summaryrefslogtreecommitdiff
path: root/docs/docbook/projdoc/DOMAIN_MEMBER.sgml
diff options
context:
space:
mode:
Diffstat (limited to 'docs/docbook/projdoc/DOMAIN_MEMBER.sgml')
-rw-r--r--docs/docbook/projdoc/DOMAIN_MEMBER.sgml133
1 files changed, 84 insertions, 49 deletions
diff --git a/docs/docbook/projdoc/DOMAIN_MEMBER.sgml b/docs/docbook/projdoc/DOMAIN_MEMBER.sgml
index b178bfd2c2..8a30a5527d 100644
--- a/docs/docbook/projdoc/DOMAIN_MEMBER.sgml
+++ b/docs/docbook/projdoc/DOMAIN_MEMBER.sgml
@@ -25,29 +25,79 @@
</chapterinfo>
-<title>Samba as a NT4 or Win2k domain member</title>
+<title>Samba as a NT4 domain member</title>
<sect1>
- <title>Joining an NT Domain with Samba 3.0</title>
+ <title>Joining an NT Domain with Samba 2.2</title>
- <para>Assume you have a Samba 3.0 server with a NetBIOS name of
- <constant>SERV1</constant> and are joining an or Win2k NT domain called
+ <para>Assume you have a Samba 2.x server with a NetBIOS name of
+ <constant>SERV1</constant> and are joining an NT domain called
<constant>DOM</constant>, which has a PDC with a NetBIOS name
of <constant>DOMPDC</constant> and two backup domain controllers
with NetBIOS names <constant>DOMBDC1</constant> and <constant>DOMBDC2
</constant>.</para>
- <para>Firstly, you must edit your <ulink url="smb.conf.5.html"><filename>smb.conf(5)</filename>
+ <para>In order to join the domain, first stop all Samba daemons
+ and run the command:</para>
+
+ <para><prompt>root# </prompt><userinput>smbpasswd -j DOM -r DOMPDC
+ -U<replaceable>Administrator%password</replaceable></userinput></para>
+
+ <para>as we are joining the domain DOM and the PDC for that domain
+ (the only machine that has write access to the domain SAM database)
+ is DOMPDC. The <replaceable>Administrator%password</replaceable> is
+ the login name and password for an account which has the necessary
+ privilege to add machines to the domain. If this is successful
+ you will see the message:</para>
+
+ <para><computeroutput>smbpasswd: Joined domain DOM.</computeroutput>
+ </para>
+
+ <para>in your terminal window. See the <ulink url="smbpasswd.8.html">
+ smbpasswd(8)</ulink> man page for more details.</para>
+
+ <para>There is existing development code to join a domain
+ without having to create the machine trust account on the PDC
+ beforehand. This code will hopefully be available soon
+ in release branches as well.</para>
+
+ <para>This command goes through the machine account password
+ change protocol, then writes the new (random) machine account
+ password for this Samba server into a file in the same directory
+ in which an smbpasswd file would be stored - normally :</para>
+
+ <para><filename>/usr/local/samba/private</filename></para>
+
+ <para>In Samba 2.0.x, the filename looks like this:</para>
+
+ <para><filename><replaceable>&lt;NT DOMAIN NAME&gt;</replaceable>.<replaceable>&lt;Samba
+ Server Name&gt;</replaceable>.mac</filename></para>
+
+ <para>The <filename>.mac</filename> suffix stands for machine account
+ password file. So in our example above, the file would be called:</para>
+
+ <para><filename>DOM.SERV1.mac</filename></para>
+
+ <para>In Samba 2.2, this file has been replaced with a TDB
+ (Trivial Database) file named <filename>secrets.tdb</filename>.
+ </para>
+
+
+ <para>This file is created and owned by root and is not
+ readable by any other user. It is the key to the domain-level
+ security for your system, and should be treated as carefully
+ as a shadow password file.</para>
+
+ <para>Now, before restarting the Samba daemons you must
+ edit your <ulink url="smb.conf.5.html"><filename>smb.conf(5)</filename>
</ulink> file to tell Samba it should now use domain security.</para>
<para>Change (or add) your <ulink url="smb.conf.5.html#SECURITY">
<parameter>security =</parameter></ulink> line in the [global] section
of your smb.conf to read:</para>
- <para><command>security = domain</command> or
- <command>security = ads</command> depending on if the PDC is
- NT4 or running Active Directory respectivly.</para>
+ <para><command>security = domain</command></para>
<para>Next change the <ulink url="smb.conf.5.html#WORKGROUP"><parameter>
workgroup =</parameter></ulink> line in the [global] section to read: </para>
@@ -78,47 +128,11 @@
<para><command>password server = *</command></para>
- <para>This method, allows Samba to use exactly the same
- mechanism that NT does. This
+ <para>This method, which was introduced in Samba 2.0.6,
+ allows Samba to use exactly the same mechanism that NT does. This
method either broadcasts or uses a WINS database in order to
find domain controllers to authenticate against.</para>
- <para>In order to actually join the domain, you must run this
- command:</para>
-
- <para><prompt>root# </prompt><userinput>net join -S DOMPDC
- -U<replaceable>Administrator%password</replaceable></userinput></para>
-
- <para>as we are joining the domain DOM and the PDC for that domain
- (the only machine that has write access to the domain SAM database)
- is DOMPDC. The <replaceable>Administrator%password</replaceable> is
- the login name and password for an account which has the necessary
- privilege to add machines to the domain. If this is successful
- you will see the message:</para>
-
- <para><computeroutput>Joined domain DOM.</computeroutput>
- or <computeroutput>Joined 'SERV1' to realm 'MYREALM'</computeroutput>
- </para>
-
- <para>in your terminal window. See the <ulink url="net.8.html">
- net(8)</ulink> man page for more details.</para>
-
- <para>This process joins the server to thedomain
- without having to create the machine trust account on the PDC
- beforehand.</para>
-
- <para>This command goes through the machine account password
- change protocol, then writes the new (random) machine account
- password for this Samba server into a file in the same directory
- in which an smbpasswd file would be stored - normally :</para>
-
- <para><filename>/usr/local/samba/private/secrets.tdb</filename></para>
-
- <para>This file is created and owned by root and is not
- readable by any other user. It is the key to the domain-level
- security for your system, and should be treated as carefully
- as a shadow password file.</para>
-
<para>Finally, restart your Samba daemons and get ready for
clients to begin using domain security!</para>
</sect1>
@@ -130,8 +144,23 @@
<para>
Many people have asked regarding the state of Samba's ability to participate in
a Windows 2000 Domain. Samba 3.0 is able to act as a member server of a Windows
-2000 domain operating in mixed or native mode. The steps above apply
-to both NT4 and Windows 2000.
+2000 domain operating in mixed or native mode.
+</para>
+
+<para>
+There is much confusion between the circumstances that require a "mixed" mode
+Win2k DC and a when this host can be switched to "native" mode. A "mixed" mode
+Win2k domain controller is only needed if Windows NT BDCs must exist in the same
+domain. By default, a Win2k DC in "native" mode will still support
+NetBIOS and NTLMv1 for authentication of legacy clients such as Windows 9x and
+NT 4.0. Samba has the same requirements as a Windows NT 4.0 member server.
+</para>
+
+<para>
+The steps for adding a Samba 2.2 host to a Win2k domain are the same as those
+for adding a Samba server to a Windows NT 4.0 domain. The only exception is that
+the "Server Manager" from NT 4 has been replaced by the "Active Directory Users and
+Computers" MMC (Microsoft Management Console) plugin.
</para>
</sect1>
@@ -176,7 +205,13 @@ to both NT4 and Windows 2000.
<para>And finally, acting in the same manner as an NT server
authenticating to a PDC means that as part of the authentication
reply, the Samba server gets the user identification information such
- as the user SID, the list of NT groups the user belongs to, etc. </para>
+ as the user SID, the list of NT groups the user belongs to, etc. All
+ this information will allow Samba to be extended in the future into
+ a mode the developers currently call appliance mode. In this mode,
+ no local Unix users will be necessary, and Samba will generate Unix
+ uids and gids from the information passed back from the PDC when a
+ user is authenticated, making a Samba server truly plug and play
+ in an NT domain environment. Watch for this code soon.</para>
<para><emphasis>NOTE:</emphasis> Much of the text of this document
was first published in the Web magazine <ulink url="http://www.linuxworld.com">