summaryrefslogtreecommitdiff
path: root/docs/docbook/howto
diff options
context:
space:
mode:
Diffstat (limited to 'docs/docbook/howto')
-rw-r--r--docs/docbook/howto/DOMAIN_MEMBER.sgml163
-rw-r--r--docs/docbook/howto/NT_Security.sgml342
-rw-r--r--docs/docbook/howto/samba-pdc-howto.sgml778
3 files changed, 0 insertions, 1283 deletions
diff --git a/docs/docbook/howto/DOMAIN_MEMBER.sgml b/docs/docbook/howto/DOMAIN_MEMBER.sgml
deleted file mode 100644
index 888b801742..0000000000
--- a/docs/docbook/howto/DOMAIN_MEMBER.sgml
+++ /dev/null
@@ -1,163 +0,0 @@
-<!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook V4.1//EN">
-
-<article>
-
-<sect1>
-
- <title>Joining an NT Domain with Samba 2.2</title>
-
- <para>In order for a Samba-2 server to join an NT domain,
- you must first add the NetBIOS name of the Samba server to the
- NT domain on the PDC using Server Manager for Domains. This creates
- the machine account in the domain (PDC) SAM. Note that you should
- add the Samba server as a "Windows NT Workstation or Server",
- <emphasis>NOT</emphasis> as a Primary or backup domain controller.</para>
-
- <para>Assume you have a Samba-2 server with a NetBIOS name of
- <constant>SERV1</constant> and are joining an NT domain called
- <constant>DOM</constant>, which has a PDC with a NetBIOS name
- of <constant>DOMPDC</constant> and two backup domain controllers
- with NetBIOS names <constant>DOMBDC1</constant> and <constant>DOMBDC2
- </constant>.</para>
-
- <para>In order to join the domain, first stop all Samba daemons
- and run the command:</para>
-
- <para><prompt>root# </prompt><userinput>smbpasswd -j DOM -r DOMPDC
- </userinput></para>
-
- <para>as we are joining the domain DOM and the PDC for that domain
- (the only machine that has write access to the domain SAM database)
- is DOMPDC. If this is successful you will see the message:</para>
-
- <para><computeroutput>smbpasswd: Joined domain DOM.</computeroutput>
- </para>
-
- <para>in your terminal window. See the <ulink url="smbpasswd.8.html">
- smbpasswd(8)</ulink> man page for more details.</para>
-
- <para>This command goes through the machine account password
- change protocol, then writes the new (random) machine account
- password for this Samba server into a file in the same directory
- in which an smbpasswd file would be stored - normally :</para>
-
- <para><filename>/usr/local/samba/private</filename></para>
-
- <para>In Samba 2.0.x, the filename looks like this:</para>
-
- <para><filename><replaceable>&lt;NT DOMAIN NAME&gt;</replaceable>.
- <replaceable>&lt;Samba Server Name&gt;</replaceable>.mac</filename></para>
-
- <para>The <filename>.mac</filename> suffix stands for machine account
- password file. So in our example above, the file would be called:</para>
-
- <para><filename>DOM.SERV1.mac</filename></para>
-
- <para>In Samba 2.2, this file has been replaced with a TDB
- (Trivial Database) file named <filename>secrets.tdb</filename>.
- </para>
-
-
- <para>This file is created and owned by root and is not
- readable by any other user. It is the key to the domain-level
- security for your system, and should be treated as carefully
- as a shadow password file.</para>
-
- <para>Now, before restarting the Samba daemons you must
- edit your <ulink url="smb.conf.5.html"><filename>smb.conf(5)</filename>
- </ulink> file to tell Samba it should now use domain security.</para>
-
- <para>Change (or add) your <ulink url="smb.conf.5.html#SECURITY">
- <parameter>security =</parameter></ulink> line in the [global] section
- of your smb.conf to read:</para>
-
- <para><command>security = domain</command></para>
-
- <para>Next change the <ulink url="smb.conf.5.html#WORKGROUP"><parameter>
- workgroup =</parameter></ulink> line in the [global] section to read: </para>
-
- <para><command>workgroup = DOM</command></para>
-
- <para>as this is the name of the domain we are joining. </para>
-
- <para>You must also have the parameter <ulink url="smb.conf.5.html#ENCRYPTPASSWORDS">
- <parameter>encrypt passwords</parameter></ulink> set to <constant>yes
- </constant> in order for your users to authenticate to the NT PDC.</para>
-
- <para>Finally, add (or modify) a <ulink url="smb.conf.5.html#PASSWORDSERVER">
- <parameter>password server =</parameter></ulink> line in the [global]
- section to read: </para>
-
- <para><command>password server = DOMPDC DOMBDC1 DOMBDC2</command></para>
-
- <para>These are the primary and backup domain controllers Samba
- will attempt to contact in order to authenticate users. Samba will
- try to contact each of these servers in order, so you may want to
- rearrange this list in order to spread out the authentication load
- among domain controllers.</para>
-
- <para>Alternatively, if you want smbd to automatically determine
- the list of Domain controllers to use for authentication, you may
- set this line to be :</para>
-
- <para><command>password server = *</command></para>
-
- <para>This method, which was introduced in Samba 2.0.6,
- allows Samba to use exactly the same mechanism that NT does. This
- method either broadcasts or uses a WINS database in order to
- find domain controllers to authenticate against.</para>
-
- <para>Finally, restart your Samba daemons and get ready for
- clients to begin using domain security!</para>
-</sect1>
-
-<sect1>
- <title>Why is this better than security = server?</title>
-
- <para>Currently, domain security in Samba doesn't free you from
- having to create local Unix users to represent the users attaching
- to your server. This means that if domain user <constant>DOM\fred
- </constant> attaches to your domain security Samba server, there needs
- to be a local Unix user fred to represent that user in the Unix
- filesystem. This is very similar to the older Samba security mode
- <ulink url="smb.conf.5.html#SECURITYEQUALSERVER">security = server</ulink>,
- where Samba would pass through the authentication request to a Windows
- NT server in the same way as a Windows 95 or Windows 98 server would.
- </para>
-
- <para>The advantage to domain-level security is that the
- authentication in domain-level security is passed down the authenticated
- RPC channel in exactly the same way that an NT server would do it. This
- means Samba servers now participate in domain trust relationships in
- exactly the same way NT servers do (i.e., you can add Samba servers into
- a resource domain and have the authentication passed on from a resource
- domain PDC to an account domain PDC.</para>
-
- <para>In addition, with <command>security = server</command> every Samba
- daemon on a server has to keep a connection open to the
- authenticating server for as long as that daemon lasts. This can drain
- the connection resources on a Microsoft NT server and cause it to run
- out of available connections. With <command>security = domain</command>,
- however, the Samba daemons connect to the PDC/BDC only for as long
- as is necessary to authenticate the user, and then drop the connection,
- thus conserving PDC connection resources.</para>
-
- <para>And finally, acting in the same manner as an NT server
- authenticating to a PDC means that as part of the authentication
- reply, the Samba server gets the user identification information such
- as the user SID, the list of NT groups the user belongs to, etc. All
- this information will allow Samba to be extended in the future into
- a mode the developers currently call appliance mode. In this mode,
- no local Unix users will be necessary, and Samba will generate Unix
- uids and gids from the information passed back from the PDC when a
- user is authenticated, making a Samba server truly plug and play
- in an NT domain environment. Watch for this code soon.</para>
-
- <para><emphasis>NOTE:</emphasis> Much of the text of this document
- was first published in the Web magazine <ulink url="http://www.linuxworld.com">
- LinuxWorld</ulink> as the article <ulink
- url="http://www.linuxworld.com/linuxworld/lw-1998-10/lw-10-samba.html">Doing
- the NIS/NT Samba</ulink>.</para>
-
-</sect1>
-</article>
diff --git a/docs/docbook/howto/NT_Security.sgml b/docs/docbook/howto/NT_Security.sgml
deleted file mode 100644
index 62550bfaa6..0000000000
--- a/docs/docbook/howto/NT_Security.sgml
+++ /dev/null
@@ -1,342 +0,0 @@
-<!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook V4.1//EN">
-
-<article>
-
-
-<sect1>
- <title>Viewing and changing UNIX permissions using the NT
- security dialogs</title>
-
-
- <para>New in the Samba 2.0.4 release is the ability for Windows
- NT clients to use their native security settings dialog box to
- view and modify the underlying UNIX permissions.</para>
-
- <para>Note that this ability is careful not to compromise
- the security of the UNIX host Samba is running on, and
- still obeys all the file permission rules that a Samba
- administrator can set.</para>
-
- <para>In Samba 2.0.4 and above the default value of the
- parameter <ulink url="smb.conf.5.html#NTACLSUPPOR"><parameter>
- nt acl support</parameter></ulink> has been changed from
- <constant>false</constant> to <constant>true</constant>, so
- manipulation of permissions is turned on by default.</para>
-</sect1>
-
-<sect1>
- <title>How to view file security on a Samba share</title>
-
- <para>From an NT 4.0 client, single-click with the right
- mouse button on any file or directory in a Samba mounted
- drive letter or UNC path. When the menu pops-up, click
- on the <emphasis>Properties</emphasis> entry at the bottom of
- the menu. This brings up the normal file properties dialog
- box, but with Samba 2.0.4 this will have a new tab along the top
- marked <emphasis>Security</emphasis>. Click on this tab and you
- will see three buttons, <emphasis>Permissions</emphasis>,
- <emphasis>Auditing</emphasis>, and <emphasis>Ownership</emphasis>.
- The <emphasis>Auditing</emphasis> button will cause either
- an error message <errorname>A requested privilege is not held
- by the client</errorname> to appear if the user is not the
- NT Administrator, or a dialog which is intended to allow an
- Administrator to add auditing requirements to a file if the
- user is logged on as the NT Administrator. This dialog is
- non-functional with a Samba share at this time, as the only
- useful button, the <command>Add</command> button will not currently
- allow a list of users to be seen.</para>
-
-</sect1>
-<sect1>
- <title>Viewing file ownership</title>
-
- <para>Clicking on the <command>"Ownership"</command> button
- brings up a dialog box telling you who owns the given file. The
- owner name will be of the form :</para>
-
- <para><command>"SERVER\user (Long name)"</command></para>
-
- <para>Where <replaceable>SERVER</replaceable> is the NetBIOS name of
- the Samba server, <replaceable>user</replaceable> is the user name of
- the UNIX user who owns the file, and <replaceable>(Long name)</replaceable>
- is the discriptive string identifying the user (normally found in the
- GECOS field of the UNIX password database). Click on the <command>Close
- </command> button to remove this dialog.</para>
-
- <para>If the parameter <parameter>nt acl support</parameter>
- is set to <constant>false</constant> then the file owner will
- be shown as the NT user <command>"Everyone"</command>.</para>
-
- <para>The <command>Take Ownership</command> button will not allow
- you to change the ownership of this file to yourself (clicking on
- it will display a dialog box complaining that the user you are
- currently logged onto the NT client cannot be found). The reason
- for this is that changing the ownership of a file is a privilaged
- operation in UNIX, available only to the <emphasis>root</emphasis>
- user. As clicking on this button causes NT to attempt to change
- the ownership of a file to the current user logged into the NT
- client this will not work with Samba at this time.</para>
-
- <para>There is an NT chown command that will work with Samba
- and allow a user with Administrator privillage connected
- to a Samba 2.0.4 server as root to change the ownership of
- files on both a local NTFS filesystem or remote mounted NTFS
- or Samba drive. This is available as part of the <emphasis>Seclib
- </emphasis> NT security library written by Jeremy Allison of
- the Samba Team, available from the main Samba ftp site.</para>
-
-</sect1>
-
-<sect1>
- <title>Viewing file or directory permissions</title>
-
- <para>The third button is the <command>"Permissions"</command>
- button. Clicking on this brings up a dialog box that shows both
- the permissions and the UNIX owner of the file or directory.
- The owner is displayed in the form :</para>
-
- <para><command>"SERVER\user (Long name)"</command></para>
-
- <para>Where <replaceable>SERVER</replaceable> is the NetBIOS name of
- the Samba server, <replaceable>user</replaceable> is the user name of
- the UNIX user who owns the file, and <replaceable>(Long name)</replaceable>
- is the discriptive string identifying the user (normally found in the
- GECOS field of the UNIX password database).</para>
-
- <para>If the parameter <parameter>nt acl support</parameter>
- is set to <constant>false</constant> then the file owner will
- be shown as the NT user <command>"Everyone"</command> and the
- permissions will be shown as NT "Full Control".</para>
-
-
- <para>The permissions field is displayed differently for files
- and directories, so I'll describe the way file permissions
- are displayed first.</para>
-
- <sect2>
- <title>File Permissions</title>
-
- <para>The standard UNIX user/group/world triple and
- the correspinding "read", "write", "execute" permissions
- triples are mapped by Samba into a three element NT ACL
- with the 'r', 'w', and 'x' bits mapped into the corresponding
- NT permissions. The UNIX world permissions are mapped into
- the global NT group <command>Everyone</command>, followed
- by the list of permissions allowed for UNIX world. The UNIX
- owner and group permissions are displayed as an NT
- <command>user</command> icon and an NT <command>local
- group</command> icon respectively followed by the list
- of permissions allowed for the UNIX user and group.</para>
-
- <para>As many UNIX permission sets don't map into common
- NT names such as <command>"read"</command>, <command>
- "change"</command> or <command>"full control"</command> then
- usually the permissions will be prefixed by the words <command>
- "Special Access"</command> in the NT display list.</para>
-
- <para>But what happens if the file has no permissions allowed
- for a particular UNIX user group or world component ? In order
- to allow "no permissions" to be seen and modified then Samba
- overloads the NT <command>"Take Ownership"</command> ACL attribute
- (which has no meaning in UNIX) and reports a component with
- no permissions as having the NT <command>"O"</command> bit set.
- This was chosen of course to make it look like a zero, meaning
- zero permissions. More details on the decision behind this will
- be given below.</para>
- </sect2>
-
- <sect2>
- <title>Directory Permissions</title>
-
- <para>Directories on an NT NTFS file system have two
- different sets of permissions. The first set of permissions
- is the ACL set on the directory itself, this is usually displayed
- in the first set of parentheses in the normal <command>"RW"</command>
- NT style. This first set of permissions is created by Samba in
- exactly the same way as normal file permissions are, described
- above, and is displayed in the same way.</para>
-
- <para>The second set of directory permissions has no real meaning
- in the UNIX permissions world and represents the <command>
- "inherited"</command> permissions that any file created within
- this directory would inherit.</para>
-
- <para>Samba synthesises these inherited permissions for NT by
- returning as an NT ACL the UNIX permission mode that a new file
- created by Samba on this share would receive.</para>
- </sect2>
-</sect1>
-
-<sect1>
- <title>Modifying file or directory permissions</title>
-
- <para>Modifying file and directory permissions is as simple
- as changing the displayed permissions in the dialog box, and
- clicking the <command>OK</command> button. However, there are
- limitations that a user needs to be aware of, and also interactions
- with the standard Samba permission masks and mapping of DOS
- attributes that need to also be taken into account.</para>
-
- <para>If the parameter <parameter>nt acl support</parameter>
- is set to <constant>false</constant> then any attempt to set
- security permissions will fail with an <command>"Access Denied"
- </command> message.</para>
-
- <para>The first thing to note is that the <command>"Add"</command>
- button will not return a list of users in Samba 2.0.4 (it will give
- an error message of <command>"The remote proceedure call failed
- and did not execute"</command>). This means that you can only
- manipulate the current user/group/world permissions listed in
- the dialog box. This actually works quite well as these are the
- only permissions that UNIX actually has.</para>
-
- <para>If a permission triple (either user, group, or world)
- is removed from the list of permissions in the NT dialog box,
- then when the <command>"OK"</command> button is pressed it will
- be applied as "no permissions" on the UNIX side. If you then
- view the permissions again the "no permissions" entry will appear
- as the NT <command>"O"</command> flag, as described above. This
- allows you to add permissions back to a file or directory once
- you have removed them from a triple component.</para>
-
- <para>As UNIX supports only the "r", "w" and "x" bits of
- an NT ACL then if other NT security attributes such as "Delete
- access" are selected then they will be ignored when applied on
- the Samba server.</para>
-
- <para>When setting permissions on a directory the second
- set of permissions (in the second set of parentheses) is
- by default applied to all files within that directory. If this
- is not what you want you must uncheck the <command>"Replace
- permissions on existing files"</command> checkbox in the NT
- dialog before clicking <command>"OK"</command>.</para>
-
- <para>If you wish to remove all permissions from a
- user/group/world component then you may either highlight the
- component and click the <command>"Remove"</command> button,
- or set the component to only have the special <command>"Take
- Ownership"</command> permission (dsplayed as <command>"O"
- </command>) highlighted.</para>
-</sect1>
-
-<sect1>
- <title>Interaction with the standard Samba create mask
- parameters</title>
-
- <para>Note that with Samba 2.0.5 there are four new parameters
- to control this interaction. These are :</para>
-
- <para><parameter>security mask</parameter></para>
- <para><parameter>force security mode</parameter></para>
- <para><parameter>directory security mask</parameter></para>
- <para><parameter>force directory security mode</parameter></para>
-
- <para>Once a user clicks <command>"OK"</command> to apply the
- permissions Samba maps the given permissions into a user/group/world
- r/w/x triple set, and then will check the changed permissions for a
- file against the bits set in the <ulink url="smb.conf.5.html#SECURITYMASK">
- <parameter>security mask</parameter></ulink> parameter. Any bits that
- were changed that are not set to '1' in this parameter are left alone
- in the file permissions.</para>
-
- <para>Essentially, zero bits in the <parameter>security mask</parameter>
- mask may be treated as a set of bits the user is <emphasis>not</emphasis>
- allowed to change, and one bits are those the user is allowed to change.
- </para>
-
- <para>If not set explicitly this parameter is set to the same value as
- the <ulink url="smb.conf.5.html#CREATEMASK"><parameter>create mask
- </parameter></ulink> parameter to provide compatibility with Samba 2.0.4
- where this permission change facility was introduced. To allow a user to
- modify all the user/group/world permissions on a file, set this parameter
- to 0777.</para>
-
- <para>Next Samba checks the changed permissions for a file against
- the bits set in the <ulink url="smb.conf.5.html#FORCESECURITYMODE">
- <parameter>force security mode</parameter></ulink> parameter. Any bits
- that were changed that correspond to bits set to '1' in this parameter
- are forced to be set.</para>
-
- <para>Essentially, bits set in the <parameter>force security mode
- </parameter> parameter may be treated as a set of bits that, when
- modifying security on a file, the user has always set to be 'on'.</para>
-
- <para>If not set explicitly this parameter is set to the same value
- as the <ulink url="smb.conf.5.html#FORCECREATEMODE"><parameter>force
- create mode</parameter></ulink> parameter to provide compatibility
- with Samba 2.0.4 where the permission change facility was introduced.
- To allow a user to modify all the user/group/world permissions on a file,
- with no restrictions set this parameter to 000.</para>
-
- <para>The <parameter>security mask</parameter> and <parameter>force
- security mode</parameter> parameters are applied to the change
- request in that order.</para>
-
- <para>For a directory Samba will perform the same operations as
- described above for a file except using the parameter <parameter>
- directory security mask</parameter> instead of <parameter>security
- mask</parameter>, and <parameter>force directory security mode
- </parameter> parameter instead of <parameter>force security mode
- </parameter>.</para>
-
- <para>The <parameter>directory security mask</parameter> parameter
- by default is set to the same value as the <parameter>directory mask
- </parameter> parameter and the <parameter>force directory security
- mode</parameter> parameter by default is set to the same value as
- the <parameter>force directory mode</parameter> parameter to provide
- compatibility with Samba 2.0.4 where the permission change facility
- was introduced.</para>
-
- <para>In this way Samba enforces the permission restrictions that
- an administrator can set on a Samba share, whilst still allowing users
- to modify the permission bits within that restriction.</para>
-
- <para>If you want to set up a share that allows users full control
- in modifying the permission bits on their files and directories and
- doesn't force any particular bits to be set 'on', then set the following
- parameters in the <ulink url="smb.conf.5.html"><filename>smb.conf(5)
- </filename></ulink> file in that share specific section :</para>
-
- <para><parameter>security mask = 0777</parameter></para>
- <para><parameter>force security mode = 0</parameter></para>
- <para><parameter>directory security mask = 0777</parameter></para>
- <para><parameter>force directory security mode = 0</parameter></para>
-
- <para>As described, in Samba 2.0.4 the parameters :</para>
-
- <para><parameter>create mask</parameter></para>
- <para><parameter>force create mode</parameter></para>
- <para><parameter>directory mask</parameter></para>
- <para><parameter>force directory mode</parameter></para>
-
- <para>were used instead of the parameters discussed here.</para>
-</sect1>
-
-<sect1>
- <title>Interaction with the standard Samba file attribute
- mapping</title>
-
- <para>Samba maps some of the DOS attribute bits (such as "read
- only") into the UNIX permissions of a file. This means there can
- be a conflict between the permission bits set via the security
- dialog and the permission bits set by the file attribute mapping.
- </para>
-
- <para>One way this can show up is if a file has no UNIX read access
- for the owner it will show up as "read only" in the standard
- file attributes tabbed dialog. Unfortunately this dialog is
- the same one that contains the security info in another tab.</para>
-
- <para>What this can mean is that if the owner changes the permissions
- to allow themselves read access using the security dialog, clicks
- <command>"OK"</command> to get back to the standard attributes tab
- dialog, and then clicks <command>"OK"</command> on that dialog, then
- NT will set the file permissions back to read-only (as that is what
- the attributes still say in the dialog). This means that after setting
- permissions and clicking <command>"OK"</command> to get back to the
- attributes dialog you should always hit <command>"Cancel"</command>
- rather than <command>"OK"</command> to ensure that your changes
- are not overridden.</para>
-</sect1>
-
-</article>
diff --git a/docs/docbook/howto/samba-pdc-howto.sgml b/docs/docbook/howto/samba-pdc-howto.sgml
deleted file mode 100644
index 4b8380dd9e..0000000000
--- a/docs/docbook/howto/samba-pdc-howto.sgml
+++ /dev/null
@@ -1,778 +0,0 @@
-
-<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook V4.1//EN">
-<book id="samba-pdc-howto">
-
-<title>The Samba 2.2 PDC HowTo </title>
-
-<!-- ========================================================
-
- To produce html from this file
-
- jade -E10 -t sgml -d html.dsl ntdom.sgml
-
- This assumes that html.dsl is present in the current dir, it includes
- a couple of defines and then refers to the DSSSL html stylesheet.
-
- =========================================================== -->
-
-
-<bookinfo>
- <author><firstname>David</><surname>Bannon</>
- <affiliation><orgname>La Trobe University</orgname></affiliation>
- </author>
- <pubdate>November 2000</pubdate>
-</bookinfo>
-
-<dedication><title></title>
-
- <para>Comments, corrections and additions to <email>dbannon@samba.org</email></para>
-
- <para>
- This document explains how to setup Samba as a Primary Domain Controller and
- applies to version 2.2.0.
- Before
- using these functions make sure you understand what the controller can and cannot do.
- Please read the sections below in the Introduction.
- As 2.2.0 is incrementally updated
- this document will change or become out of date very quickly, make sure you are
- reading the most current version.
- </para>
-
- <para>Please note this document does not apply to Samba2.2alpha0, Samba2.2alpha1,
- Samba 2.0.7, TNG nor HEAD branch.</para>
-
- <para>It does apply to the current (post November 27th) cvs.</para>
-
- <para>
- Also available is an updated version of Jerry Carter's NTDom <ulink url="samba-pdc-faq.html">
- FAQ</> that will answer lots of
- the special 'tuning' questions that are not covered here. Over the next couple of weeks
- some of the items here will be moved to the FAQ.
- </para>
-
-
-</dedication>
-
-<toc> </toc>
-
-<!-- ================ I N T R O D U C T I O N ==================== -->
-
-<chapter><title>Introduction</title>
-
-<para>
-This document will show you one way of making Version 2.2.0
-of Samba perform some of the tasks of a
-NT Primary Domain Controller. The facilities described are built into Samba as a result of
-development work done over a number of years by a large number of people. These facilities
-are only just beginning to be officially supported and although they do appear to work reliably,
-if you use them then you take the risks upon your self. This document does not cover the
-developmental versions of Samba, particularly
-<ulink url="http://www.samba-tng.org/"><citetitle>Samba-TNG</citetitle></ulink>
-
-
-</para>
-
-
-<para>Note that <ulink url="http://bioserve.latrobe.edu.au/samba">Samba 2.0.7</>
- supports significently less of the NT Domain facilities compared with 2.2.0
- </para>
-
-<para>
- This document does not replace the text files DOMAIN_CONTROL.txt, DOMAIN.txt (by
- John H Terpstra) or NTDOMAIN.txt (by Luke Kenneth Casson Leighton). Those documents provide
- more detail and an insight to the development
- cycle and should be considered 'further reading'.
-
-</para>
-
-
-<sect1><title>What can we do ?</title>
-<itemizedlist>
- <listitem><para>Permit 'domain logons' for Win95/98, NT4 and W2K workstations from one central
- password database. WRT W2K, please see the section about adding machine
- accounts and the Intro in the <ulink url="samba-pdc-faq.html">FAQ</>.</para></listitem>
- <listitem><para>Grant Administrator privileges to particular domain users on an
- NT or W2K workstation.</para></listitem>
- <listitem><para>Apply policies from a domain policy file to NT and W2K (?)
- workstation.</para></listitem>
- <listitem><para>Run the appropriate logon script when a user logs on to the domain
- .</para></listitem>
- <listitem><para>Maintain a user's local profile on the server.</para></listitem>
- <listitem><para>Validate a user using another system via smb (such as smb_pam) and
- soon winbind (?).</para></listitem>
-</itemizedlist>
-</sect1>
-
-
-<sect1><title>What can't we do ?</title>
-<itemizedlist>
- <listitem><para> Become or work with a Backup Domain Controller (a BDC).</para></listitem>
- <listitem><para> Participate in any sort of trust relationship (with either Samba or NT
- Servers).</para></listitem>
- <listitem><para> Offer a list of domain users to User Manager for Domains
- on the Security Tab etc).</para></listitem>
- <listitem><para>Be a W2K type of Domain Controller. Samba PDC will behave like
- an NT PDC, W2K workstations connect in legacy mode.</para></listitem>
-</itemizedlist>
-</sect1>
-
-</chapter>
-
-
-<!-- ================== I N S T A L L I N G ===================== -->
-
-<chapter><title>Installing</title>
-
- <para>Installing consists of the usual download, configure, make and make
- install process. These steps are well documented elsewhere.
- The <ulink url="samba-pdc-faq.html">FAQ</> discusses getting pre-release versions via CVS.
- Then you need to configure the server.</para>
-
-<sect1><title>Start Up Script</title>
- <para>Skip this section if you have a working Samba already.
- Everyone has their own favourite startup script. Here is mine, offered with no warrantee
- at all !</para>
-
-<programlisting>
-
- #!/bin/sh
- # Script to control Samba server, David Bannon, 14-6-96
- #
- #
- PATH=/bin:/usr/sbin:/usr/bin
- export PATH
- case "$1" in
- 'start')
- if [ -f /usr/local/samba/bin/smbd ]
- then
- /usr/local/samba/bin/smbd -D
- /usr/local/samba/bin/nmbd -D
- echo "Starting Samba Server"
- fi
- ;;
- 'conf')
- if [ -f /usr/local/samba/lib/smb.conf ]
- then
- vi /usr/local/samba/lib/smb.conf
- fi
- ;;
- 'pw')
- if [ -f /usr/local/samba/private/smbpasswd ]
- then
- vi /usr/local/samba/private/smbpasswd
- fi
- ;;
- 'who')
- /usr/local/samba/bin/smbstatus -b
- ;;
- 'restart')
- psline=`/bin/ps x | grep smbd | grep -v grep`
-
- if [ "$psline" != "" ]
- then
- while [ "$psline" != "" ]
- do
- psline=`/bin/ps x | fgrep smbd | grep -v grep`
- if [ "$psline" ]
- then
- set -- $psline
- pid=$1
- /bin/kill -HUP $pid
- echo "Stopped $pid line = $psline"
- sleep 2
- fi
- done
- fi
- echo "Stopped Samba servers"
- ;;
- 'stop')
- psline=`/bin/ps x | grep smbd | grep -v grep`
-
- if [ "$psline" != "" ]
- then
- while [ "$psline" != "" ]
- do
- psline=`/bin/ps x | fgrep smbd | grep -v grep`
- if [ "$psline" ]
- then
- set -- $psline
- pid=$1
- /bin/kill -9 $pid
- echo "Stopped $pid line = $psline"
- sleep 2
- fi
- done
- fi
- echo "Stopped Samba servers"
- psline=`/bin/ps x | grep nmbd | grep -v grep`
- if [ "$psline" ]
- then
- set -- $psline
- pid=$1
- /bin/kill -9 $pid
- echo "Stopped Name Server "
- fi
- echo "Stopped Name Servers"
- ;;
- *)
- echo "usage: samba {start | restart |stop | conf | pw | who}"
- ;;
- esac
-
-</programlisting>
-
-<para> Use this script, or some other one, you will need to ensure its used while the machine
- is booting. (This typically involves <filename>/etc/rc.d</filename>, we'll be
- assuming that there is a script called
- samba in <filename>/etc/rc.d/init.d</filename> further down in this document.)
-</para>
-</sect1>
-
-<sect1><title>Config File</title>
-
-<sect2><title id=configfile>A sample conf file</title>
- <para>Here is a fairly minimal config file to do PDC. It will also make the server
- become the browse master for the
- specified domain (not necessary but usually desirable). You will need to change only
- two parameters to make this
- file work, <filename>wins server</filename> and <filename>workgroup</filename>, plus
- you will need to put your own name (not mine!) in the <filename>domain admin users</> fields.
- Some of the parameters are discussed further down this document.</para>
-
- <para>Assuming you have used the default install directories, this file should appear as
- <filename>/usr/local/samba/lib/smb.conf</filename>. It should not be
- writable by anyone except root.</para>
-
- <note><para>The 'add user script' parameter is a work-around, watch for changes !</></>
-
- <programlisting>
-
- [global]
- security = user
- status = yes
- workgroup = { Your domain name here }
- wins server = { ip of a wins server if you have one }
- encrypt passwords = yes
- domain logons =yes
- logon script = scripts\%U.bat
- domain admin group = @adm
- add user script = /usr/sbin/adduser -n -g machines -c Machine -d /dev/null -s /bin/false %m$
- guest account = ftp
- share modes=no
- os level=65
- [homes]
- guest ok = no
- read only = no
- create mask = 0700
- directory mask = 0700
- oplocks = false
- locking = no
- [netlogon]
- path = /usr/local/samba/netlogon
- writeable = no
- guest ok = no
-
-</programlisting>
-
-</sect2>
-
-<sect2><title>PDC Config Parameters</title>
-
-
-<variablelist><title>There are a huge range of parameters that may appear in a smb.conf file. Some
- that may be of interest to a PDC are :</title>
-
-<varlistentry><term>add user script</term>
- <listitem><para>This parameter specifies a script (or program) that will be run
- to add a user to the system. Here it is being used to add a machine, not a user.
- This is probably not very nice and may change. But it does work !</para>
-
- <para>For this example, I have a group called 'machines', entries can be added to
- <filename>/etc/passwd</> using a programme called <filename>/usr/adduser</> and
- the other parameters are chosen as suitable for a machine account. Works for
- RH Linux, your system may require changes.</para>
- </listitem>
-</varlistentry>
-
-
-<varlistentry><term>domain admin group = @adm</term>
- <listitem><para>This parameter specifies a unix group whose members will be granted
- admin privileges on a NT workstation when
- logged onto that workstation. See the section called <link linkend=domainadmin>
- Domain Admin</> Accounts.</para>
- </listitem>
-</varlistentry>
-
-<varlistentry><term>domain admin users = user1 users2</term>
- <listitem><para>It appears that this parameter does not funtion correctly at present.
- Use the 'domain admin group' instread. This parameter specifies a unix user who will
- be granted admin privileges
- on a NT workstation when
- logged onto that workstation. See the section called <link linkend=domainadmin>
- Domain Admin</> Accounts.</para>
- </listitem>
-</varlistentry>
-
-<varlistentry><term>encrypt passwords = yes</term>
- <listitem><para>This parameter must be 'yes' to allow any of the recent service pack NTs to logon. There are some reg hacks that
- turn off encrypted passwords on the NTws itself but if you are going to use the smbpasswd system (and you
- should) you must use encrypted passwords.</para>
- </listitem>
-</varlistentry>
-
-<varlistentry><term>logon script = scripts\%U.bat</term>
- <listitem><para>This will make samba look for a logon script named after the user
- (eg joeblow.bat).
- See the section further on called <link linkend=logonscript>Logon Scripts</></para>
- <note><para>Note that the slash is like this '\', not like this '/'.
- NT is happy with both, win95 is not !</para></note>
- </listitem>
-</varlistentry>
-
-<varlistentry><term>logon path</term>
- <listitem><para>Lets you specify where you would like users profiles kept. The default, that is in the users
- home directory, does encourage a bit of fiddling.</para>
- </listitem>
-</varlistentry>
-
-
-</variablelist>
-
-
-</sect2>
-</sect1>
-
-<sect1><title>Special directories</title>
- <para>You need to create a couple of special files and directories. Its nice
- to have some of the binaries handy too, so I create links to them. Assuming
- you have used the default samba location and have not
- changed the locations mentioned in the sample config file, do the following :</para>
-
- <programlisting>
-
- mkdir /usr/local/samba/netlogon
- mkdir /usr/local/samba/netlogon/scripts
- mkdir /usr/local/samba/private
- touch /usr/local/samba/private/smbpasswd
- chmod go-rwx /usr/local/samba/private/smbpasswd
- cd /usr/local/sbin
- ln -s /usr/local/samba/bin/smbpasswd
- ln -s /usr/local/samba/bin/smbclient
- ln -s /etc/rc.d/init.d/samba
-</programlisting>
-
- <para>Make sure permissions are appropriate !</para>
-
- <para>OK, if you have used the scripts above and have a path to where the links are do this to start up
- the Samba Server :</para>
-
- <para><command>samba start</command></para>
-
- <para>Instead, you might like to reboot the machine to make sure that you
- got the init stuff right. Any way, a quick look in the logs
- <filename>/usr/local/samba/var/log.smbd</filename> and <filename>
- /usr/local/samba/var/log/nmbd</filename>
- will give you an idea of what's happening. Assuming all is well, lets create
- some accounts...</para>
-</sect1>
-</chapter>
-
- <!-- ================== U S E R and M A C H I N E A C C O U N T S ================ -->
-
-<chapter><title>User and Machine Accounts</title>
-<sect1><title>Logon Accounts</title>
-
- <para><emphasis role=bold>This section is very nearly out of date already !</emphasis> It
- appears that while you are reading it, Jean Francois Micou is making it
- redundant ! Jean Francois is adding facilities to add users
- (via User Manager) and machines (when joining the domain) and it looks like these facilities will
- make it into the official release of 2.2.</para>
-
-
- <para>Every user and NTws (and other samba servers) that will be on the domain
- must have its own passwd entry in both <filename>/etc/passwd</filename> and
- <filename>/usr/local/samba/private/smbpasswd</filename> .
- The <filename>/etc/passwd</filename> entry is really
- only to reserve a user ID. The NT encrypted password is stored in
- <filename>/usr/local/samba/private/smbpasswd</filename>.
- (Note that win95/98 machines don't need an account as they don't do
- any security aware things.)</para>
-
- <para>Samba 2.2 will now create these entries for us. Carefull set up is required
- and there may well be some changes to this system before its released.
- </para>
-</sect1>
-
-<sect1 id=machineaccount><title>Machine Accounts</title>
-
- <note><para>There is an entry in the ntdom <ulink url="samba-pdc-faq.html">FAQ</> explaining how to create
- machine entries manually.</para></note>
-
-
-<variablelist><title><emphasis>At present</> to have the machine accounts created when a machine joins
- the domain a number of conditions must be met :</title>
-
-<varlistentry><term>Only root can do it !</term>
- <listitem><para>There must be an entry in <filename>/usr/local/samba/private/smbpasswd</filename>
- for root and root must be mentioned in <filename>domain admins</filename>. This may
- be fixed some time in the future so any 'domain admin' can do it. If you don't
- like having root as a windows logon account, make the machine
- entries manually (both of them).</para>
- </listitem>
-</varlistentry>
-
-<varlistentry><term>Use the <filename>add user script</></term>
- <listitem><para>Again, this looks a bit like a 'work around'. Use a suitable
- command line to add a machine account <link linkend=configfile>see above</link>,
- and pass it %m$, that is %m to get machine name plus the '$'. Now, this
- means you cannot use the <filename>add user script</> to really add users .... </para>
- </listitem>
-</varlistentry>
-
-<varlistentry><term>Only for W2K</term>
- <listitem><para>This automatic creation of machine accounts does not work for
- NT4ws at present. Watch this space.</para></listitem></varlistentry>
-</variablelist>
-
-</sect1>
-
-<sect1><title>Joining the Domain</title>
-
- <para>You must have either added the machine account entries manually (NT4 ws)
- or set up the automatic system (W2K), <link linkend=machineaccount>see Machine Accounts</link>
- before proceeding.</para>
-
-<variablelist>
-<varlistentry><term><command>Windows NT</></term><listitem>
-<itemizedlist>
- <listitem><para> (<emphasis>this step may not be necessary some time in the near future</>).
- On the samba server that is the PDC, add a machine account manually
- as per the instructions in the <ulink url="samba-pdc-faq.html">FAQ</>
- Then give the command <command>smbpasswd -a -m {machine}</> substituting in the
- client machine name.</para></listitem>
- <listitem><para> Logon to the NTws in question as a local admin, go to the
- <command>Control Panel, Network IdentificationTag</command>.</para></listitem>
- <listitem><para> Press the <command>Change</> button.</para></listitem>
- <listitem><para> Enter the Domain name (from the 'Workgroup' parameter, smb.conf)
- in the Domain Field.</para></listitem>
-<!-- <listitem><para> Now enter a user name
- and password for a Domain Admin <emphasis>(Who must be root
- until a pre-release bug is fixed)</emphasis> and press
- 'OK'.</para></listitem> -->
- <listitem><para> Press OK and after a few seconds you will get a 'Welcome to Whatever Domain'.
- Allow to reboot.</para></listitem>
-</itemizedlist>
-</listitem></varlistentry>
-
-<varlistentry><term><command>Windows 2000</></term><listitem>
-<itemizedlist>
- <listitem><para>Logon to the W2k machine as Administrator, go to the Control
- Panel and double click on <command>Network and Dialup Connections</>.
- </para></listitem>
- <listitem><para>Pull down the <command>Advanced</> menu and choose
- <command>Network Identification</>. Press <command>Properties
- </>. </para></listitem>
- <listitem><para>Choose <command>Domain</> and enter the domain name. Press 'OK'.</para></listitem>
- <listitem><para>Now enter a user name and password for a Domain Admin
- <emphasis>(Who must be root until a pre-release bug is fixed)</emphasis> and press
- 'OK'.</para></listitem>
- <listitem><para>Wait for the confirmation, reboot when prompted.</para></listitem>
-</itemizedlist>
- <para>To remove a W2K machine from the domain, follow the first two steps then
- choose <command>Workgroup</>, enter a work group name (or just WORKGROUP) and follow
- the prompts.</para>
-</listitem></varlistentry>
-
-
-</variablelist>
-
-</sect1>
-
-<sect1><title id=useraccount>User Accounts</title>
-
- <para><emphasis>Again, doing it manually (cos' the auto way is not working pre-release).
- </emphasis>
- In our simple case every domain user should have an account on the PDC. The
- account may have a null shell if they are not allowed to log on to the unix
- prompt. Again they need an entry in both the <filename>/etc/passwd</filename> and
- <filename>/usr/local/samba/private/smbpasswd</filename>. Again a password is
- not necessary in <filename>/etc/passwd</filename> but the location
- of the home directory is honoured.
- To make an entry for a user called Joe Blow you would typically do the following :</para>
-
- <para><command>adduser -g users -c 'Joe Blow' -s /bin/false -n joeblow</command></para>
-
- <para><command>smbpasswd -a joeblow</command></para>
-
- <para>And you will prompted to enter a password for Joe. Ideally he will be
- hovering over your shoulder and will, when asked, type in a password of
- his choice. There are a number of scripts and systems to ease the migration of users
- from somewhere to samba. Better start looking !</para>
-</sect1>
-
-<sect1><title id=domainadmin>Domain Admin Accounts</title>
-
- <para>Certain operations demand that the logged on user has Administrator
- privileges, typically installing software and
- doing maintenance tasks. It is very simple to appoint some users as Domain Admins,
- most likely yourself. Make
- sure you trust the appointee !</para>
-
- <para>Samba 2.2 recognizes particular users as being
- domain admins and tells the NTws when it thinks that it has got one logged on.
- In the smb.conf file we declare
- that the <filename>Domain Admin group = @adm</filename>.
- Any user who is a menber of the unix group 'adm' is treated as a Domain Admin by a NTws when
- logged onto the Domain. They will have full Administrator rights
- including the rights to change permissions on files and run the system
- utilities such as Disk Administrator. Add users to the group by editing <filename>
- /etc/group/</>. You do not need to use the 'adm' group, choose any one you like.</para>
-
- <para>Further, and this is very new, they will be allowed to create a
- new machine account when first connecting a new NT or W2K machine to
- the domain. <emphasis>However, at present, ie pre-release, only a Domain Admin who
- also happens to be root can do so. </emphasis></para>
-</sect1>
-</chapter>
-
-
-<!-- ======== P R O F I L E S P O L I C I E S and L O G O N S C R I P T S ======= -->
-
-<chapter><title>Profiles, Policies and Logon Scripts</title>
-
-<sect1><title>Profiles</title>
-
- <para>NT Profiles should work if you have followed the setup so far.
- A user's profile contains a whole lot of their personal settings,
- the contents of their desktop, personal 'My Documents' and so on.
- When they log off, all of the profile is copied to their directory
- on the server and is downloaded again when they logon on again, possibly
- on another client machine.</para>
-
- <para>Sounds great but can be a bit of a bug bear sometimes. Users let
- their profiles get too big and then complain about how long it takes
- to log on each time. This sample setup only supports NT profiles,
- rumor has it that it is also possible to do the same on Win95, my
- users don't know and I'm not telling them.</para>
-
- <note><para>There is more info about Profiles (including for W95/98)
- in the <ulink url="samba-pdc-faq.html">FAQ</>.</para></note>
-</sect1>
-
-<sect1><title>Policies</title>
-
- <para>Policies are an easy way to make or enforce specific characteristics across your network. You create a ntconfig.pol
- file and every time someone logs on with their NTws, the settings you put in ntconfig.pol are applied to the NTws.
- Typical setting are things like making the date appear the way you want it (none of these 2 figure years here) or
- maybe suppressing one of the splash screens. Perhaps you want to set the NTws so it does not keep users profiles
- on the local machine. Cool. The only problem is making the ntconfig.pol file itself. You cannot use the policy editor
- that comes with NTws.</para>
-
- <note><para>See the <ulink url="samba-pdc-faq.html">FAQ</> for pointers on how to get a suitable Policy Editor.</para></note>
-
- <para>The Policy Editor (and associated files) will create a
- <filename>ntconfig.pol</filename> file using the
- parameters Microsoft thought of and parameters you specify by making your own
- template file.</para>
-
- <para>In our example configuration here, Samba will expect to find
- the <filename>ntconfig.pol</filename> file in
- <filename>/usr/local/samba/netlogon</filename>. Needless to say (I hope !),
- it is vitally important that ordinary users don't have
- write permission to the Policy files.</para>
-</sect1>
-
-<sect1><title id=logonscript>Logon Scripts</title>
-
- <para>In the sample config file above there is a line
- <filename>logon script = scripts\%U.bat</filename></para>
-
- <note><para>Note that the slash is like this '\' not like this '/'.
- NT is happy with both, win95 is not !</para></note>
-
- <para>This allows you to run a dos batch file every time someone logs on. The batch
- file is located on the server, in the sample install mentioned here,
- its in <filename>/usr/local/samba/netlogon/scripts</filename> and
- is named after the user with <filename>.bat</filename> appended, eg Joe
- Blow's script is called <filename>/usr/local/samba/netlogon/scripts/joeblow.bat</filename>.</para>
-
- <note><para>There is a suggestion that user names longer than 8 characters may cause
- problems with some systems being unable to run logon scripts. This is confirmed in earlier
- versions when connecting using W95, comments about other combinations ??</para></note>
-
- <para>You could use a line like this <filename>logon script = default.bat</> and samba
- will supply <filename>/usr/local/samba/netlogon/default.bat</> for any client and every
- user. Maybe you could use %m and get a client machine dependant logon script.
- You get the idea...</para>
-
- <para>Note that the file is a dos batch file not a Unix script. It runs dos commands on the client
- computer with the logon user's permissions. It must be a dos file with each line ending with
- the dos cr/lf not a nice clean newline. Generally,
- its best to create the initial file on a DOS system and copy it across.</para>
-
- <para>There is lots of very clever uses of the Samba replaceable variables such
- ( %U = user, %G = primary group, %H = client machine, see the 'man 5 smb.conf') to
- give you control over which script runs when a particular person logs
- on. (Gee, it would be nice to have a default.bat run when nothing else is available.)</para>
-
- <para>Again, it is vitally important that ordinary users don't have write
- permission to other peoples, or even probably their own, logon script files.</para>
-
- <para>A typical logon script is reproduced below. Note that it runs separate
- commands for win95 and NT, that's because NT has slightly different behaviour
- when using the <filename>net use ..</filename> command. Its useful for lots of
- other situations too. I don't know what syntax to use for win98, I don't use it
- here.</para>
-
-<programlisting>
-
- rem Default logon script, create links to this file.
-
- net time \\bioserve /set /yes
- @echo off
- if %OS%.==Windows_NT. goto WinNT
-
- :Win95
- net use k: \\trillion\bio_prog
- net use p: \\bcfile\homes
- goto end
- :WinNT
- net use k: \\trillion\bio_prog /persistent:no
- net use p: \\bcfile\homes /persistent:no
-
- :end
-
-</programlisting>
-</sect1>
-</chapter>
-
-<chapter><title>Passwords and Authentication</title>
-
- <para>So far our configuration assumes that ordinary users don't have unix logon access. A change
- to the <link linkend=useraccount><filename>adduser</></> line above would allow unix logon
- but it would be with passwords that may
- be different from the NT logon. Clearly that won't suit everyone. Trying to explain to users
- that they need to change their passwords in two seperate places is not fun.
- Further, even if they cannot do a unix logon there are other processes that
- might require authentication. We have a nice securely encrypted password in
- <filename>/usr/local/samba/private/smbpasswd</filename>, why not use it ?</para>
-
-<sect1><title></>
-<sect2><title>Syncing Passwords</title>
-
- <para>Yes, its possible and seems the easiest way (initially anyway).
- The <ulink url="samba-pdc-faq.html">FAQ</> details how to
- do so in the sections <emphasis>What is password sync and should I use it ?</> and <emphasis>
- How do I get remote password (unix and SMB) changing working ?</></para>
-
-</sect2>
-
-<sect2><title>Using PAM</title>
- <para>Pam enabled systems have a much better solution available. The Samba
- PDC server will offer to authenticate domain users to other processes
- (either on this server or on the domain). With a suitable pam stack
- such as <ulink url="http://www.csn.ul.ie/~airlied/pam_smb/"> Pam_smb</ulink>
- you can get any pam aware application looking to the samba password and
- can leave the password field in <filename>/etc/shadow</filename>
- or <filename>/etc/passwd</filename> invalid.</para>
-</sect2>
-
-<sect2><title>Authenticating other Samba Servers</title>
- <para>In a domain that has a number of servers you only need one password database.
- The machines that don't have their own ask the PDC to check for them.
- This will work fine for a domain controlled by either a Samba or NT machine.</para>
-
- <para>To do so the Samba machine must be told to refer to the PDC and where the PDC is.
- See the section in the NTDom <ulink url="samba-pdc-faq.html">FAQ</> called <emphasis>How do I get my samba server to
- become a member ( not PDC ) of an NT domain?</></para>
-
-
-</sect2>
-</sect1>
-</chapter>
-
-
-<chapter><title>Background</title>
-
-<sect1><title></title>
-<sect2><title>History</title>
-
- <para>It might help you understand the limitations of the PDC in Samba if you
- read something of its history. Well, the history as I understand it anyway.</para>
-
- <para>For many years the Samba team have been developing Samba, some time ago
- a number of people, possibly lead by Luke Leighton started contributing NT
- PDC stuff. This was added to the 'head' stream (that would eventually
- become the next version) and later to a seperate stream (NTDom). They did so
- much that eventually this development stream was so mutated that it could not
- be merged back into the main stream and was abandoned towards the end of 1999.
- And that was very sad because many users, myself include had become heavily
- dependant on the NTController facilities it offered. Oh well...</para>
-
- <para>The NTDom team continued on with their new found knowledge however and
- built the TNG stream. Intended to be carefully controlled so that it can be
- merged back into the main stream and benefiting from what they learnt, it is
- a very different product to the origional NTDom product. However, for a
- number of reasons, the merge did not take place and now TNG is being developed
- at <ulink url="http://www.samba-tng.org">http://www.samba-tng.org</>.</para>
-
- <para>Now, the NTDom things that the main strean 2.0.x version does is based more
- on the old (initial version) abandoned code than on the TNG ideas. It appears
- that version 2.2.0 will also include an improved version of the 2.0.7 domain
- controller charactistics, not the TNG ways. The developers have indicated
- that 2.2.0 will be further developed incrementally and the ideas from TNG
- incorporated into it.</para>
-
- <para>One more little wriggle is worth mentioning. At one stage the NTDom
- stream was called Samba 2.1.0-prealpha and similar names. This is most
- unfortunate because at least one book published advises people who want to
- use NTDom Samba to get version 2.1.0 or later. As main stream Samba will soon
- be called 2.2.0 and NOT officially supporting NTDom Controlling functions,
- the potential for confusion is certainly there.</para>
-</sect2>
-
-<sect2><title>The Future</title>
-
- <para>There is a document on the Samba mirrors called <emphasis>'Development'
- </emphasis>. It offers the 'best guess' of what is planned for future releases
- of Samba.</para>
-
- <para>The future of Samba as a Primary Domain Controller appears rosie, however
- be aware that its the future, not the present. The developers are strongly committed
- to building a full featured PDC into Samba but it will take time. If this
- version does not meet your requirements then you should consider (in no particular
- order) :</para>
-
- <itemizedlist>
- <listitem><para> Wait. No, we don't know how long. Repeated asking won't help.</para></listitem>
- <listitem><para>Investigate the development versions, TNG perhaps or HEAD where new code is being added
- all the time. Realise that development code is often unstable, poorly documented and subject to change.
- You will need to use cvs to download development versions.</para></listitem>
- <listitem><para>Join one of the Samba mailing lists so that you can find out
- what is happening on the 'bleeding edge'.</para></listitem>
- </itemizedlist>
-</sect2>
-
-<sect2><title>Getting further help</title>
-
- <para>This document cannot possibly answer all your questions. Please understand that its very
- likely that someone has been confrounted by the same problem that you have. The
- <ulink url="samba-pdc-faq.html">FAQ</>
- discusses a number of possible paths to take to get further help :</para>
-
-
- <itemizedlist>
- <listitem><para>Documents on the Samba Sites.</para></listitem>
- <listitem><para>Other web sites.</para></listitem>
- <listitem><para>Mailing list.</para></listitem>
- </itemizedlist>
-
- <para>There is some discussion about guide lines for using the Mailing Lists on the
- accompanying <ulink url="samba-pdc-faq.html">FAQ</>,
- please read them before posting.</para>
-
-</sect2>
-</sect1>
-</chapter>
-
-</book>