Diffstat (limited to 'docs/docbook/projdoc/DOMAIN_MEMBER.xml')
-rw-r--r-- | docs/docbook/projdoc/DOMAIN_MEMBER.xml | 383 |
1 files changed, 209 insertions, 174 deletions
diff --git a/docs/docbook/projdoc/DOMAIN_MEMBER.xml b/docs/docbook/projdoc/DOMAIN_MEMBER.xml index ecb8a3afb3..0af934faab 100644 --- a/docs/docbook/projdoc/DOMAIN_MEMBER.xml +++ b/docs/docbook/projdoc/DOMAIN_MEMBER.xml 
@@ -4,40 +4,48 @@ &author.jht; &author.jeremy; &author.jerry; + +<!-- Authors of the ADS-HOWTO --> + &author.tridge; + &author.jelmer; </chapterinfo> <title>Domain Membership</title> <para> -Domain Membership is a subject of vital concern, Samba must be able to participate -as a member server in a Microsoft Domain security context, and Samba must be capable of -providing Domain machine member trust accounts, otherwise it would not be capable of offering -a viable option for many users. +Domain Membership is a subject of vital concern, Samba must be able to +participate as a member server in a Microsoft Domain security context, and +Samba must be capable of providing Domain machine member trust accounts, +otherwise it would not be capable of offering a viable option for many users. </para> <para> -This chapter covers background information pertaining to domain membership, Samba -configuration for it, and MS Windows client procedures for joining a domain. Why is -this necessary? Because both are areas in which there exists within the current MS -Windows networking world and particularly in the Unix/Linux networking and administration -world, a considerable level of mis-information, incorrect understanding, and a lack of -knowledge. Hopefully this chapter will fill the voids. +This chapter covers background information pertaining to domain membership, +Samba configuration for it, and MS Windows client procedures for joining a +domain. Why is this necessary? Because both are areas in which there exists +within the current MS Windows networking world and particularly in the +Unix/Linux networking and administration world, a considerable level of +mis-information, incorrect understanding, and a lack of knowledge. Hopefully +this chapter will fill the voids. 
</para> <sect1> <title>Features and Benefits</title> <para> -MS Windows workstations and servers that want to participate in domain security need to +MS Windows workstations and servers that want to participate in domain +security need to be made Domain members. Participating in Domain security is often called -<emphasis>Single Sign On</emphasis> or SSO for short. This chapter describes the process -that must be followed to make a workstation (or another server - be it an MS Windows NT4 / 200x +<emphasis>Single Sign On</emphasis> or <acronym>SSO</acronym> for short. This +chapter describes the process that must be followed to make a workstation +(or another server - be it an <application>MS Windows NT4 / 200x</application> server) or a Samba server a member of an MS Windows Domain security context. </para> <para> -Samba-3 can join an MS Windows NT4 style domain as a native member server, an MS Windows -Active Directory Domain as a native member server, or a Samba Domain Control network. +Samba-3 can join an MS Windows NT4 style domain as a native member server, an +MS Windows Active Directory Domain as a native member server, or a Samba Domain +Control network. </para> <para> 
@@ -50,31 +58,34 @@ Domain membership has many advantages: </para></listitem> <listitem><para> - Domain user access rights and file ownership / access controls can be set from - the single Domain SAM (Security Accounts Management) database (works with Domain member - servers as well as with MS Windows workstations that are domain members) + Domain user access rights and file ownership / access controls can be set + from the single Domain SAM (Security Account Manager) database + (works with Domain member servers as well as with MS Windows workstations + that are domain members) </para></listitem> <listitem><para> - Only MS Windows NT4 / 200x / XP Professional workstations that are Domain members + Only <application>MS Windows NT4 / 200x / XP Professional</application> + workstations that are Domain members can use network logon facilities </para></listitem> <listitem><para> - Domain Member workstations can be better controlled through the use of Policy files - (NTConfig.POL) and Desktop Profiles. + Domain Member workstations can be better controlled through the use of + Policy files (<filename>NTConfig.POL</filename>) and Desktop Profiles. 
</para></listitem> <listitem><para> - Through the use of logon scripts users can be given transparent access to network + Through the use of logon scripts, users can be given transparent access to network applications that run off application servers </para></listitem> <listitem><para> - Network administrators gain better application and user access management abilities - because there is no need to maintain user accounts on any network client or server, - other than the central Domain database (either NT4/Samba SAM style Domain, NT4 Domain - that is back ended with an LDAP directory, or via an Active Directory infrastructure) + Network administrators gain better application and user access management + abilities because there is no need to maintain user accounts on any network + client or server, other than the central Domain database + (either NT4/Samba SAM style Domain, NT4 Domain that is back ended with an + LDAP directory, or via an Active Directory infrastructure) </para></listitem> </itemizedlist> @@ -84,7 +95,8 @@ Domain membership has many advantages: <title>MS Windows Workstation/Server Machine Trust Accounts</title> <para> -A machine trust account is an account that is used to authenticate a client machine +A machine trust account is an account that is used to authenticate a client +machine (rather than a user) to the Domain Controller server. In Windows terminology, this is known as a "Computer Account." </para> 
@@ -113,10 +125,10 @@ as follows: <itemizedlist> <listitem><para> - A Domain Security Account (stored in the <emphasis>passdb backend</emphasis> - that has been configured in the &smb.conf; file. The precise nature of the - account information that is stored depends on the type of backend database - that has been chosen. + A Domain Security Account (stored in the + <parameter>passdb backend</parameter> that has been configured in the + &smb.conf; file. The precise nature of the account information that is + stored depends on the type of backend database that has been chosen. </para> <para> @@ -127,15 +139,17 @@ as follows: </para> <para> - The two newer database types are called <emphasis>ldapsam, tdbsam</emphasis>. - Both store considerably more data than the older <filename>smbpasswd</filename> - file did. The extra information enables new user account controls to be used. + The two newer database types are called <emphasis>ldapsam</emphasis>, + <emphasis>tdbsam</emphasis>. Both store considerably more data than the + older <filename>smbpasswd</filename> file did. The extra information + enables new user account controls to be used. </para></listitem> <listitem><para> - A corresponding Unix account, typically stored in <filename>/etc/passwd</filename>. - Work is in progress to allow a simplified mode of operation that does not require - Unix user accounts, but this may not be a feature of the early releases of Samba-3. + A corresponding Unix account, typically stored in + <filename>/etc/passwd</filename>. Work is in progress to allow a + simplified mode of operation that does not require Unix user accounts, but + this may not be a feature of the early releases of Samba-3. </para></listitem> </itemizedlist> </para> 
@@ -146,20 +160,22 @@ There are three ways to create machine trust accounts: <itemizedlist> <listitem><para> - Manual creation from the Unix/Linux command line. Here, both the Samba and corresponding - Unix account are created by hand. + Manual creation from the Unix/Linux command line. Here, both the Samba and + corresponding Unix account are created by hand. </para></listitem> <listitem><para> - Using the MS Windows NT4 Server Manager (either from an NT4 Domain member server, or using - the Nexus toolkit available from the Microsoft web site. This tool can be run from any - MS Windows machine so long as the user is logged on as the administrator account. + Using the MS Windows NT4 Server Manager (either from an NT4 Domain member + server, or using the Nexus toolkit available from the Microsoft web site. + This tool can be run from any MS Windows machine so long as the user is + logged on as the administrator account. </para></listitem> <listitem><para> - "On-the-fly" creation. The Samba machine trust account is automatically created by - Samba at the time the client is joined to the domain. (For security, this is the - recommended method.) The corresponding Unix account may be created automatically or manually. + "On-the-fly" creation. The Samba machine trust account is automatically + created by Samba at the time the client is joined to the domain. + (For security, this is the recommended method.) The corresponding Unix + account may be created automatically or manually. </para></listitem> </itemizedlist> 
@@ -167,26 +183,26 @@ There are three ways to create machine trust accounts: <title>Manual Creation of Machine Trust Accounts</title> <para> -The first step in manually creating a machine trust account is to manually create the -corresponding Unix account in <filename>/etc/passwd</filename>. This can be done using -<command>vipw</command> or other 'add user' command that is normally used to create new -Unix accounts. The following is an example for a Linux based Samba server: +The first step in manually creating a machine trust account is to manually +create the corresponding Unix account in <filename>/etc/passwd</filename>. +This can be done using <command>vipw</command> or another 'add user' command +that is normally used to create new Unix accounts. The following is an example for a Linux based Samba server: </para> <para> -<prompt>root# </prompt><command>/usr/sbin/useradd -g 100 -d /dev/null -c <replaceable>"machine nickname"</replaceable> -s /bin/false <replaceable>machine_name</replaceable>$ </command> +&rootprompt;<userinput>/usr/sbin/useradd -g 100 -d /dev/null -c <replaceable>"machine nickname"</replaceable> -s /bin/false <replaceable>machine_name</replaceable>$ </userinput> </para> <para> -<prompt>root# </prompt><command>passwd -l <replaceable>machine_name</replaceable>$</command> +&rootprompt;<userinput>passwd -l <replaceable>machine_name</replaceable>$</userinput> </para> <para> -On *BSD systems, this can be done using the 'chpass' utility: +On *BSD systems, this can be done using the <command>chpass</command> utility: </para> <para> -<prompt>root# </prompt><command>chpass -a "<replaceable>machine_name</replaceable>$:*:101:100::0:0:Workstation <replaceable>machine_name</replaceable>:/dev/null:/sbin/nologin"</command> +&rootprompt;<userinput>chpass -a "<replaceable>machine_name</replaceable>$:*:101:100::0:0:Workstation <replaceable>machine_name</replaceable>:/dev/null:/sbin/nologin"</userinput> </para> <para> 
@@ -196,9 +212,9 @@ home directory. For example a machine named 'doppy' would have an <filename>/etc/passwd</filename> entry like this: </para> -<para> +<programlisting> doppy$:x:505:501:<replaceable>machine_nickname</replaceable>:/dev/null:/bin/false -</para> +</programlisting> <para> Above, <replaceable>machine_nickname</replaceable> can be any @@ -218,9 +234,9 @@ as shown here: </para> <para> -<programlisting> -<prompt>root# </prompt><userinput>smbpasswd -a -m <replaceable>machine_name</replaceable></userinput> -</programlisting> +<screen> +&rootprompt;<userinput>smbpasswd -a -m <replaceable>machine_name</replaceable></userinput> +</screen> </para> <para> @@ -235,11 +251,11 @@ the corresponding Unix account. <para> Manually creating a machine trust account using this method is the equivalent of creating a machine trust account on a Windows NT PDC using - the "Server Manager". From the time at which the account is created - to the time which the client joins the domain and changes the password, - your domain is vulnerable to an intruder joining your domain using - a machine with the same NetBIOS name. A PDC inherently trusts - members of the domain and will serve out a large degree of user + the <application>Server Manager</application>. From the time at which the + account is created to the time which the client joins the domain and + changes the password, your domain is vulnerable to an intruder joining + your domain using a machine with the same NetBIOS name. A PDC inherently + trusts members of the domain and will serve out a large degree of user information to such clients. You have been warned! </para> </warning> 
@@ -249,16 +265,19 @@ the corresponding Unix account. <title>Using NT4 Server Manager to Add Machine Accounts to the Domain</title> <para> -If the machine from which you are trying to manage the domain is an MS Windows NT4 workstation -then the tool of choice is the package called SRVTOOLS.EXE. When executed in the target directory -this will unpack SrvMge.exe and UsrMgr.exe (both are Domain Management tools for MS Windows NT4 -workstation. +If the machine from which you are trying to manage the domain is an +<application>MS Windows NT4 workstation</application> +then the tool of choice is the package called <command>SRVTOOLS.EXE</command>. +When executed in the target directory this will unpack +<command>SrvMge.exe</command> and <command>UsrMgr.exe</command> (both are +Domain Management tools for MS Windows NT4 workstation. </para> <para> -If your workstation is any other MS Windows product you should download the Nexus.exe package -from the Microsoft web site. When executed from the target directory this will unpack the same -tools but for use on MS Windows 9x/Me/200x/XP. +If your workstation is any other MS Windows product you should download the +<command>Nexus.exe</command> package from the Microsoft web site. When executed +from the target directory this will unpack the same tools but for use on +<application>MS Windows 9x/Me/200x/XP</application>. </para> <para> 
@@ -268,29 +287,32 @@ Launch the <command>srvmgr.exe</command> (Server Manager for Domains) and follow <procedure> <title>Server Manager Account Machine Account Management</title> <step><para> - From the menu select Computer + From the menu select <guimenu>Computer</guimenu> </para></step> <step><para> - Click on "Select Domain" + Click on <guimenuitem>Select Domain</guimenuitem> </para></step> <step><para> - Click on the name of the domain you wish to administer in the "Select Domain" panel - and then Click OK. + Click on the name of the domain you wish to administer in the + <guilabel>Select Domain</guilabel> panel and then click + <guibutton>OK</guibutton>. </para></step> <step><para> - Again from the menu select Computer + Again from the menu select <guimenu>Computer</guimenu> </para></step> <step><para> - Select "Add to Domain" + Select <guimenuitem>Add to Domain</guimenuitem> </para></step> <step><para> - In the dialog box, click on the radio button to "Add NT Workstation of Server", then - enter the machine name in the field provided, then Click the "Add" button. + In the dialog box, click on the radio button to + <guilabel>Add NT Workstation of Server</guilabel>, then + enter the machine name in the field provided, then click the + <guibutton>Add</guibutton> button. </para></step> </procedure> @@ -334,8 +356,8 @@ The procedure for making an MS Windows workstation of server a member of the dom with the version of Windows: </para> -<itemizedlist> - <listitem><para><emphasis>Windows 200x XP Professional</emphasis></para> +<sect3> + <title>Windows 200x XP Professional</title> <para> When the user elects to make the client a domain member, Windows 200x prompts for 
@@ -353,9 +375,9 @@ with the version of Windows: <para> The name of the account that is used to create domain member machine accounts can be - anything the network administrator may choose. If it is other than <command>root</command> + anything the network administrator may choose. If it is other than <emphasis>root</emphasis> then this is easily mapped to root using the file pointed to be the &smb.conf; parameter - <emphasis>username map =</emphasis> <command>/etc/samba/smbusers</command>. + <parameter>username map = /etc/samba/smbusers</parameter>. </para> <para> 
@@ -363,73 +385,84 @@ with the version of Windows: encryption key for setting the password of the machine trust account. The machine trust account will be created on-the-fly, or updated if it already exists. - </para></listitem> + </para> +</sect3> - <listitem><para><emphasis>Windows NT4</emphasis></para> +<sect3> + <title>Windows NT4</title> <para> If the machine trust account was created manually, on the Identification Changes menu enter the domain name, but do not - check the box "Create a Computer Account in the Domain." In this case, - the existing machine trust account is used to join the machine to - the domain. + check the box <guilabel>Create a Computer Account in the Domain</guilabel>. + In this case, the existing machine trust account is used to join the machine + to the domain. </para> <para> If the machine trust account is to be created on-the-fly, on the Identification Changes menu enter the domain - name, and check the box "Create a Computer Account in the Domain." In - this case, joining the domain proceeds as above for Windows 2000 - (i.e., you must supply a Samba administrative account when + name, and check the box <guilabel>Create a Computer Account in the + Domain</guilabel>. In this case, joining the domain proceeds as above + for Windows 2000 (i.e., you must supply a Samba administrative account when prompted). - </para></listitem> + </para> +</sect3> - <listitem><para><emphasis>Samba</emphasis></para> - <para>Joining a samba client to a domain is documented in - the <link linkend="domain-member">Domain Member</link> chapter. - </para></listitem> -</itemizedlist> +<sect3> + <title>Samba</title> + + <para>Joining a Samba client to a domain is documented in + the <link linkend="domain-member-server">Domain Member Server</link> section of this chapter chapter. 
+ </para> +</sect3> </sect2> </sect1> -<sect1> +<sect1 id="domain-member-server"> <title>Domain Member Server</title> <para> -This mode of server operation involves the samba machine being made a member -of a domain security context. This means by definition that all user authentication -will be done from a centrally defined authentication regime. The authentication -regime may come from an NT3/4 style (old domain technology) server, or it may be -provided from an Active Directory server (ADS) running on MS Windows 2000 or later. +This mode of server operation involves the Samba machine being made a member +of a domain security context. This means by definition that all user +authentication will be done from a centrally defined authentication regime. +The authentication regime may come from an NT3/4 style (old domain technology) +server, or it may be provided from an Active Directory server (ADS) running on +MS Windows 2000 or later. </para> <para> <emphasis> -Of course it should be clear that the authentication back end itself could be from any -distributed directory architecture server that is supported by Samba. This can be -LDAP (from OpenLDAP), or Sun's iPlanet, of NetWare Directory Server, etc. +Of course it should be clear that the authentication back end itself could be +from any distributed directory architecture server that is supported by Samba. +This can be LDAP (from OpenLDAP), or Sun's iPlanet, of NetWare Directory +Server, etc. </emphasis> </para> <para> -Please refer to the section on Howto configure Samba as a Primary Domain Controller -and for more information regarding how to create a domain machine account for a -domain member server as well as for information regarding how to enable the samba -domain member machine to join the domain and to be fully trusted by it. 
+Please refer to the <link linkend="samba-pdc">Domain Control chapter</link> +for more information regarding how to create a domain +machine account for a domain member server as well as for information +regarding how to enable the Samba domain member machine to join the domain and +to be fully trusted by it. </para> <sect2> <title>Joining an NT4 type Domain with Samba-3</title> <para> -<emphasis>Assumptions:</emphasis> -<programlisting> - NetBIOS name: SERV1 - Win2K/NT domain name: DOM - Domain's PDC NetBIOS name: DOMPDC - Domain's BDC NetBIOS names: DOMBDC1 and DOMBDC2 -</programlisting> + <table frame="all"><title>Assumptions</title> +<tgroup align="left" cols="2"> + <tbody> + <row><entry>NetBIOS name:</entry><entry>SERV1</entry></row> + <row><entry>Win2K/NT domain name:</entry><entry>DOM</entry></row> + <row><entry>Domain's PDC NetBIOS name:</entry><entry>DOMPDC</entry></row> + <row><entry>Domain's BDC NetBIOS names:</entry><entry>DOMBDC1 and DOMBDC2</entry></row> +</tbody> +</tgroup> +</table> </para> <para> @@ -439,24 +472,25 @@ now use domain security. <para> Change (or add) your <ulink url="smb.conf.5.html#SECURITY"> -<parameter>security =</parameter></ulink> line in the [global] section +<parameter>security</parameter></ulink> line in the [global] section of your &smb.conf; to read: </para> <para> <programlisting> - <command>security = domain</command> +security = domain </programlisting> </para> <para> Next change the <ulink url="smb.conf.5.html#WORKGROUP"><parameter> -workgroup =</parameter></ulink> line in the [global] section to read: +workgroup</parameter></ulink> line in the <parameter>[global]</parameter> +section to read: </para> <para> <programlisting> - <command>workgroup = DOM</command> +workgroup = DOM </programlisting> </para> 
@@ -472,13 +506,13 @@ You must also have the parameter <ulink url="smb.conf.5.html#ENCRYPTPASSWORDS"> <para> Finally, add (or modify) a <ulink url="smb.conf.5.html#PASSWORDSERVER"> -<parameter>password server =</parameter></ulink> line in the [global] +<parameter>password server</parameter></ulink> line in the [global] section to read: </para> <para> <programlisting> - <command>password server = DOMPDC DOMBDC1 DOMBDC2</command> +password server = DOMPDC DOMBDC1 DOMBDC2 </programlisting> </para> @@ -498,12 +532,12 @@ set this line to be: <para> <programlisting> - <command>password server = *</command> +password server = * </programlisting> </para> <para> -This method, allows Samba to use exactly the same mechanism that NT does. This +This method allows Samba to use exactly the same mechanism that NT does. This method either broadcasts or uses a WINS database in order to find domain controllers to authenticate against. </para> 
@@ -513,20 +547,21 @@ In order to actually join the domain, you must run this command: </para> <para> -<programlisting> - <prompt>root# </prompt><userinput>net join -S DOMPDC -U<replaceable>Administrator%password</replaceable></userinput> -</programlisting> +<screen> +<prompt>root# </prompt><userinput>net join -S DOMPDC -U<replaceable>Administrator%password</replaceable></userinput> +</screen> </para> <para> -If the <userinput>-S DOMPDC</userinput> argument is not given then -the domain name will be obtained from smb.conf. +If the <option>-S DOMPDC</option> argument is not given then +the domain name will be obtained from &smb.conf;. </para> <para> As we are joining the domain DOM and the PDC for that domain (the only machine that has write access to the domain SAM database) -is DOMPDC. The <replaceable>Administrator%password</replaceable> is +is DOMPDC, we use it for the <option>-S</option> option. +The <replaceable>Administrator%password</replaceable> is the login name and password for an account which has the necessary privilege to add machines to the domain. If this is successful you will see the message: @@ -551,7 +586,7 @@ trust account on the PDC beforehand. This command goes through the machine account password change protocol, then writes the new (random) machine account password for this Samba server into a file in the same directory -in which an smbpasswd file would be stored - normally : +in which an smbpasswd file would be stored - normally: </para> <para> @@ -588,8 +623,8 @@ NT server in the same way as a Windows 95 or Windows 98 server would. </para> <para> -Please refer to the <ulink url="winbind.html">Winbind -paper</ulink> for information on a system to automatically +Please refer to the <link linkend="winbind">Winbind</link> chapter +for information on a system to automatically assign UNIX uids and gids to Windows NT Domain users and groups. </para> 
@@ -604,11 +639,11 @@ domain PDC to an account domain PDC). </para> <para> -In addition, with <command>security = server</command> every Samba +In addition, with <parameter>security = server</parameter> every Samba daemon on a server has to keep a connection open to the authenticating server for as long as that daemon lasts. This can drain the connection resources on a Microsoft NT server and cause it to run -out of available connections. With <command>security = domain</command>, +out of available connections. With <parameter>security = domain</parameter>, however, the Samba daemons connect to the PDC/BDC only for as long as is necessary to authenticate the user, and then drop the connection, thus conserving PDC connection resources. @@ -624,8 +659,8 @@ as the user SID, the list of NT groups the user belongs to, etc. <note> <para> Much of the text of this document -was first published in the Web magazine <ulink url="http://www.linuxworld.com"> -LinuxWorld</ulink> as the article <ulink +was first published in the Web magazine +<ulink url="http://www.linuxworld.com">LinuxWorld</ulink> as the article <ulink url="http://www.linuxworld.com/linuxworld/lw-1998-10/lw-10-samba.html">Doing the NIS/NT Samba</ulink>. </para> @@ -634,19 +669,19 @@ the NIS/NT Samba</ulink>. </sect2> </sect1> -<sect1> +<sect1 id="ads-member"> <title>Samba ADS Domain Membership</title> <para> -This is a rough guide to setting up Samba 3.0 with kerberos authentication against a -Windows2000 KDC. +This is a rough guide to setting up Samba 3.0 with Kerberos authentication against a +Windows2000 KDC. A familiarity with Kerberos is assumed. </para> <sect2> <title>Setup your <filename>smb.conf</filename></title> <para> -You must use at least the following 3 options in smb.conf: +You must use at least the following 3 options in &smb.conf;: </para> <para><programlisting> 
@@ -657,17 +692,18 @@ You must use at least the following 3 options in smb.conf: <para> In case samba can't figure out your ads server using your realm name, use the -<command>ads server</command> option in <filename>smb.conf</filename>: +<parameter>ads server</parameter> option in <filename>smb.conf</filename>: <programlisting> ads server = your.kerberos.server </programlisting> </para> <note><para> -You do *not* need a smbpasswd file, and older clients will be authenticated as if -<command>security = domain</command>, although it won't do any harm and allows you -to have local users not in the domain. I expect that the above required options will -change soon when we get better active directory integration. +You do <emphasis>not</emphasis> need a smbpasswd file, and older clients will be authenticated as +if <parameter>security = domain</parameter>, although it won't do any harm and +allows you to have local users not in the domain. It is expected that the above +required options will change soon when active directory integration will get +better. </para></note> </sect2> @@ -676,14 +712,13 @@ change soon when we get better active directory integration. <title>Setup your <filename>/etc/krb5.conf</filename></title> <para> -Note: you will need the krb5 workstation, devel, and libs installed -</para> - -<para> The minimal configuration for <filename>krb5.conf</filename> is: </para> <para><programlisting> + [libdefaults] + default_realm = YOUR.KERBEROS.REALM + [realms] YOUR.KERBEROS.REALM = { kdc = your.kerberos.server 
@@ -697,37 +732,37 @@ making sure that your password is accepted by the Win2000 KDC. </para> <note><para> -The realm must be uppercase or you will get "Cannot find KDC for requested -realm while getting initial credentials" error +The realm must be uppercase or you will get <errorname>Cannot find KDC for +requested realm while getting initial credentials</errorname> error. </para></note> <note><para> Time between the two servers must be synchronized. You will get a -"kinit(v5): Clock skew too great while getting initial credentials" if the time -difference is more than five minutes. +<errorname>kinit(v5): Clock skew too great while getting initial credentials</errorname> +if the time difference is more than five minutes. </para></note> <para> You also must ensure that you can do a reverse DNS lookup on the IP address of your KDC. Also, the name that this reverse lookup maps to -must either be the netbios name of the KDC (ie. the hostname with no -domain attached) or it can alternatively be the netbios name +must either be the NetBIOS name of the KDC (ie. the hostname with no +domain attached) or it can alternatively be the NetBIOS name followed by the realm. </para> <para> The easiest way to ensure you get this right is to add a <filename>/etc/hosts</filename> entry mapping the IP address of your KDC to -its netbios name. If you don't get this right then you will get a -"local error" when you try to join the realm. +its NetBIOS name. If you don't get this right then you will get a +<errorname>local error</errorname> when you try to join the realm. </para> <para> -If all you want is kerberos support in &smbclient; then you can skip +If all you want is Kerberos support in &smbclient; then you can skip straight to <link linkend="ads-test-smbclient">Test with &smbclient;</link> now. 
<link linkend="ads-create-machine-account">Creating a computer account</link> and <link linkend="ads-test-server">testing your servers</link> -is only needed if you want kerberos support for &smbd; and &winbindd;. +is only needed if you want Kerberos support for &smbd; and &winbindd;. </para> </sect2> @@ -739,7 +774,7 @@ is only needed if you want kerberos support for &smbd; and &winbindd;. As a user that has write permission on the Samba private directory (usually root) run: <programlisting> - <userinput>net join -U Administrator%password</userinput> + &rootprompt;<userinput>net join -U Administrator%password</userinput> </programlisting> </para> @@ -748,12 +783,12 @@ As a user that has write permission on the Samba private directory <para> <variablelist> - <varlistentry><term>"ADS support not compiled in"</term> + <varlistentry><term><errorname>ADS support not compiled in</errorname></term> <listitem><para>Samba must be reconfigured (remove config.cache) and recompiled - (make clean all install) after the kerberos libs and headers are installed. + (make clean all install) after the Kerberos libs and headers are installed. </para></listitem></varlistentry> - <varlistentry><term>net join prompts for user name</term> + <varlistentry><term><errorname>net join prompts for user name</errorname></term> <listitem><para>You need to login to the domain using <userinput>kinit <replaceable>USERNAME</replaceable>@<replaceable>REALM</replaceable></userinput>. <replaceable>USERNAME</replaceable> must be a user who has rights to add a machine @@ -776,7 +811,7 @@ folder under Users and Computers. <para> On a Windows 2000 client try <userinput>net use * \\server\share</userinput>. You should -be logged in with kerberos without needing to know a password. If +be logged in with Kerberos without needing to know a password. If this fails then run <userinput>klist tickets</userinput>. Did you get a ticket for the server? Does it have an encoding type of DES-CBC-MD5 ? </para> 
@@ -788,8 +823,8 @@ server? Does it have an encoding type of DES-CBC-MD5 ? <para> On your Samba server try to login to a Win2000 server or your Samba -server using &smbclient; and kerberos. Use &smbclient; as usual, but -specify the <parameter>-k</parameter> option to choose kerberos authentication. +server using &smbclient; and Kerberos. Use &smbclient; as usual, but +specify the <parameter>-k</parameter> option to choose Kerberos authentication. </para> </sect2> @@ -803,7 +838,7 @@ install, to create the right encoding types </para> <para> -w2k doesn't seem to create the _kerberos._udp and _ldap._tcp in +W2k doesn't seem to create the _kerberos._udp and _ldap._tcp in their defaults DNS setup. Maybe fixed in service packs? </para> @@ -815,7 +850,7 @@ their defaults DNS setup. Maybe fixed in service packs? <para> In the process of adding / deleting / re-adding domain member machine accounts there are -many traps for the unwary player and there are many "little" things that can go wrong. +many traps for the unwary player and there are many <quote>little</quote> things that can go wrong. It is particularly interesting how often subscribers on the samba mailing list have concluded after repeated failed attempts to add a machine account that it is necessary to "re-install" MS Windows on t he machine. In truth, it is seldom necessary to reinstall because of this type @@ -830,7 +865,7 @@ networking functions. easily overcome. <emphasis>Problem:</emphasis> A Windows workstation was reinstalled. The original domain machine account was deleted and added immediately. The workstation will not join the domain if I use the same machine name. Attempts to add the machine fail with a message that the machine already -exists on the network - I know it doen't. Why is this failing? +exists on the network - I know it doesn't. Why is this failing? </para> <para> 
@@ -846,14 +881,14 @@ the old account and then to add the machine with a new name. <para> Adding a Windows 200x or XP Professional machine to the Samba PDC Domain fails with a -message that, "The machine could not be added at this time, there is a network problem. -Please try again later." Why? +message that, <errorname>The machine could not be added at this time, there is a network problem. +Please try again later.</errorname> Why? </para> <para> -You should check that there is an <emphasis>add machine script</emphasis> in your &smb.conf; +You should check that there is an <parameter>add machine script</parameter> in your &smb.conf; file. If there is not, please add one that is appropriate for your OS platform. If a script -has been defined you will need to debug it's operation. Increase the <emphasis>log level</emphasis> +has been defined you will need to debug it's operation. Increase the <parameter>log level</parameter> in the &smb.conf; file to level 10, then try to rejoin the domain. Check the logs to see which operation is failing. </para> |
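Review bot: in hunk @@ -113,10 +125,10 @@ the reflowed list item opens a parenthesis that is never closed: `A Domain Security Account (stored in the <parameter>passdb backend</parameter> that has been configured in the &smb.conf; file.` Since these lines are rewritten anyway, close it after `&smb.conf; file)` or drop the parenthesis.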
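Review bot: in hunk @@ -146,20 +160,22 @@ the second list item has the same unbalanced parenthesis: `Using the MS Windows NT4 Server Manager (either from an NT4 Domain member server, or using the Nexus toolkit available from the Microsoft web site.` The closing paren belongs after `web site`.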
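Review bot: in hunk @@ -167,26 +183,26 @@ the last line of the reflowed paragraph, `that is normally used to create new Unix accounts. The following is an example for a Linux based Samba server:`, is left unwrapped while the rest of the hunk is rewrapped to about 80 columns; wrap it like the others.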
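Review bot: in hunk @@ -249,16 +265,19 @@ the misspelling `SrvMge.exe` is carried over and now wrapped in `<command>`, which makes it more prominent; the tool launched in the following paragraph is `srvmgr.exe`, so this should read `SrvMgr.exe`. The same hunk also leaves the parenthetical `(both are Domain Management tools for MS Windows NT4 workstation.` unclosed.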
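Review bot: in hunk @@ -268,29 +287,32 @@ the new GUI markup `<guilabel>Add NT Workstation of Server</guilabel>` preserves the "of Server" typo; since `<guilabel>` is meant to quote the dialog text exactly, it should be "or Server". The unchanged context line of the next hunk, `The procedure for making an MS Windows workstation of server a member of the dom`, has the same slip and could be fixed while the list below it is being converted to `<sect3>`.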
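Review bot: in hunk @@ -353,9 +375,9 @@ the context line `then this is easily mapped to root using the file pointed to be the &smb.conf; parameter` should read "pointed to by"; the line is adjacent to the changed `<parameter>username map = /etc/samba/smbusers</parameter>` and could be taken in the same hunk.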
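Review bot: in hunk @@ -363,73 +385,84 @@ the new Samba `<sect3>` reads `section of this chapter chapter.`, a duplicated word. The `<link linkend="domain-member-server">` target is defined in this same hunk, but the new `<link linkend="samba-pdc">` points outside this file; please confirm the Domain Control chapter actually carries `id="samba-pdc"`, otherwise the build will fail on an unresolved link.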
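Review bot: in hunk @@ -513,20 +547,21 @@ the new `<screen>` block keeps `<prompt>root# </prompt><userinput>net join -S DOMPDC ...` while the useradd, passwd, chpass and smbpasswd examples converted earlier in this patch use `&rootprompt;`; use the entity here too so all prompts render the same.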
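Review bot: in hunk @@ -676,14 +712,13 @@ the removed paragraph `Note: you will need the krb5 workstation, devel, and libs installed` was the only statement of the Kerberos prerequisite in this section, and the later troubleshooting entry (`after the Kerberos libs and headers are installed`) still assumes the reader knows it. Keep the requirement, perhaps as a `<note>`, rather than deleting it outright.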
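Review bot: in hunk @@ -739,7 +774,7 @@ the example `&rootprompt;<userinput>net join -U Administrator%password</userinput>` stays inside `<programlisting>`, whereas the equivalent `net join` example earlier in the patch was moved to `<screen>`; use `<screen>` here for consistency.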
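Review bot: in hunk @@ -815,7 +850,7 @@ the unchanged context line `to "re-install" MS Windows on t he machine` still has the broken "t he" and a bare quoted word, while the hunk converts the neighbouring `"little"` to `<quote>little</quote>`; fix both in the same hunk.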
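Review bot: in hunk @@ -846,14 +881,14 @@ the changed line `has been defined you will need to debug it's operation. Increase the <parameter>log level</parameter>` should use "its", not "it's"; the line is already being touched for the `<parameter>` markup.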