diff options
Diffstat (limited to 'docs/docbook/projdoc/DOMAIN_MEMBER.xml')
-rw-r--r-- | docs/docbook/projdoc/DOMAIN_MEMBER.xml | 229 |
1 files changed, 207 insertions, 22 deletions
diff --git a/docs/docbook/projdoc/DOMAIN_MEMBER.xml b/docs/docbook/projdoc/DOMAIN_MEMBER.xml index de4a8510c0..ecb8a3afb3 100644 --- a/docs/docbook/projdoc/DOMAIN_MEMBER.xml +++ b/docs/docbook/projdoc/DOMAIN_MEMBER.xml @@ -1,9 +1,9 @@ <chapter id="domain-member"> <chapterinfo> + &author.jht; &author.jeremy; &author.jerry; - &author.jht; </chapterinfo> <title>Domain Membership</title> @@ -40,6 +40,44 @@ Samba-3 can join an MS Windows NT4 style domain as a native member server, an MS Active Directory Domain as a native member server, or a Samba Domain Control network. </para> +<para> +Domain membership has many advantages: +</para> + +<itemizedlist> + <listitem><para> + MS Windows workstation users get the benefit of SSO + </para></listitem> + + <listitem><para> + Domain user access rights and file ownership / access controls can be set from + the single Domain SAM (Security Accounts Management) database (works with Domain member + servers as well as with MS Windows workstations that are domain members) + </para></listitem> + + <listitem><para> + Only MS Windows NT4 / 200x / XP Professional workstations that are Domain members + can use network logon facilities + </para></listitem> + + <listitem><para> + Domain Member workstations can be better controlled through the use of Policy files + (NTConfig.POL) and Desktop Profiles. + </para></listitem> + + <listitem><para> + Through the use of logon scripts users can be given transparent access to network + applications that run off application servers + </para></listitem> + + <listitem><para> + Network administrators gain better application and user access management abilities + because there is no need to maintain user accounts on any network client or server, + other than the central Domain database (either NT4/Samba SAM style Domain, NT4 Domain + that is back ended with an LDAP directory, or via an Active Directory infrastructure) + </para></listitem> +</itemizedlist> + </sect1> <sect1> @@ -64,8 +102,8 @@ shared secret with the domain controller. </para> <para> -A Windows NT4 PDC stores each machine trust account in the Windows -Registry. The introduction of MS Windows 2000 saw the introduction of Active Directory, +A Windows NT4 PDC stores each machine trust account in the Windows Registry. +The introduction of MS Windows 2000 saw the introduction of Active Directory, the new repository for machine trust accounts. </para> @@ -103,12 +141,19 @@ as follows: </para> <para> -There are two ways to create machine trust accounts: +There are three ways to create machine trust accounts: </para> <itemizedlist> <listitem><para> - Manual creation. Both the Samba and corresponding Unix account are created by hand. + Manual creation from the Unix/Linux command line. Here, both the Samba and corresponding + Unix account are created by hand. + </para></listitem> + + <listitem><para> + Using the MS Windows NT4 Server Manager (either from an NT4 Domain member server, or using + the Nexus toolkit available from the Microsoft web site. This tool can be run from any + MS Windows machine so long as the user is logged on as the administrator account. </para></listitem> <listitem><para> @@ -200,6 +245,56 @@ the corresponding Unix account. </warning> </sect2> +<sect2> +<title>Using NT4 Server Manager to Add Machine Accounts to the Domain</title> + +<para> +If the machine from which you are trying to manage the domain is an MS Windows NT4 workstation +then the tool of choice is the package called SRVTOOLS.EXE. When executed in the target directory +this will unpack SrvMge.exe and UsrMgr.exe (both are Domain Management tools for MS Windows NT4 +workstation. +</para> + +<para> +If your workstation is any other MS Windows product you should download the Nexus.exe package +from the Microsoft web site. When executed from the target directory this will unpack the same +tools but for use on MS Windows 9x/Me/200x/XP. +</para> + +<para> +Launch the <command>srvmgr.exe</command> (Server Manager for Domains) and follow these steps: +</para> + +<procedure> +<title>Server Manager Account Machine Account Management</title> + <step><para> + From the menu select Computer + </para></step> + + <step><para> + Click on "Select Domain" + </para></step> + + <step><para> + Click on the name of the domain you wish to administer in the "Select Domain" panel + and then Click OK. + </para></step> + + <step><para> + Again from the menu select Computer + </para></step> + + <step><para> + Select "Add to Domain" + </para></step> + + <step><para> + In the dialog box, click on the radio button to "Add NT Workstation of Server", then + enter the machine name in the field provided, then Click the "Add" button. + </para></step> +</procedure> + +</sect2> <sect2> <title>"On-the-Fly" Creation of Machine Trust Accounts</title> @@ -210,13 +305,11 @@ simply to allow the Samba server to create them as needed when the client is joined to the domain. </para> -<para>Since each Samba machine trust account requires a corresponding -Unix account, a method for automatically creating the -Unix account is usually supplied; this requires configuration of the -<ulink url="smb.conf.5.html#ADDMACHINESCRIPT">add machine script</ulink> -option in <filename>smb.conf</filename>. This -method is not required, however; corresponding Unix accounts may also -be created manually. +<para>Since each Samba machine trust account requires a corresponding Unix account, a method +for automatically creating the Unix account is usually supplied; this requires configuration of the +<ulink url="smb.conf.5.html#ADDMACHINESCRIPT">add machine script</ulink> option in +<filename>smb.conf</filename>. This method is not required, however; corresponding Unix +accounts may also be created manually. </para> @@ -230,25 +323,39 @@ Below is an example for a RedHat Linux system. add machine script = /usr/sbin/useradd -d /dev/null -g 100 -s /bin/false -M %u </programlisting></para> + </sect2> -<sect2><title>Joining the Client to the Domain</title> +<sect2><title>Making an MS Windows Workstation or Server a Domain Member</title> <para> -The procedure for joining a client to the domain varies with the version of Windows. +The procedure for making an MS Windows workstation of server a member of the domain varies +with the version of Windows: </para> <itemizedlist> - <listitem><para><emphasis>Windows 2000</emphasis></para> + <listitem><para><emphasis>Windows 200x XP Professional</emphasis></para> + + <para> + When the user elects to make the client a domain member, Windows 200x prompts for + an account and password that has privileges to create machine accounts in the domain. + A Samba administrative account (i.e., a Samba account that has root privileges on the + Samba server) must be entered here; the operation will fail if an ordinary user + account is given. + </para> + + <para> + Note: For security reasons the password for this administrative account should be set + to a password that is other than that used for the root user in the + <filename>/etc/passwd</filename>. + </para> <para> - When the user elects to join the client to a domain, Windows prompts for - an account and password that is privileged to join the domain. A Samba administrative - account (i.e., a Samba account that has root privileges on the Samba server) must be - entered here; the operation will fail if an ordinary user account is given. - The password for this account should be set to a different password than the associated - <filename>/etc/passwd</filename> entry, for security reasons. + The name of the account that is used to create domain member machine accounts can be + anything the network administrator may choose. If it is other than <command>root</command> + then this is easily mapped to root using the file pointed to be the &smb.conf; parameter + <emphasis>username map =</emphasis> <command>/etc/samba/smbusers</command>. </para> <para> @@ -258,7 +365,7 @@ The procedure for joining a client to the domain varies with the version of Wind updated if it already exists. </para></listitem> - <listitem><para><emphasis>Windows NT</emphasis></para> + <listitem><para><emphasis>Windows NT4</emphasis></para> <para> If the machine trust account was created manually, on the @@ -701,6 +808,84 @@ their defaults DNS setup. Maybe fixed in service packs? </para> </sect2> +</sect1> + +<sect1> +<title>Common Errors</title> + +<para> +In the process of adding / deleting / re-adding domain member machine accounts there are +many traps for the unwary player and there are many "little" things that can go wrong. +It is particularly interesting how often subscribers on the samba mailing list have concluded +after repeated failed attempts to add a machine account that it is necessary to "re-install" +MS Windows on t he machine. In truth, it is seldom necessary to reinstall because of this type +of problem. The real solution is often very simple, and with understanding of how MS Windows +networking functions. easily overcome. +</para> + +<sect2> +<title>Can Not Add Machine Back to Domain</title> + +<para> +<emphasis>Problem:</emphasis> A Windows workstation was reinstalled. The original domain machine +account was deleted and added immediately. The workstation will not join the domain if I use +the same machine name. Attempts to add the machine fail with a message that the machine already +exists on the network - I know it doen't. Why is this failing? +</para> + +<para> +The original name is still in the NetBIOS name cache and must expire after machine account +deletion BEFORE adding that same name as a domain member again. The best advice is to delete +the old account and then to add the machine with a new name. +</para> + +</sect2> + +<sect2> +<title>Adding Machine to Domain Fails</title> + +<para> +Adding a Windows 200x or XP Professional machine to the Samba PDC Domain fails with a +message that, "The machine could not be added at this time, there is a network problem. +Please try again later." Why? +</para> + +<para> +You should check that there is an <emphasis>add machine script</emphasis> in your &smb.conf; +file. If there is not, please add one that is appropriate for your OS platform. If a script +has been defined you will need to debug it's operation. Increase the <emphasis>log level</emphasis> +in the &smb.conf; file to level 10, then try to rejoin the domain. Check the logs to see which +operation is failing. +</para> + +<para> +Possible causes include: +</para> + +<itemizedlist> + <listitem><para> + The script does not actually exist, or could not be located in the path specified. + </para> + + <para> + <emphasis>Corrective Action:</emphasis> Fix it. Make sure that when run manually + that the script will add both the Unix system account _and_ the Samba SAM account. + </para></listitem> + + <listitem><para> + The machine could not be added to the Unix system accounts file <filename>/etc/passwd</filename> + </para> + + <para> + <emphasis>Corrective Action:</emphasis> Check that the machine name is a legal Unix + system account name. ie: If the Unix utility <command>useradd</command> is called + then make sure that the machine name you are trying to add can be added using this + tool. <command>Useradd</command> on some systems will not allow any upper case characters + nor will it allow spaces in the name. + </para></listitem> +</itemizedlist> + +</sect2> </sect1> </chapter> |