title="Chapter 6. Backup Domain Control"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Chapter 5. Domain Control</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="ServerType.html">Prev</a> </td><th width="60%" align="center">Part II. Server Configuration Basics</th><td width="20%" align="right"> <a accesskey="n" href="samba-bdc.html">Next</a></td></tr></table><hr></div><div class="chapter" lang="en"><div class="titlepage"><div><div><h2 class="title"><a name="samba-pdc"></a>Chapter 5. Domain Control</h2></div><div><div class="author"><h3 class="author"><span class="firstname">John</span> <span class="othername">H.</span> <span class="surname">Terpstra</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><tt class="email">&lt;<a href="mailto:jht@samba.org">jht@samba.org</a>&gt;</tt></p></div></div></div></div><div><div class="author"><h3 class="author"><span class="firstname">Gerald</span> <span class="othername">(Jerry)</span> <span class="surname">Carter</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><tt class="email">&lt;<a href="mailto:jerry@samba.org">jerry@samba.org</a>&gt;</tt></p></div></div></div></div><div><div class="author"><h3 class="author"><span class="firstname">David</span> <span class="surname">Bannon</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><tt class="email">&lt;<a href="mailto:dbannon@samba.org">dbannon@samba.org</a>&gt;</tt></p></div></div></div></div></div><div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><a href="samba-pdc.html#id2886861">Features and Benefits</a></dt><dt><a href="samba-pdc.html#id2887076">Basics of Domain Control</a></dt><dd><dl><dt><a href="samba-pdc.html#id2887090">Domain Controller Types</a></dt><dt><a href="samba-pdc.html#id2887335">Preparing for Domain Control</a></dt></dl></dd><dt><a href="samba-pdc.html#id2887717">Domain Control - Example Configuration</a></dt><dt><a href="samba-pdc.html#id2888205">Samba ADS Domain Control</a></dt><dt><a href="samba-pdc.html#id2888257">Domain and Network Logon Configuration</a></dt><dd><dl><dt><a href="samba-pdc.html#id2888272">Domain Network Logon Service</a></dt><dt><a href="samba-pdc.html#id2888704">Security Mode and Master Browsers</a></dt></dl></dd><dt><a href="samba-pdc.html#id2888850">Common Errors</a></dt><dd><dl><dt><a href="samba-pdc.html#id2888857">'$' cannot be included in machine name</a></dt><dt><a href="samba-pdc.html#id2888916">Joining domain fails because of existing machine account</a></dt><dt><a href="samba-pdc.html#id2888975">The system can not log you on (C000019B)....</a></dt><dt><a href="samba-pdc.html#id2889059">The machine trust account not accessible</a></dt><dt><a href="samba-pdc.html#id2889131">Account disabled</a></dt><dt><a href="samba-pdc.html#id2889164">Domain Controller Unavailable</a></dt><dt><a href="samba-pdc.html#id2889186">Can not log onto domain member workstation after joining domain</a></dt></dl></dd></dl></div><p><b><span class="emphasis"><em>The Essence of Learning:</em></span> </b>
+There are many who approach MS Windows networking with incredible misconceptions.
+That's OK, because it gives the rest of us plenty of opportunity to be of assistance.
+Those who really want help would be well advised to become familiar with information
+that is already available.
+</p><p>
+The reader is advised NOT to tackle this section without having first understood
+and mastered some basics. MS Windows networking is not particularly forgiving of
+misconfiguration. Users of MS Windows networking are likely to complain
+of persistent niggles that may be caused by a broken network configuration.
+To a great many people however, MS Windows networking starts with a domain controller
+that in some magical way is expected to solve all ills.
+</p><div class="figure"><a name="domain-example"></a><p class="title"><b>Figure 5.1. An Example Domain</b></p><div class="mediaobject"><img src="projdoc/imagefiles/domain.png" width="270" alt="An Example Domain"></div></div><p>
+From the Samba mailing list one can readily identify many common networking issues.
+If you are not clear on the following subjects, then it will do much good to read the
+sections of this HOWTO that deal with it. These are the most common causes of MS Windows
+networking problems:
+</p><div class="itemizedlist"><ul type="disc"><li><p>Basic TCP/IP configuration</p></li><li><p>NetBIOS name resolution</p></li><li><p>Authentication configuration</p></li><li><p>User and Group configuration</p></li><li><p>Basic File and Directory Permission Control in UNIX/Linux</p></li><li><p>Understanding of how MS Windows clients interoperate in a network
+ environment</p></li></ul></div><p>
+Do not be put off; on the surface of it MS Windows networking seems so simple that anyone
+can do it. In fact, it is not a good idea to set up an MS Windows network with
+inadequate training and preparation. But let's get our first indelible principle out of the
+way: <span class="emphasis"><em>It is perfectly OK to make mistakes!</em></span> In the right place and at
+the right time, mistakes are the essence of learning. It is <span class="emphasis"><em>very much</em></span>
+not ok to make mistakes that cause loss of productivity and impose an avoidable financial
+burden on an organisation.
+</p><p>
+Where is the right place to make mistakes? Only out of harm's way! If you are going to
+make mistakes, then please do this on a test network, away from users and in such a way as
+to not inflict pain on others. Do your learning on a test network.
+</p><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2886861"></a>Features and Benefits</h2></div></div><div></div></div><p>
+<span class="emphasis"><em>What is the key benefit of Microsoft Domain security?</em></span>
+</p><p>
+In a word, <span class="emphasis"><em>Single Sign On</em></span>, or SSO for short. To many, this is the holy
+grail of MS Windows NT and beyond networking. SSO allows users in a well designed network
+to log onto any workstation that is a member of the domain that their user account is in
+(or in a domain that has an appropriate trust relationship with the domain they are visiting)
+and they will be able to log onto the network and access resources (shares, files, and printers)
+as if they are sitting at their home (personal) workstation. This is a feature of the Domain
+security protocols.
+</p><p>
+The benefits of Domain security are available to those sites that deploy a Samba PDC.
+A Domain provides a unique network security identifier (SID). Domain user and group security
+identifiers are comprised of the network SID plus a relative identifier (RID) that is unique to
+the account. User and Group SIDs (the network SID plus the RID) can be used to create Access Control
+Lists (ACLs) attached to network resources to provide organizational access control. UNIX systems
+know only of local security identifiers.
+</p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>
+Network clients of an MS Windows Domain security environment must be Domain members to be
+able to gain access to the advanced features provided. Domain membership involves more than just
+setting the workgroup name to the Domain name. It requires the creation of a Domain trust account
+for the workstation (called a machine account). Please refer to the chapter on
+<a href="domain-member.html" title="Chapter 7. Domain Membership">setting up samba as a domain member</a> for more information.
+</p></div><p>
+The following functionalities are new to the Samba-3 release:
+</p><div class="itemizedlist"><ul type="disc"><li><p>
+ Windows NT4 domain trusts
+ </p></li><li><p>
+ Adding users via the User Manager for Domains. This can be done on any MS Windows
+ client using the Nexus toolkit that is available from Microsoft's web site.
+ Samba-3 supports the use of the Microsoft Management Console for user management.
+ </p></li><li><p>
+ Introduces replaceable and multiple user account (authentication)
+ back ends. In the case where the back end is placed in an LDAP database,
+ Samba-3 confers the benefits of a back end that can be distributed, replicated,
+ and is highly scalable.
+ </p></li><li><p>
+ Implements full Unicode support. This simplifies cross locale internationalisation
+ support. It also opens up the use of protocols that Samba-2.2.x had but could not use due
+ to the need to fully support Unicode.
+ </p></li></ul></div><p>
+The following functionalities are NOT provided by Samba-3:
+</p><div class="itemizedlist"><ul type="disc"><li><p>
+ SAM replication with Windows NT4 Domain Controllers
+ (i.e. a Samba PDC and a Windows NT BDC or vice versa). This means samba
+ cannot operate as a BDC when the PDC is Microsoft-based or
+ replicate account data to Windows-BDC's.
+ </p></li><li><p>
+ Acting as a Windows 2000 Domain Controller (i.e. Kerberos and
+ Active Directory) - In point of fact, Samba-3 DOES have some
+ Active Directory Domain Control ability that is at this time
+ purely experimental <span class="emphasis"><em>AND</em></span> that is certain
+ to change as it becomes a fully supported feature some time
+ during the Samba-3 (or later) life cycle. However, Active Directory is
+ more then just SMB - it's also LDAP, Kerberos, DHCP and other protocols
+ (with proprietary extensions, of course).
+ </p></li></ul></div><p>
+Windows 9x / Me / XP Home clients are not true members of a domain for reasons outlined
+in this chapter. The protocol for support of Windows 9x / Me style network (domain) logons
+is completely different from NT4 / Win2k type domain logons and has been officially supported
+for some time. These clients use the old LanMan Network Logon facilities that are supported
+in Samba since approximately the Samba-1.9.15 series.
+</p><p>
+Samba-3 has an implementation of group mapping between Windows NT groups
+and UNIX groups (this is really quite complicated to explain in a short space). This is
+discussed more fully in <a href="groupmapping.html" title="Chapter 12. Mapping MS Windows and UNIX Groups">the chapter on group mapping</a>.
+</p><p>
+Samba-3, like an MS Windows NT4 PDC or a Windows 200x Active Directory, needs to store
+user and machine trust account information in a suitable backend data store.
+Refer <a href="domain-member.html#machine-trust-accounts" title="MS Windows Workstation/Server Machine Trust Accounts">to the section on machine trust accounts</a>. With Samba-3 there can be multiple
+back-ends for this. A complete discussion of account database backends can be found in
+<a href="passdb.html" title="Chapter 11. Account Information Databases">the chapter on Account Information Databases</a>.
+</p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2887076"></a>Basics of Domain Control</h2></div></div><div></div></div><p>
+Over the years, public perceptions of what Domain Control really is has taken on an
+almost mystical nature. Before we branch into a brief overview of Domain Control,
+there are three basic types of domain controllers:
+</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2887090"></a>Domain Controller Types</h3></div></div><div></div></div><div class="itemizedlist"><ul type="disc"><li><p>Primary Domain Controller</p></li><li><p>Backup Domain Controller</p></li><li><p>ADS Domain Controller</p></li></ul></div><p>
+The <span class="emphasis"><em>Primary Domain Controller</em></span> or PDC plays an important role in the MS
+Windows NT4. In Windows 200x Domain Control architecture this role is held by domain controllers.
+There is folk lore that dictates that because of it's role in the MS Windows
+network, the domain controllers should be the most powerful and most capable machine in the network.
+As strange as it may seem to say this here, good over all network performance dictates that
+the entire infrastructure needs to be balanced. It is advisable to invest more in Stand-Alone
+(or Domain Member) servers than in the domain controllers.
+</p><p>
+In the case of MS Windows NT4 style domains, it is the PDC that initiates a new Domain Control database.
+This forms a part of the Windows registry called the SAM (Security Account Manager). It plays a key
+part in NT4 type domain user authentication and in synchronisation of the domain authentication
+database with Backup Domain Controllers.
+</p><p>
+With MS Windows 200x Server based Active Directory domains, one domain controller initiates a potential
+hierarchy of domain controllers, each with their own area of delegated control. The master domain
+controller has the ability to override any down-stream controller, but a down-line controller has
+control only over it's down-line. With Samba-3 this functionality can be implemented using an
+LDAP based user and machine account back end.
+</p><p>
+New to Samba-3 is the ability to use a back-end database that holds the same type of data as
+the NT4 style SAM (Security Account Manager) database (one of the registry files).
+<sup>[<a name="id2887167" href="#ftn.id2887167">1</a>]</sup>
+</p><p>
+The <span class="emphasis"><em>Backup Domain Controller</em></span> or BDC plays a key role in servicing network
+authentication requests. The BDC is biased to answer logon requests in preference to the PDC.
+On a network segment that has a BDC and a PDC the BDC will be most likely to service network
+logon requests. The PDC will answer network logon requests when the BDC is too busy (high load).
+A BDC can be promoted to a PDC. If the PDC is on line at the time that a BDC is promoted to
+PDC, the previous PDC is automatically demoted to a BDC. With Samba-3 this is NOT an automatic
+operation; the PDC and BDC must be manually configured and changes need to be made likewise.
+</p><p>
+With MS Windows NT4, it is an install time decision what type of machine the server will be.
+It is possible to change the promote a BDC to a PDC and vice versa only, but the only way
+to convert a domain controller to a domain member server or a stand-alone server is to
+reinstall it. The install time choices offered are:
+</p><div class="itemizedlist"><ul type="disc"><li><p><span class="emphasis"><em>Primary Domain Controller</em></span> - The one that seeds the domain SAM</p></li><li><p><span class="emphasis"><em>Backup Domain Controller</em></span> - One that obtains a copy of the domain SAM</p></li><li><p><span class="emphasis"><em>Domain Member Server</em></span> - One that has NO copy of the domain SAM, rather it obtains authentication from a Domain Controller for all access controls.</p></li><li><p><span class="emphasis"><em>Stand-Alone Server</em></span> - One that plays NO part is SAM synchronisation, has it's own authentication database and plays no role in Domain security.</p></li></ul></div><p>
+With MS Windows 2000 the configuration of domain control is done after the server has been
+installed. Samba-3 is capable of acting fully as a native member of a Windows 200x server
+Active Directory domain.
+</p><p>
+New to Samba-3 is the ability to function fully as an MS Windows NT4 style Domain Controller,
+excluding the SAM replication components. However, please be aware that Samba-3 support the
+MS Windows 200x domain control protocols also.
+</p><p>
+At this time any appearance that Samba-3 is capable of acting as an
+<span class="emphasis"><em>Domain Controller</em></span> in native ADS mode is limited and experimental in nature.
+This functionality should not be used until the Samba-Team offers formal support for it.
+At such a time, the documentation will be revised to duly reflect all configuration and
+management requirements. Samba can act as a NT4-style DC in a Windows 2000/XP
+environment. However, there are certain compromises:
+
+</p><div class="itemizedlist"><ul type="disc"><li><p>No machine policy files</p></li><li><p>No Group Policy Objects</p></li><li><p>No synchronously executed AD logon scripts</p></li><li><p>Can't use ANY Active Directory management tools to manage users and machines</p></li><li><p>Registry changes tattoo the main registry, while with AD they do NOT. ie: Leave permanent changes in effect</p></li><li><p>Without AD you can not peprform the function of exporting specific applications to specific users or groups</p></li></ul></div><p>
+</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2887335"></a>Preparing for Domain Control</h3></div></div><div></div></div><p>
+There are two ways that MS Windows machines may interact with each other, with other servers,
+and with Domain Controllers: Either as <span class="emphasis"><em>Stand-Alone</em></span> systems, more commonly
+called <span class="emphasis"><em>Workgroup</em></span> members, or as full participants in a security system,
+more commonly called <span class="emphasis"><em>Domain</em></span> members.
+</p><p>
+It should be noted that <span class="emphasis"><em>Workgroup</em></span> membership involve no special configuration
+other than the machine being configured so that the network configuration has a commonly used name
+for it's workgroup entry. It is not uncommon for the name WORKGROUP to be used for this. With this
+mode of configuration there are NO machine trust accounts and any concept of membership as such
+is limited to the fact that all machines appear in the network neighbourhood to be logically
+grouped together. Again, just to be clear: <span class="emphasis"><em>workgroup mode does not involve any security machine
+accounts</em></span>.
+</p><p>
+Domain member machines have a machine account in the Domain accounts database. A special procedure
+must be followed on each machine to affect Domain membership. This procedure, which can be done
+only by the local machine Administrator account, will create the Domain machine account (if
+if does not exist), and then initializes that account. When the client first logs onto the
+Domain it triggers a machine password change.
+</p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>
+When running a Domain all MS Windows NT / 200x / XP Professional clients should be configured
+as full Domain Members - IF A SECURE NETWORK IS WANTED. If the machine is NOT made a member of the
+Domain, then it will operate like a workgroup (stand-alone) machine. Please refer to
+<a href="domain-member.html" title="Chapter 7. Domain Membership">the chapter on domain membership</a> for information regarding HOW to make your MS Windows clients Domain members.
+</p></div><p>
+The following are necessary for configuring Samba-3 as an MS Windows NT4 style PDC for MS Windows
+NT4 / 200x / XP clients.
+</p><div class="itemizedlist"><ul type="disc"><li><p>Configuration of basic TCP/IP and MS Windows Networking</p></li><li><p>Correct designation of the Server Role (<a class="indexterm" name="id2887441"></a><i class="parameter"><tt>security</tt></i> = user)</p></li><li><p>Consistent configuration of Name Resolution (See chapter on <a href="NetworkBrowsing.html" title="Chapter 10. Samba / MS Windows Network Browsing Guide">Network Browsing</a> and on
+ <a href="integrate-ms-networks.html" title="Chapter 26. Integrating MS Windows networks with Samba">Integrating Unix into Windows networks</a>)</p></li><li><p>Domain logons for Windows NT4 / 200x / XP Professional clients</p></li><li><p>Configuration of Roaming Profiles or explicit configuration to force local profile usage</p></li><li><p>Configuration of Network/System Policies</p></li><li><p>Adding and managing domain user accounts</p></li><li><p>Configuring MS Windows client machines to become domain members</p></li></ul></div><p>
+The following provisions are required to serve MS Windows 9x / Me Clients:
+</p><div class="itemizedlist"><ul type="disc"><li><p>Configuration of basic TCP/IP and MS Windows Networking</p></li><li><p>Correct designation of the Server Role (<a class="indexterm" name="id2887534"></a><i class="parameter"><tt>security</tt></i> = user)</p></li><li><p>Network Logon Configuration (Since Windows 9x / XP Home are not technically domain
+ members, they do not really participate in the security aspects of Domain logons as such)</p></li><li><p>Roaming Profile Configuration</p></li><li><p>Configuration of System Policy handling</p></li><li><p>Installation of the Network driver &quot;Client for MS Windows Networks&quot; and configuration
+ to log onto the domain</p></li><li><p>Placing Windows 9x / Me clients in user level security - if it is desired to allow
+ all client share access to be controlled according to domain user / group identities.</p></li><li><p>Adding and managing domain user accounts</p></li></ul></div><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>
+Roaming Profiles and System/Network policies are advanced network administration topics
+that are covered in the <a href="ProfileMgmt.html" title="Chapter 24. Desktop Profile Management">Profile Management</a> and
+<a href="PolicyMgmt.html" title="Chapter 23. System and Account Policies">Policy Management</a> chapters of this document. However, these are not
+necessarily specific to a Samba PDC as much as they are related to Windows NT networking concepts.
+</p></div><p>
+A Domain Controller is an SMB/CIFS server that:
+</p><div class="itemizedlist"><ul type="disc"><li><p>
+ Registers and advertises itself as a Domain Controller (through NetBIOS broadcasts
+ as well as by way of name registrations either by Mailslot Broadcasts over UDP broadcast,
+ to a WINS server over UDP unicast, or via DNS and Active Directory)
+ </p></li><li><p>
+ Provides the NETLOGON service (actually a collection of services that runs over
+ a number of protocols. These include the LanMan Logon service, the Netlogon service,
+ the Local Security Account service, and variations of them)
+ </p></li><li><p>
+ Provides a share called NETLOGON
+ </p></li></ul></div><p>
+For Samba to provide these is rather easy to configure. Each Samba Domain Controller must provide
+the NETLOGON service which Samba calls the <a class="indexterm" name="id2887666"></a><i class="parameter"><tt>domain logons</tt></i> functionality
+(after the name of the parameter in the <tt class="filename">smb.conf</tt> file). Additionally, one (1) server in a Samba-3
+Domain must advertise itself as the domain master browser<sup>[<a name="id2887690" href="#ftn.id2887690">2</a>]</sup>. This causes the Primary Domain Controller
+to claim domain specific NetBIOS name that identifies it as a domain master browser for its given
+domain/workgroup. Local master browsers in the same domain/workgroup on broadcast-isolated subnets
+then ask for a complete copy of the browse list for the whole wide area network. Browser clients
+will then contact their local master browser, and will receive the domain-wide browse list,
+instead of just the list for their broadcast-isolated subnet.
+</p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2887717"></a>Domain Control - Example Configuration</h2></div></div><div></div></div><p>
+The first step in creating a working Samba PDC is to understand the parameters necessary
+in <tt class="filename">smb.conf</tt>. An example <tt class="filename">smb.conf</tt> for acting as a PDC can be found in the example
+<a href="samba-pdc.html#pdc-example" title="Example 5.1. smb.conf for being a PDC">for being a PDC</a>.
+</p><p>
+</p><div class="example"><a name="pdc-example"></a><p class="title"><b>Example 5.1. smb.conf for being a PDC</b></p><table class="simplelist" border="0" summary="Simple list"><tr><td> </td></tr><tr><td><i class="parameter"><tt>[global]</tt></i></td></tr><tr><td><i class="parameter"><tt>netbios name = BELERIAND</tt></i></td></tr><tr><td><i class="parameter"><tt>workgroup = MIDEARTH</tt></i></td></tr><tr><td><i class="parameter"><tt>passdb backend = ldapsam, guest</tt></i></td></tr><tr><td><i class="parameter"><tt>os level = 33</tt></i></td></tr><tr><td><i class="parameter"><tt>preferred master = yes</tt></i></td></tr><tr><td><i class="parameter"><tt>domain master = yes</tt></i></td></tr><tr><td><i class="parameter"><tt>local master = yes</tt></i></td></tr><tr><td><i class="parameter"><tt>security = user</tt></i></td></tr><tr><td><i class="parameter"><tt>encrypt passwords = yes</tt></i></td></tr><tr><td><i class="parameter"><tt>domain logons = yes</tt></i></td></tr><tr><td><i class="parameter"><tt>logon path = \\%N\profiles\%u</tt></i></td></tr><tr><td><i class="parameter"><tt>logon drive = H:</tt></i></td></tr><tr><td><i class="parameter"><tt>logon home = \\homeserver\%u\winprofile</tt></i></td></tr><tr><td><i class="parameter"><tt>logon script = logon.cmd</tt></i></td></tr><tr><td> </td></tr><tr><td><i class="parameter"><tt>[netlogon]</tt></i></td></tr><tr><td><i class="parameter"><tt>path = /var/lib/samba/netlogon</tt></i></td></tr><tr><td><i class="parameter"><tt>read only = yes</tt></i></td></tr><tr><td><i class="parameter"><tt>write list = ntadmin</tt></i></td></tr><tr><td> </td></tr><tr><td><i class="parameter"><tt>[profiles]</tt></i></td></tr><tr><td><i class="parameter"><tt>path = /var/lib/samba/profiles</tt></i></td></tr><tr><td><i class="parameter"><tt>read only = no</tt></i></td></tr><tr><td><i class="parameter"><tt>create mask = 0600</tt></i></td></tr><tr><td><i class="parameter"><tt>directory mask = 0700</tt></i></td></tr></table></div><p>
+</p><p>
+The basic options shown above are explained as follows:
+</p><div class="variablelist"><dl><dt><span class="term">passdb backend</span></dt><dd><p>
+ This contains all the user and group account information. Acceptable values for a PDC
+ are: <span class="emphasis"><em>smbpasswd, tdbsam, ldapsam</em></span>. The 'guest' entry provides needed
+ default accounts.</p><p>
+ Where is is intended to use backup domain controllers (BDCs) the only logical choice is
+ to use LDAP so that the passdb backend can be distributed. The tdbsam and smbpasswd files
+ can not effectively be distributed and therefore should not be used.
+ </p></dd><dt><span class="term">Domain Control Parameters</span></dt><dd><p>
+ The parameters <span class="emphasis"><em>os level, preferred master, domain master, security,
+ encrypt passwords, domain logons</em></span> play a central role in assuring domain
+ control and network logon support.</p><p>
+ The <span class="emphasis"><em>os level</em></span> must be set at or above a value of 32. A domain controller
+ must be the domain master browser, must be set in <span class="emphasis"><em>user</em></span> mode security,
+ must support Microsoft compatible encrypted passwords, and must provide the network logon
+ service (domain logons). Encrypted passwords must be enabled, for more details on how
+ to do this, refer to <a href="passdb.html" title="Chapter 11. Account Information Databases">the chapter on account information databases</a>.
+ </p></dd><dt><span class="term">Environment Parameters</span></dt><dd><p>
+ The parameters <span class="emphasis"><em>logon path, logon home, logon drive, logon script</em></span> are
+ environment support settings that help to facilitate client logon operations and that help
+ to provide automated control facilities to ease network management overheads. Please refer
+ to the man page information for these parameters.
+ </p></dd><dt><span class="term">NETLOGON Share</span></dt><dd><p>
+ The NETLOGON share plays a central role in domain logon and domain membership support.
+ This share is provided on all Microsoft domain controllers. It is used to provide logon
+ scripts, to store Group Policy files (NTConfig.POL), as well as to locate other common
+ tools that may be needed for logon processing. This is an essential share on a domain controller.
+ </p></dd><dt><span class="term">PROFILE Share</span></dt><dd><p>
+ This share is used to store user desktop profiles. Eash user must have a directory at the root
+ of this share. This directory must be write enabled for the user and must be globally read enabled.
+ Samba-3 has a VFS module called 'fake_permissions' that may be installed on this share. This will
+ allow a Samba administrator to make the directory read only to everyone. Of course this is useful
+ only after the profile has been properly created.
+ </p></dd></dl></div><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>
+The above parameters make for a full set of parameters that may define the server's mode
+of operation. The following <tt class="filename">smb.conf</tt> parameters are the essentials alone:
+</p><p>
+</p><table class="simplelist" border="0" summary="Simple list"><tr><td><i class="parameter"><tt>netbios name = BELERIAND</tt></i></td></tr><tr><td><i class="parameter"><tt>workgroup = MIDEARTH</tt></i></td></tr><tr><td><i class="parameter"><tt>domain logons = Yes</tt></i></td></tr><tr><td><i class="parameter"><tt>domain master = Yes</tt></i></td></tr><tr><td><i class="parameter"><tt>security = User</tt></i></td></tr></table><p>
+</p><p>
+The additional parameters shown in the longer listing above just makes for
+more complete explanation.
+</p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2888205"></a>Samba ADS Domain Control</h2></div></div><div></div></div><p>
+Samba-3 is not, and can not act as, an Active Directory Server. It can not truly function as
+an Active Directory Primary Domain Controller. The protocols for some of the functionality
+the Active Directory Domain Controllers has been partially implemented on an experimental
+only basis. Please do NOT expect Samba-3 to support these protocols. Do not depend
+on any such functionality either now or in the future. The Samba-Team may remove these
+experimental features or may change their behaviour. This is mentioned for the benefit of those
+who have discovered secret capabilities in samba-3 and who have asked when this functionality will be
+completed. The answer is: Maybe or maybe never!
+</p><p>
+To be sure: Samba-3 is designed to provide most of the functionality that Microsoft Windows NT4 style
+domain controllers have. Samba-3 does NOT have all the capabilities of Windows NT4, but it does have
+a number of features that Windows NT4 domain contollers do not have. In short, Samba-3 is not NT4 and it
+is not Windows Server 200x and it is not an Active Directory server. We hope this is plain and simple
+enough for all to understand.
+</p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2888257"></a>Domain and Network Logon Configuration</h2></div></div><div></div></div><p>
+The subject of Network or Domain Logons is discussed here because it forms
+an integral part of the essential functionality that is provided by a Domain Controller.
+</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2888272"></a>Domain Network Logon Service</h3></div></div><div></div></div><p>
+All Domain Controllers must run the netlogon service (<span class="emphasis"><em>domain logons</em></span>
+in Samba). One Domain Controller must be configured with <a class="indexterm" name="id2888289"></a><i class="parameter"><tt>domain master</tt></i> = Yes
+(the Primary Domain Controller); on ALL Backup Domain Controllers <a class="indexterm" name="id2888305"></a><i class="parameter"><tt>domain master</tt></i> = No
+must be set.
+</p><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2888321"></a>Example Configuration</h4></div></div><div></div></div><div class="example"><a name="id2888328"></a><p class="title"><b>Example 5.2. smb.conf for being a PDC</b></p><table class="simplelist" border="0" summary="Simple list"><tr><td> </td></tr><tr><td><i class="parameter"><tt>[global]</tt></i></td></tr><tr><td><i class="parameter"><tt>domain logons = Yes</tt></i></td></tr><tr><td><i class="parameter"><tt>domain master = (Yes on PDC, No on BDCs)</tt></i></td></tr><tr><td> </td></tr><tr><td><i class="parameter"><tt>[netlogon]</tt></i></td></tr><tr><td><i class="parameter"><tt>comment = Network Logon Service</tt></i></td></tr><tr><td><i class="parameter"><tt>path = /var/lib/samba/netlogon</tt></i></td></tr><tr><td><i class="parameter"><tt>guest ok = Yes</tt></i></td></tr><tr><td><i class="parameter"><tt>browseable = No</tt></i></td></tr></table></div></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2888412"></a>The Special Case of MS Windows XP Home Edition</h4></div></div><div></div></div><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>
+MS Windows XP Home Edition does not have the ability to join any type of Domain
+security facility. Unlike, MS Windows 9x / Me, MS Windows XP Home Edition also completely
+lacks the ability to log onto a network.
+</p></div><p>
+To be completely clear: If you want MS Windows XP Home Edition to integrate with your
+MS Windows NT4 or Active Directory Domain security understand - IT CAN NOT BE DONE.
+Your only choice is to buy the upgrade pack from MS Windows XP Home Edition to
+MS Windows XP Professional.
+</p><p>
+Now that this has been said, please do NOT ask the mailing list, or email any of the
+Samba-Team members with your questions asking how to make this work. It can't be done.
+If it can be done, then to do so would violate your software license agreement with
+Microsoft, and we recommend that you do not do that.
+</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2888450"></a>The Special Case of Windows 9x / Me</h4></div></div><div></div></div><p>
+A domain and a workgroup are exactly the same in terms of network
+browsing. The difference is that a distributable authentication
+database is associated with a domain, for secure login access to a
+network. Also, different access rights can be granted to users if they
+successfully authenticate against a domain logon server. Samba-3 does this
+now in the same way that MS Windows NT/2K.
+</p><p>
+The SMB client logging on to a domain has an expectation that every other
+server in the domain should accept the same authentication information.
+Network browsing functionality of domains and workgroups is identical and
+is explained in this documentation under the browsing discussions.
+It should be noted, that browsing is totally orthogonal to logon support.
+</p><p>
+Issues related to the single-logon network model are discussed in this
+section. Samba supports domain logons, network logon scripts, and user
+profiles for MS Windows for workgroups and MS Windows 9X/ME clients
+which are the focus of this section.
+</p><p>
+When an SMB client in a domain wishes to logon, it broadcasts requests for a
+logon server. The first one to reply gets the job, and validates its
+password using whatever mechanism the Samba administrator has installed.
+It is possible (but ill advised ) to create a domain where the user
+database is not shared between servers, i.e. they are effectively workgroup
+servers advertising themselves as participating in a domain. This
+demonstrates how authentication is quite different from but closely
+involved with domains.
+</p><p>
+Using these features you can make your clients verify their logon via
+the Samba server; make clients run a batch file when they logon to
+the network and download their preferences, desktop and start menu.
+</p><p><span class="emphasis"><em>
+MS Windows XP Home edition is NOT able to join a domain and does not permit
+the use of domain logons.
+</em></span></p><p>
+Before launching into the configuration instructions, it is
+worthwhile to look at how a Windows 9x/ME client performs a logon:
+</p><div class="orderedlist"><ol type="1"><li><p>
+ The client broadcasts (to the IP broadcast address of the subnet it is in)
+ a NetLogon request. This is sent to the NetBIOS name DOMAIN&lt;#1c&gt; at the
+ NetBIOS layer. The client chooses the first response it receives, which
+ contains the NetBIOS name of the logon server to use in the format of
+ <tt class="filename">\\SERVER</tt>.
+ </p></li><li><p>
+ The client then connects to that server, logs on (does an SMBsessetupX) and
+ then connects to the IPC$ share (using an SMBtconX).
+ </p></li><li><p>
+ The client then does a NetWkstaUserLogon request, which retrieves the name
+ of the user's logon script.
+ </p></li><li><p>
+ The client then connects to the NetLogon share and searches for said script
+ and if it is found and can be read, is retrieved and executed by the client.
+ After this, the client disconnects from the NetLogon share.
+ </p></li><li><p>
+ The client then sends a NetUserGetInfo request to the server, to retrieve
+ the user's home share, which is used to search for profiles. Since the
+ response to the NetUserGetInfo request does not contain much more than
+ the user's home share, profiles for Win9X clients MUST reside in the user
+ home directory.
+ </p></li><li><p>
+ The client then connects to the user's home share and searches for the
+ user's profile. As it turns out, you can specify the user's home share as
+ a sharename and path. For example, <tt class="filename">\\server\fred\.winprofile</tt>.
+ If the profiles are found, they are implemented.
+ </p></li><li><p>
+ The client then disconnects from the user's home share, and reconnects to
+ the NetLogon share and looks for <tt class="filename">CONFIG.POL</tt>, the policies file. If this is
+ found, it is read and implemented.
+ </p></li></ol></div><p>
+The main difference between a PDC and a Windows 9x logon server configuration is that
+</p><div class="itemizedlist"><ul type="disc"><li><p>
+ Password encryption is not required for a Windows 9x logon server. But note
+ that beginning with MS Windows 98 the default setting is that plain-text
+ password support is disabled. It can be re-enabled with the registry
+ changes that are documented in the chapter on Policies.
+ </p></li><li><p>
+ Windows 9x/ME clients do not require and do not use machine trust accounts.
+ </p></li></ul></div><p>
+A Samba PDC will act as a Windows 9x logon server; after all, it does provide the
+network logon services that MS Windows 9x / Me expect to find.
+</p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>
+Use of plain-text passwords is strongly discouraged. Where used they are easily detected
+using a sniffer tool to examine network traffic.
+</p></div></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2888704"></a>Security Mode and Master Browsers</h3></div></div><div></div></div><p>
+There are a few comments to make in order to tie up some
+loose ends. There has been much debate over the issue of whether
+or not it is ok to configure Samba as a Domain Controller in security
+modes other than <tt class="constant">USER</tt>. The only security mode
+which will not work due to technical reasons is <tt class="constant">SHARE</tt>
+mode security. <tt class="constant">DOMAIN</tt> and <tt class="constant">SERVER</tt>
+mode security are really just a variation on SMB user level security.
+</p><p>
+Actually, this issue is also closely tied to the debate on whether
+or not Samba must be the domain master browser for its workgroup
+when operating as a DC. While it may technically be possible
+to configure a server as such (after all, browsing and domain logons
+are two distinctly different functions), it is not a good idea to do
+so. You should remember that the DC must register the DOMAIN&lt;#1b&gt; NetBIOS
+name. This is the name used by Windows clients to locate the DC.
+Windows clients do not distinguish between the DC and the DMB.
+A DMB is a Domain Master Browser - see <a href="NetworkBrowsing.html#DMB" title="Setting up WORKGROUP Browsing">Domain Master Browser</a>.
+For this reason, it is very wise to configure the Samba DC as the DMB.
+</p><p>
+Now back to the issue of configuring a Samba DC to use a mode other
+than <a class="indexterm" name="id2888773"></a><i class="parameter"><tt>security</tt></i> = user. If a Samba host is configured to use
+another SMB server or DC in order to validate user connection
+requests, then it is a fact that some other machine on the network
+(the <a class="indexterm" name="id2888790"></a><i class="parameter"><tt>password server</tt></i>) knows more about the user than the Samba host.
+99% of the time, this other host is a domain controller. Now
+in order to operate in domain mode security, the <a class="indexterm" name="id2888808"></a><i class="parameter"><tt>workgroup</tt></i> parameter
+must be set to the name of the Windows NT domain (which already
+has a domain controller). If the domain does NOT already have a Domain Controller
+then you do not yet have a Domain!
+</p><p>
+Configuring a Samba box as a DC for a domain that already by definition has a
+PDC is asking for trouble. Therefore, you should always configure the Samba DC
+to be the DMB for its domain and set <a class="indexterm" name="id2888832"></a><i class="parameter"><tt>security</tt></i> = user.
+This is the only officially supported mode of operation.
+</p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2888850"></a>Common Errors</h2></div></div><div></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2888857"></a>'$' cannot be included in machine name</h3></div></div><div></div></div><p>
+A 'machine account', (typically) stored in <tt class="filename">/etc/passwd</tt>,
+takes the form of the machine name with a '$' appended. FreeBSD (and other BSD
+systems?) won't create a user with a '$' in their name.
+</p><p>
+The problem is only in the program used to make the entry. Once made, it works perfectly.
+Create a user without the '$'. Then use <b class="command">vipw</b> to edit the entry, adding
+the '$'. Or create the whole entry with vipw if you like; make sure you use a unique User ID!
+</p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>
+The UNIX tool <b class="command">vipw</b> is a common tool for directly editting the <tt class="filename">/etc/passwd</tt> file.
+</p></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2888916"></a>Joining domain fails because of existing machine account</h3></div></div><div></div></div><p>&#8220;<span class="quote">I get told &quot;You already have a connection to the Domain....&quot;
+or &quot;Cannot join domain, the credentials supplied conflict with an
+existing set..&quot; when creating a machine trust account.</span>&#8221;</p><p>
+This happens if you try to create a machine trust account from the
+machine itself and already have a connection (e.g. mapped drive)
+to a share (or IPC$) on the Samba PDC. The following command
+will remove all network drive connections:
+</p><pre class="screen">
+<tt class="prompt">C:\&gt; </tt><b class="userinput"><tt>net use * /d</tt></b>
+</pre><p>
+Further, if the machine is already a 'member of a workgroup' that
+is the same name as the domain you are joining (bad idea) you will
+get this message. Change the workgroup name to something else, it
+does not matter what, reboot, and try again.
+</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2888975"></a>The system can not log you on (C000019B)....</h3></div></div><div></div></div><p>&#8220;<span class="quote">I joined the domain successfully but after upgrading
+to a newer version of the Samba code I get the message, <span class="errorname">The system
+can not log you on (C000019B), Please try again or consult your
+system administrator</span> when attempting to logon.</span>&#8221;
+</p><p>
+This occurs when the domain SID stored in the secrets.tdb database
+is changed. The most common cause of a change in domain SID is when
+the domain name and/or the server name (NetBIOS name) is changed.
+The only way to correct the problem is to restore the original domain
+SID or remove the domain client from the domain and rejoin. The domain
+SID may be reset using either the net or rpcclient utilities.
+</p><p>
+The reset or change the domain SID you can use the net command as follows:
+
+</p><pre class="screen">
+<tt class="prompt">root# </tt><b class="userinput"><tt>net getlocalsid 'OLDNAME'</tt></b>
+<tt class="prompt">root# </tt><b class="userinput"><tt>net setlocalsid 'SID'</tt></b>
+</pre><p>
+</p><p>
+Workstation machine trust accounts work only with the Domain (or network) SID. If this SID changes
+then domain members (workstations) will not be able to log onto the domain. The original Domain SID
+can be recovered from the secrets.tdb file. The alternative is to visit each workstation to re-join
+it to the domain.
+</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2889059"></a>The machine trust account not accessible</h3></div></div><div></div></div><p>
+ &#8220;<span class="quote">When I try to join the domain I get the message <span class="errorname">The machine account
+for this computer either does not exist or is not accessible</span>. What's
+wrong?</span>&#8221;
+</p><p>
+This problem is caused by the PDC not having a suitable machine trust account.
+If you are using the <a class="indexterm" name="id2889085"></a><i class="parameter"><tt>add machine script</tt></i> method to create
+accounts then this would indicate that it has not worked. Ensure the domain
+admin user system is working.
+</p><p>
+Alternatively if you are creating account entries manually then they
+have not been created correctly. Make sure that you have the entry
+correct for the machine trust account in <tt class="filename">smbpasswd</tt> file on the Samba PDC.
+If you added the account using an editor rather than using the smbpasswd
+utility, make sure that the account name is the machine NetBIOS name
+with a '$' appended to it ( i.e. computer_name$ ). There must be an entry
+in both /etc/passwd and the smbpasswd file.
+</p><p>
+Some people have also reported
+that inconsistent subnet masks between the Samba server and the NT
+client can cause this problem. Make sure that these are consistent
+for both client and server.
+</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2889131"></a>Account disabled</h3></div></div><div></div></div><p>&#8220;<span class="quote">When I attempt to login to a Samba Domain from a NT4/W2K workstation,
+ I get a message about my account being disabled.</span>&#8221;</p><p>
+Enable the user accounts with <b class="userinput"><tt>smbpasswd -e <i class="replaceable"><tt>username</tt></i>
+</tt></b>, this is normally done as an account is created.
+</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2889164"></a>Domain Controller Unavailable</h3></div></div><div></div></div><p>&#8220;<span class="quote">Until a few minutes after Samba has started, clients get the error &quot;Domain Controller Unavailable&quot;</span>&#8221;</p><p>
+ A domain controller has to announce on the network who it is. This usually takes a while.
+ </p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2889186"></a>Can not log onto domain member workstation after joining domain</h3></div></div><div></div></div><p>After successfully joining the domain user logons fail with one of two messages:</p><p>One to the effect that the domain controller can not be found, the other claiming that the
+ account does not exist in the domain or that the password is incorrect.</p><p>This may be due to incompatible settings between
+ the Windows client and the Samba-3 server for <span class="emphasis"><em>schannel</em></span> (secure channel) settings
+ or <span class="emphasis"><em>smb signing</em></span> settings. Check your samba settings for <span class="emphasis"><em>
+ client schannel, server schannel, client signing, server signing</em></span> by executing:
+ <b class="command">testparm -v | more</b> and looking for the value of these parameters.
+ </p><p>
+ Also use the Microsoft Management Console - Local Security Settings. This tool is available from the
+ Control Panel. The Policy settings are found in the Local Policies / Securty Options area and are prefixed by
+ <span class="emphasis"><em>Secure Channel: ..., and Digitally sign ...</em></span>.
+ </p><p>
+ It is important that these be set consistently with the Samba-3 server settings.
+ </p></div></div><div class="footnotes"><br><hr width="100" align="left"><div class="footnote"><p><sup>[<a name="ftn.id2887167" href="#id2887167">1</a>] </sup>See also <a href="passdb.html" title="Chapter 11. Account Information Databases">the chapter on Account Information Databases</a>.</p></div><div class="footnote"><p><sup>[<a name="ftn.id2887690" href="#id2887690">2</a>] </sup>See also <a href="NetworkBrowsing.html" title="Chapter 10. Samba / MS Windows Network Browsing Guide">the chapter about network browsing</a></p></div></div></div><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="ServerType.html">Prev</a> </td><td width="20%" align="center"><a accesskey="u" href="type.html">Up</a></td><td width="40%" align="right"> <a accesskey="n" href="samba-bdc.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top">Chapter 4. Server Types and Security Modes </td><td width="20%" align="center"><a accesskey="h" href="samba-doc.html">Home</a></td><td width="40%" align="right" valign="top"> Chapter 6. Backup Domain Control</td></tr></table></div></body></html>