docs/docbook/projdoc/ADS-HOWTO.sgml          | 40
docs/docbook/projdoc/DOMAIN_MEMBER.sgml      | 33
docs/docbook/projdoc/Diagnosis.sgml          | 46
docs/docbook/projdoc/NetworkBrowsing.sgml    |  2
docs/docbook/projdoc/Samba-PDC-HOWTO.sgml    | 82
docs/docbook/projdoc/security_level.sgml     | 13
6 files changed, 150 insertions, 66 deletions
diff --git a/docs/docbook/projdoc/ADS-HOWTO.sgml b/docs/docbook/projdoc/ADS-HOWTO.sgml index c36f150112..1ee0ab1962 100644 --- a/docs/docbook/projdoc/ADS-HOWTO.sgml +++ b/docs/docbook/projdoc/ADS-HOWTO.sgml @@ -19,16 +19,16 @@ Windows2000 KDC. <para>You must use at least the following 3 options in smb.conf:</para> <para><programlisting> - realm = YOUR.KERBEROS.REALM - security = ADS - encrypt passwords = yes + realm = YOUR.KERBEROS.REALM + security = ADS + encrypt passwords = yes </programlisting></para> <para> In case samba can't figure out your ads server using your realm name, use the <command>ads server</command> option in <filename>smb.conf</filename>: <programlisting> - ads server = your.kerberos.server + ads server = your.kerberos.server </programlisting> </para> @@ -49,10 +49,10 @@ In case samba can't figure out your ads server using your realm name, use the <para>The minimal configuration for <filename>krb5.conf</filename> is:</para> <para><programlisting> -[realms] - YOUR.KERBEROS.REALM = { - kdc = your.kerberos.server - } + [realms] + YOUR.KERBEROS.REALM = { + kdc = your.kerberos.server + } </programlisting></para> <para>Test your config by doing a <userinput>kinit @@ -98,7 +98,9 @@ is only needed if you want kerberos support for &smbd; and &winbindd;. <para> As a user that has write permission on the Samba private directory (usually root) run: -<userinput>net ads join</userinput> +<programlisting> + <userinput>net join -U Administrator%password</userinput> +</programlisting> </para> <sect2> 
@@ -106,16 +108,16 @@ As a user that has write permission on the Samba private directory <para> <variablelist> -<varlistentry><term>"ADS support not compiled in"</term> -<listitem><para>Samba must be reconfigured (remove config.cache) and recompiled -(make clean all install) after the kerberos libs and headers are installed. -</para></listitem></varlistentry> - -<varlistentry><term>net ads join prompts for user name</term> -<listitem><para>You need to login to the domain using <userinput>kinit -<replaceable>USERNAME</replaceable>@<replaceable>REALM</replaceable></userinput>. -<replaceable>USERNAME</replaceable> must be a user who has rights to add a machine -to the domain. </para></listitem></varlistentry> + <varlistentry><term>"ADS support not compiled in"</term> + <listitem><para>Samba must be reconfigured (remove config.cache) and recompiled + (make clean all install) after the kerberos libs and headers are installed. + </para></listitem></varlistentry> + + <varlistentry><term>net join prompts for user name</term> + <listitem><para>You need to login to the domain using <userinput>kinit + <replaceable>USERNAME</replaceable>@<replaceable>REALM</replaceable></userinput>. + <replaceable>USERNAME</replaceable> must be a user who has rights to add a machine + to the domain. </para></listitem></varlistentry> </variablelist> </para> diff --git a/docs/docbook/projdoc/DOMAIN_MEMBER.sgml b/docs/docbook/projdoc/DOMAIN_MEMBER.sgml index 9470688089..cd4168e446 100644 --- a/docs/docbook/projdoc/DOMAIN_MEMBER.sgml +++ b/docs/docbook/projdoc/DOMAIN_MEMBER.sgml 
@@ -12,15 +12,18 @@ <sect1> <title>Joining an NT Domain with Samba 3.0</title> +<!--changed by RS: IMHO, this would read better and be easier to reference as a listrather than written out in paragraph form--> + <para> + <variablelist> + <varlistentry><term>"Assumptions:"</term> + <listitem>NetBIOS name: <constant>SERV1</constant></listitem> + <listitem>Win2K/NT domain name: <constant>DOM</constant></listitem> + <listitem>Domain's PDC NetBIOS name: <constant>DOMPDC</constant></listitem> + <listitem>Domain's BDC NetBIOS names: <constant>DOMBDC1</constant> and <constant>DOMBDC2</constant></listitem> + </variablelist> + </para> - <para>Assume you have a Samba 3.0 server with a NetBIOS name of - <constant>SERV1</constant> and are joining a Win2k or NT domain called - <constant>DOM</constant>, which has a PDC with a NetBIOS name - of <constant>DOMPDC</constant> and two backup domain controllers - with NetBIOS names <constant>DOMBDC1</constant> and <constant>DOMBDC2 - </constant>.</para> - - <para>Firstly, you must edit your &smb.conf; file to tell Samba it should + <para>First, you must edit your &smb.conf; file to tell Samba it should now use domain security.</para> <para>Change (or add) your <ulink url="smb.conf.5.html#SECURITY"> @@ -66,9 +69,14 @@ <para>In order to actually join the domain, you must run this command:</para> - <para><prompt>root# </prompt><userinput>net rpc join -S DOMPDC + <para><prompt>root# </prompt><userinput>net join -S DOMPDC -U<replaceable>Administrator%password</replaceable></userinput></para> + <para> + If the <userinput>-S DOMPDC</userinput> argument is not given then + the domain name will be obtained from smb.conf. + </para> + <para>as we are joining the domain DOM and the PDC for that domain (the only machine that has write access to the domain SAM database) is DOMPDC. The <replaceable>Administrator%password</replaceable> is 
@@ -83,7 +91,7 @@ <para>in your terminal window. See the <ulink url="net.8.html"> net(8)</ulink> man page for more details.</para> - <para>This process joins the server to thedomain + <para>This process joins the server to the domain without having to create the machine trust account on the PDC beforehand.</para> @@ -120,8 +128,7 @@ <para>Please refer to the <ulink url="winbind.html">Winbind paper</ulink> for information on a system to automatically assign UNIX uids and gids to Windows NT Domain users and groups. - This code is available in development branches only at the moment, - but will be moved to release branches soon.</para> + </para> <para>The advantage to domain-level security is that the authentication in domain-level security is passed down the authenticated @@ -129,7 +136,7 @@ means Samba servers now participate in domain trust relationships in exactly the same way NT servers do (i.e., you can add Samba servers into a resource domain and have the authentication passed on from a resource - domain PDC to an account domain PDC.</para> + domain PDC to an account domain PDC).</para> <para>In addition, with <command>security = server</command> every Samba daemon on a server has to keep a connection open to the diff --git a/docs/docbook/projdoc/Diagnosis.sgml b/docs/docbook/projdoc/Diagnosis.sgml index 9ab95dad86..1ca15d189a 100644 --- a/docs/docbook/projdoc/Diagnosis.sgml +++ b/docs/docbook/projdoc/Diagnosis.sgml 
@@ -20,13 +20,15 @@ then it is probably working fine. <para> You should do ALL the tests, in the order shown. We have tried to carefully choose them so later tests only use capabilities verified in -the earlier tests. +the earlier tests. However, do not stop at the first error as there +have been some instances when continuing with the tests has helped +to solve a problem. </para> <para> If you send one of the samba mailing lists an email saying "it doesn't work" and you have not followed this test procedure then you should not be surprised -your email is ignored. +if your email is ignored. </para> </sect1> @@ -46,7 +48,7 @@ The procedure is similar for other types of clients. <para> It is also assumed you know the name of an available share in your &smb.conf;. I will assume this share is called <replaceable>tmp</replaceable>. -You can add a <replaceable>tmp</replaceable> share like by adding the +You can add a <replaceable>tmp</replaceable> share like this by adding the following to &smb.conf;: </para> @@ -61,12 +63,13 @@ following to &smb.conf;: </para> <note><para> -These tests assume version 3.0 or later of the samba suite. Some commands shown did not exist in earlier versions. +These tests assume version 3.0 or later of the samba suite. +Some commands shown did not exist in earlier versions. </para></note> <para> Please pay attention to the error messages you receive. If any error message -reports that your server is being unfriendly you should first check that you +reports that your server is being unfriendly you should first check that your IP name resolution is correctly set up. eg: Make sure your <filename>/etc/resolv.conf</filename> file points to name servers that really do exist. </para> 
@@ -77,6 +80,21 @@ that the settings for your &smb.conf; file results in <command>dns proxy = no</c best way to check this is with <userinput>testparm smb.conf</userinput>. </para> +<para> +It is helpful to monitor the log files during testing by using the +<command>tail -F <replaceable>log_file_name</replaceable> in a separate +terminal console (use ctrl-alt-F1 through F6 or multiple terminals in X). +Relevant log files can be found (for default installations) in +<filename>/usr/local/samba/var</filename>. Also, connection logs from +machines can be found here or possibly in <filename>/var/log/samba</filename> +depending on how or if you specified logging in your &smb.conf; file. +</para> + +<para> +If you make changes to your &smb.conf; file while going through these test, +don't forget to restart &smbd; and &nmbd;. +</para> + </sect1> <sect1> @@ -124,6 +142,11 @@ software. You will need to relax the rules to let in the workstation in question, perhaps by allowing access from another subnet (on Linux this is done via the <application>ipfwadm</application> program.) </para> + +<para> +Note: Modern Linux distributions install ipchains/iptables by default. +This is a common problem that is often overlooked. +</para> </step> <step performance="required"> @@ -149,6 +172,13 @@ it is running, and check that the netbios-ssn port is in a LISTEN state using <userinput>netstat -a</userinput>. </para> +<note><para> +Some Unix / Linux systems use <command>xinetd</command> in place of +<command>inetd</command>. Check your system documentation for the location +of the control file/s for your particular system implementation of +this network super daemon. +</para></note> + <para> If you get a "session request failed" then the server refused the connection. If it says "Your server software is being unfriendly" then 
@@ -265,7 +295,7 @@ hosts. <para> If this doesn't give a similar result to the previous test then nmblookup isn't correctly getting your broadcast address through its -automatic mechanism. In this case you should experiment use the +automatic mechanism. In this case you should experiment with the <command>interfaces</command> option in &smb.conf; to manually configure your IP address, broadcast and netmask. </para> @@ -358,7 +388,7 @@ when you type <command>dir</command>. <step performance="required"> <para> -On the PC type the command <userinput>net view \\BIGSERVER</userinput>. You will +On the PC, type the command <userinput>net view \\BIGSERVER</userinput>. You will need to do this from within a "dos prompt" window. You should get back a list of available shares on the server. </para> @@ -463,7 +493,7 @@ an election is held at startup. <step performance="required"> <para> -From file manager try to browse the server. Your samba server should +>From file manager try to browse the server. Your samba server should appear in the browse list of your local workgroup (or the one you specified in smb.conf). You should be able to double click on the name of the server and get a list of shares. If you get a "invalid diff --git a/docs/docbook/projdoc/NetworkBrowsing.sgml b/docs/docbook/projdoc/NetworkBrowsing.sgml index e8d1b40710..29768ea42a 100644 --- a/docs/docbook/projdoc/NetworkBrowsing.sgml +++ b/docs/docbook/projdoc/NetworkBrowsing.sgml @@ -8,7 +8,7 @@ <title>Samba / MS Windows Network Browsing Guide</title> <para> -This document contains detailed informataion as well as a fast track guide to +This document contains detailed information as well as a fast track guide to implementing browsing across subnets and / or across workgroups (or domains). WINS is the best tool for resolution of NetBIOS names to IP addesses. WINS is NOT involved in browse list handling except by way of name to address resolution. 
diff --git a/docs/docbook/projdoc/Samba-PDC-HOWTO.sgml b/docs/docbook/projdoc/Samba-PDC-HOWTO.sgml index 7295a15875..be7a6d5201 100644 --- a/docs/docbook/projdoc/Samba-PDC-HOWTO.sgml +++ b/docs/docbook/projdoc/Samba-PDC-HOWTO.sgml @@ -169,6 +169,11 @@ Here is an example &smb.conf; for acting as a PDC: <ulink url="smb.conf.5.html#NETBIOSNAME">netbios name</ulink> = <replaceable>POGO</replaceable> <ulink url="smb.conf.5.html#WORKGROUP">workgroup</ulink> = <replaceable>NARNIA</replaceable> + ; User and Machine Account Backends + ; Choices are: tdbsam, tdbsam_nua, smbpasswd, smbpasswd_nua, ldapsam, ldapsam_nua, ... + ; mysqlsam, xmlsam, guest + <ulink url="smb.conf.5.html#PASSDBBACKEND">passdb backend</ulink> = ldapsam, guest + ; we should act as the domain and local master browser <ulink url="smb.conf.5.html#OSLEVEL">os level</ulink> = 64 <ulink url="smb.conf.5.html#PERFERREDMASTER">preferred master</ulink> = yes @@ -209,6 +214,20 @@ Here is an example &smb.conf; for acting as a PDC: <ulink url="smb.conf.5.html#DIRECTORYMASK">directory mask</ulink> = 0700 </programlisting></para> +<note><para> +The above parameters make for a full set of parameters that may define the server's mode +of operation. The following parameters are the essentials alone: + +<programlisting> + workgroup = NARNIA + domain logons = Yes + security = User +</programlisting> + +The additional parameters shown in the longer listing above just makes for a +more complete environment. +</para></note> + <para> There are a couple of points to emphasize in the above configuration. </para> 
@@ -264,13 +283,13 @@ shared secret with the domain controller. <para>A Windows PDC stores each machine trust account in the Windows Registry. A Samba-3 PDC also has to store machine trust account information -in a suitable back-end data store. With Samba-3 there can be multiple back-ends +in a suitable backend data store. With Samba-3 there can be multiple back-ends for this including: </para> <itemizedlist> <listitem><para> - <emphasis>smbpaswd</emphasis> - the plain ascii file stored used by + <emphasis>smbpasswd</emphasis> - the plain ascii file stored used by earlier versions of Samba. This file configuration option requires a Unix/Linux system account for EVERY entry (ie: both for user and for machine accounts). This file will be located in the <emphasis>private</emphasis> @@ -311,9 +330,16 @@ for this including: </para></listitem> </itemizedlist> -<para>Read the chapter about the <link linkend="passdb">User Database</link> +<para>Read the chapter about the <link linkend="passdb backend">User Database</link> for details.</para> +<note><para> +The new tdbsam and ldapsam account backends store vastly more information than +smbpasswd is capable of. The new backend database includes capacity to specify +per user settings for many parameters, over-riding global settings given in the +<filename>smb.conf</filename> file. eg: logon drive, logon home, logon path, etc. +</para></note> + <para> A Samba PDC, however, stores each machine trust account in two parts, as follows: 
@@ -420,7 +446,7 @@ the corresponding Unix account. equivalent of creating a machine trust account on a Windows NT PDC using the "Server Manager". From the time at which the account is created to the time which the client joins the domain and changes the password, - your domain is vulnerable to an intruder joining your domain using a + your domain is vulnerable to an intruder joining your domain using a machine with the same NetBIOS name. A PDC inherently trusts members of the domain and will serve out a large degree of user information to such clients. You have been warned! 
@@ -469,20 +495,22 @@ version of Windows. <itemizedlist> <listitem><para><emphasis>Windows 2000</emphasis></para> - <para> When the user elects to join the client to a domain, Windows prompts for - an account and password that is privileged to join the domain. A - Samba administrative account (i.e., a Samba account that has root - privileges on the Samba server) must be entered here; the - operation will fail if an ordinary user account is given. - The password for this account should be - set to a different password than the associated - <filename>/etc/passwd</filename> entry, for security - reasons. </para> - - <para>The session key of the Samba administrative account acts as an + <para> + When the user elects to join the client to a domain, Windows prompts for + an account and password that is privileged to join the domain. A Samba administrative + account (i.e., a Samba account that has root privileges on the Samba server) must be + entered here; the operation will fail if an ordinary user account is given. + The password for this account should be set to a different password than the associated + <filename>/etc/passwd</filename> entry, for security reasons. + </para> + + <para> + The session key of the Samba administrative account acts as an encryption key for setting the password of the machine trust account. The machine trust account will be created on-the-fly, or - updated if it already exists.</para> + updated if it already exists. + </para> + </listitem> <listitem><para><emphasis>Windows NT</emphasis></para> 
@@ -522,11 +550,9 @@ systems?) won't create a user with a '$' in their name. </para> <para> -The problem is only in the program used to make the entry, once -made, it works perfectly. So create a user without the '$' and -use <command>vipw</command> to edit the entry, adding the '$'. Or create -the whole entry with vipw if you like, make sure you use a -unique User ID ! +The problem is only in the program used to make the entry. Once made, it works perfectly. +Create a user without the '$' using <command>vipw</command> to edit the entry, adding +the '$'. Or create the whole entry with vipw if you like, make sure you use a unique User ID! </para> </sect2> @@ -547,7 +573,7 @@ will remove all network drive connections: </para> <para> -Further, if the machine is a already a 'member of a workgroup' that +Further, if the machine is already a 'member of a workgroup' that is the same name as the domain you are joining (bad idea) you will get this message. Change the workgroup name to something else, it does not matter what, reboot, and try again. @@ -569,8 +595,18 @@ is changed. The most common cause of a change in domain SID is when the domain name and/or the server name (netbios name) is changed. The only way to correct the problem is to restore the original domain SID or remove the domain client from the domain and rejoin. The domain -SID may be reset using either the smbpasswd or rpcclient utilities. +SID may be reset using either the net or rpcclient utilities. +</para> + +<para> +The reset or change the domain SID you can use the net command as follows: + +<programlisting> + net getlocalsid 'OLDNAME' + net setlocalsid 'SID' +</programlisting> </para> + </sect2> <sect2> diff --git a/docs/docbook/projdoc/security_level.sgml b/docs/docbook/projdoc/security_level.sgml index e840ff6c17..a59392bbac 100644 --- a/docs/docbook/projdoc/security_level.sgml +++ b/docs/docbook/projdoc/security_level.sgml 
@@ -128,6 +128,13 @@ That real authentication server can be another Samba server or can be a Windows NT server, the later natively capable of encrypted password support. </para> +<note><para> +<emphasis>Server</emphasis> level security is incompatible with what is known +as </empahsis>schannel</emphasis> or "sign and seal" protocols. This means that +if you want to use <empahsis>server</emphasis> level security you must disable +the use of "sign and seal" on all machines on your network. +</para></note> + <sect3> <title>Configuring Samba for Seemless Windows Network Integration</title> @@ -270,7 +277,7 @@ all authentication requests to be passed through to the domain controllers. <title>Samba as a member of an MS Windows NT security domain</title> <para> -This method involves additon of the following paramters in the &smb.conf; file: +This method involves addition of the following parameters in the &smb.conf; file: </para> <para><programlisting> @@ -297,7 +304,9 @@ MS Windows NT security domain. This is done as follows: </para></listitem> <listitem><para>Next, on the Linux system execute: - <command>smbpasswd -r PDC_NAME -j DOMAIN_NAME</command> + <command>smbpasswd -r PDC_NAME -j DOMAIN_NAME</command> (samba 2.x) + + <command>net join -U administrator%password</command> (samba-3) </para></listitem> </itemizedlist> |
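Review bot: In ADS-HOWTO.sgml, hunk @@ -98,7 +98,9 @@, the new join command embeds the password (`net join -U Administrator%password`); a password passed as an argument is visible to every local user in the process list and is written to the shell history. Give `-U Administrator` only and let net prompt, or rely on the kinit ticket that the troubleshooting entry later in the same file still tells the reader to obtain, and wrap the credential in `<replaceable>` as DOMAIN_MEMBER.sgml already does (`-U<replaceable>Administrator%password</replaceable>`).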
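Review bot: In ADS-HOWTO.sgml, hunk @@ -106,16 +108,16 @@, the term is renamed from "net ads join prompts for user name" to "net join prompts for user name" while the body still says to run `kinit USERNAME@REALM` first, which is the Kerberos join path of the original `net ads join`. Whichever command the file settles on, the join step and this troubleshooting term should name the same one; as written the two hunks disagree about whether the join is ticket-based or password-based.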
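Review bot: In DOMAIN_MEMBER.sgml, hunk @@ -12,15 +12,18 @@, the markup is not well-formed: `<varlistentry>` is opened but never closed, the four `<listitem>` elements carry bare text where DocBook requires a block element such as `<para>` inside them, and the editorial comment `<!--changed by RS: ...-->` should not ship with the document. Suggest a lead-in `<para>Assumptions:</para>` followed by an `<itemizedlist>` whose entries are `<listitem><para>NetBIOS name: <constant>SERV1</constant></para></listitem>` and so on.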
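Review bot: In DOMAIN_MEMBER.sgml, hunk @@ -66,9 +69,14 @@, the inserted paragraph about `-S DOMPDC` splits a sentence: the unchanged context "as we are joining the domain DOM and the PDC for that domain ..." is the continuation of the `net join` sentence and now reads as a fragment, so the new paragraph belongs after it. Its wording also needs care: `-S DOMPDC` supplies the server name, not the domain name, so "the domain name will be obtained from smb.conf" should say what net takes from &smb.conf; in place of the server name when `-S` is omitted.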
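Review bot: In Diagnosis.sgml, hunk @@ -77,6 +80,21 @@, `<command>tail -F <replaceable>log_file_name</replaceable>` is never closed, so the rest of the sentence ("in a separate terminal console ...") is rendered as part of the command; add `</command>` directly after the `</replaceable>`. Same hunk: "while going through these test" should read "these tests".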
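Review bot: In Diagnosis.sgml, hunk @@ -463,7 +493,7 @@, the only change is that the line now begins with `>From`. That leading `>` is the escaping mail transports apply to lines starting with "From " and is not meant for the document; the line should stay "From file manager try to browse the server." Drop this hunk.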
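Review bot: In Samba-PDC-HOWTO.sgml, hunk @@ -169,6 +169,11 @@, the example PDC configuration now sets `passdb backend = ldapsam, guest`, which presupposes LDAP connection settings that this hunk does not add. For a configuration readers are expected to copy, either show the LDAP parameters the ldapsam choice depends on alongside it or pick `tdbsam`, which the comment already lists and which needs no further settings.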
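Review bot: In Samba-PDC-HOWTO.sgml, hunk @@ -209,6 +214,20 @@, "The additional parameters shown in the longer listing above just makes for a more complete environment" should read "just make". The note's claim that the three-line listing is "the essentials alone" is fine, but it would help to say that `security = User` is the setting that distinguishes a PDC from a domain member (the `security = domain` form this patch documents elsewhere).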
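Review bot: In Samba-PDC-HOWTO.sgml, hunk @@ -264,13 +283,13 @@, the sentence is changed from "back-end data store" to "backend data store" but the same sentence still says "multiple back-ends"; settle on one spelling (the rest of the patch uses "backend").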
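Review bot: In Samba-PDC-HOWTO.sgml, hunk @@ -311,9 +330,16 @@, `<link linkend="passdb backend">` contains a space, which is not a valid ID token, so the link will not resolve; unless the target's `id` has been changed in the same way (not in this patch), keep `linkend="passdb"`. In the added note, "over-riding" should be "overriding".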
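Review bot: In Samba-PDC-HOWTO.sgml, hunk @@ -420,7 +446,7 @@, the only difference between the removed and added line is whitespace; either drop the hunk or say in the commit message that trailing whitespace is being cleaned up, so reviewers are not left looking for a wording change in the "your domain is vulnerable" sentence.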
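Review bot: In Samba-PDC-HOWTO.sgml, hunk @@ -522,11 +550,9 @@, the rewrite changes the meaning. The original said: create the user without the '$' (with the normal tool), then use vipw to edit the entry and add the '$'. The new sentence, "Create a user without the '$' using <command>vipw</command> to edit the entry, adding the '$'", reads as if vipw is used for the creation step. Suggest: "Create the user without the '$', then use <command>vipw</command> to edit the entry and add the '$'."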
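Review bot: In Samba-PDC-HOWTO.sgml, hunk @@ -569,8 +595,18 @@, "The reset or change the domain SID" should read "To reset or change the domain SID". The listing `net getlocalsid 'OLDNAME'` / `net setlocalsid 'SID'` does not say that OLDNAME is the previous netbios name and SID is the value printed by the first command; mark both as `<replaceable>` and state that, otherwise a reader may paste the literal strings.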
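Review bot: In security_level.sgml, hunk @@ -128,6 +128,13 @@, the added note has broken tags: `</empahsis>schannel</emphasis>` uses a closing tag (misspelled) where an opening `<emphasis>` is needed, and `<empahsis>server</emphasis>` misspells the opening tag; the file will not parse until both read `<emphasis>...</emphasis>`. Since the note tells the reader to disable "sign and seal" on every machine, it should also point to the domain-member configuration this same file describes as the alternative, rather than presenting the network-wide downgrade as the only option.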
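Review bot: In security_level.sgml, hunk @@ -297,7 +304,9 @@, the samba-3 join command `net join -U administrator%password` again places the password on the command line (see the ADS-HOWTO.sgml note above); give `-U administrator` and let net prompt, or at least mark the password portion as `<replaceable>` so it is not read as a literal.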