Diffstat (limited to 'docs/docbook/projdoc/Samba-PDC-HOWTO.sgml')
-rw-r--r--  docs/docbook/projdoc/Samba-PDC-HOWTO.sgml  188
1 files changed, 116 insertions, 72 deletions
diff --git a/docs/docbook/projdoc/Samba-PDC-HOWTO.sgml b/docs/docbook/projdoc/Samba-PDC-HOWTO.sgml index 7cf3e5735c..53dae21775 100644 --- a/docs/docbook/projdoc/Samba-PDC-HOWTO.sgml +++ b/docs/docbook/projdoc/Samba-PDC-HOWTO.sgml @@ -13,13 +13,18 @@ <orgname>Samba Team</orgname> <address><email>dbannon@samba.org</email></address> </affiliation> + <firstname>John H</firstname><surname>Terpstra</surname> + <affiliation> + <orgname>Samba Team</orgname> + <address><email>jht@samba.org</email></address> + </affiliation> </author> <pubdate> (26 Apr 2001) </pubdate> </chapterinfo> <title> -How to Configure Samba as a NT4 Primary Domain Controller +Samba as an NT4 or Win2k Primary Domain Controller </title> @@ -37,8 +42,7 @@ that you are comfortable with configuring basic files services in smb.conf and how to enable and administer password encryption in Samba. Theses two topics are covered in the <ulink url="smb.conf.5.html"><filename>smb.conf(5)</filename></ulink> -manpage and the <ulink url="ENCRYPTION.html">Encryption chapter</ulink> -of this HOWTO Collection. +manpage. </para> 
@@ -56,46 +60,28 @@ of this HOWTO Collection. Background </title> -<note> <para> -<emphasis>Author's Note:</emphasis> This document is a combination -of David Bannon's "Samba 2.2 PDC HOWTO" and "Samba NT Domain FAQ". -Both documents are superseded by this one. -</para> -</note> - -<para> -Versions of Samba prior to release 2.2 had marginal capabilities to act -as a Windows NT 4.0 Primary Domain Controller -<indexterm><primary>Primary Domain Controller</primary></indexterm> -(PDC). With Samba 2.2.0, we are proud to announce official support for -Windows NT 4.0-style domain logons from Windows NT 4.0 and Windows -2000 clients. This article outlines the steps -necessary for configuring Samba as a PDC. It is necessary to have a -working Samba server prior to implementing the PDC functionality. If -you have not followed the steps outlined in <ulink -url="UNIX_INSTALL.html"> UNIX_INSTALL.html</ulink>, please make sure -that your server is configured correctly before proceeding. Another -good resource in the <ulink url="smb.conf.5.html">smb.conf(5) man -page</ulink>. The following functionality should work in 2.2: +This article outlines the steps necessary for configuring Samba as a PDC. +It is necessary to have a working Samba server prior to implementing the +PDC functionality. </para> <itemizedlist> <listitem><para> - domain logons for Windows NT 4.0/2000 clients. + domain logons for Windows NT 4.0 / 200x / XP Professional clients. </para></listitem> <listitem><para> - placing a Windows 9x client in user level security + placing Windows 9x / Me clients in user level security </para></listitem> <listitem><para> retrieving a list of users and groups from a Samba PDC to - Windows 9x/NT/2000 clients + Windows 9x / Me / NT / 200x / XP Professional clients </para></listitem> <listitem><para> - roving (roaming) user profiles + roaming user profiles </para></listitem> <listitem><para> 
@@ -105,7 +91,7 @@ page</ulink>. The following functionality should work in 2.2: <para> -The following pieces of functionality are not included in the 2.2 release: +The following functionalities are new to the Samba 3.0 release: </para> <itemizedlist> 
@@ -114,42 +100,56 @@ The following pieces of functionality are not included in the 2.2 release: </para></listitem> <listitem><para> + Adding users via the User Manager for Domains + </para></listitem> +</itemizedlist> + +<para> +The following functionalities are NOT provided by Samba 3.0: +</para> + +<itemizedlist> + <listitem><para> SAM replication with Windows NT 4.0 Domain Controllers (i.e. a Samba PDC and a Windows NT BDC or vice versa) </para></listitem> <listitem><para> - Adding users via the User Manager for Domains - </para></listitem> - - <listitem><para> Acting as a Windows 2000 Domain Controller (i.e. Kerberos and Active Directory) </para></listitem> </itemizedlist> <para> -Please note that Windows 9x clients are not true members of a domain +Please note that Windows 9x / Me / XP Home clients are not true members of a domain for reasons outlined in this article. Therefore the protocol for support Windows 9x-style domain logons is completely different -from NT4 domain logons and has been officially supported for some +from NT4 / Win2k type domain logons and has been officially supported for some time. </para> +<para><emphasis> +MS Windows XP Home edition is NOT able to join a domain and does not permit +the use of domain logons.</emphasis> +</para> + <para> -Implementing a Samba PDC can basically be divided into 2 broad +Implementing a Samba PDC can basically be divided into 3 broad steps. </para> -<orderedlist numeration="Arabic"> +<orderedlist numeration="arabic"> <listitem><para> Configuring the Samba PDC </para></listitem> <listitem><para> - Creating machine trust accounts and joining clients - to the domain + Creating machine trust accounts and joining clients to the domain + </para></listitem> + + <listitem><para> + Adding and managing domain user accounts </para></listitem> </orderedlist> 
@@ -157,7 +157,7 @@ steps. There are other minor details such as user profiles, system policies, etc... However, these are not necessarily specific to a Samba PDC as much as they are related to Windows NT networking -concepts. They will be mentioned only briefly here. +concepts. </para> </sect1> @@ -174,11 +174,10 @@ concepts. They will be mentioned only briefly here. <para> The first step in creating a working Samba PDC is to -understand the parameters necessary in smb.conf. I will not -attempt to re-explain the parameters here as they are more that -adequately covered in <ulink url="smb.conf.5.html"> the smb.conf -man page</ulink>. For convenience, the parameters have been -linked with the actual smb.conf description. +understand the parameters necessary in smb.conf. Here we +attempt to explain the parameters that are covered in +<ulink url="smb.conf.5.html"> the smb.conf +man page</ulink>. </para> <para> @@ -209,8 +208,7 @@ Here is an example <filename>smb.conf</filename> for acting as a PDC: ; where to store user profiles? <ulink url="smb.conf.5.html#LOGONPATH">logon path</ulink> = \\%N\profiles\%u - ; where is a user's home directory and where should it - ; be mounted at? + ; where is a user's home directory and where should it be mounted at? <ulink url="smb.conf.5.html#LOGONDRIVE">logon drive</ulink> = H: <ulink url="smb.conf.5.html#LOGONHOME">logon home</ulink> = \\homeserver\%u 
@@ -256,20 +254,16 @@ There are a couple of points to emphasize in the above configuration. </itemizedlist> <para> -As Samba 2.2 does not offer a complete implementation of group mapping +Samba 3.0 offers a complete implementation of group mapping between Windows NT groups and Unix groups (this is really quite -complicated to explain in a short space), you should refer to the -<ulink url="smb.conf.5.html#DOMAINADMINGROUP">domain admin -group</ulink> smb.conf parameter for information of creating "Domain -Admins" style accounts. +complicated to explain in a short space). </para> </sect1> <sect1> -<title>Creating Machine Trust Accounts and Joining Clients to the -Domain</title> +<title>Creating Machine Trust Accounts and Joining Clients to the Domain</title> <para> A machine trust account is a Samba account that is used to 
@@ -282,15 +276,65 @@ The password of a machine trust account acts as the shared secret for secure communication with the Domain Controller. This is a security feature to prevent an unauthorized machine with the same NetBIOS name from joining the domain and gaining access to domain user/group -accounts. Windows NT and 2000 clients use machine trust accounts, but -Windows 9x clients do not. Hence, a Windows 9x client is never a true -member of a domain because it does not possess a machine trust -account, and thus has no shared secret with the domain controller. +accounts. Windows NT, 200x, XP Professional clients use machine trust +accounts, but Windows 9x / Me / XP Home clients do not. Hence, a +Windows 9x / Me / XP Home client is never a true member of a domain +because it does not possess a machine trust account, and thus has no +shared secret with the domain controller. </para> <para>A Windows PDC stores each machine trust account in the Windows -Registry. A Samba PDC, however, stores each machine trust account -in two parts, as follows: +Registry. A Samba-3 PDC also has to stoe machine trust account information +in a suitable back-end data store. With Samba-3 there can be multiple back-ends +for this including: +</para> + +<itemizedlist> + <listitem><para> + <emphasis>smbpaswd</emphasis> - the plain ascii file stored used by + earlier versions of Samba. This file configuration option requires + a Unix/Linux system account for EVERY entry (ie: both for user and for + machine accounts). This file will be located in the <emphasis>private</emphasis> + directory (default is /usr/local/samba/lib/private or on linux /etc/samba). + </para></listitem> + + <listitem><para> + <emphasis>smbpasswd_nua</emphasis> - This file is independant of the + system wide user accounts. The use of this back-end option requires + specification of the "non unix account range" option also. It is called + smbpasswd and will be located in the <filename>private</filename> directory. 
+ </para></listitem> + + <listitem><para> + <emphasis>tdbsam</emphasis> - a binary database backend that will be + stored in the <emphasis>private</emphasis> directory in a file called + <emphasis>passwd.tdb</emphasis>. The key benefit of this binary format + file is that it can store binary objects that can not be accomodated + in the traditional plain text smbpasswd file. + </para></listitem> + + <listitem><para> + <emphasis>tdbsam_nua</emphasis> like the smbpasswd_nua option above, this + file allows the creation of arbitrary user and machine accounts without + requiring that account to be added to the system (/etc/passwd) file. It + too requires the specification of the "non unix account range" option + in the [globals] section of the smb.conf file. + </para></listitem> + + <listitem><para> + <emphasis>ldapsam</emphasis> - An LDAP based back-end. Permits the + LDAP server to be specified. eg: ldap://localhost or ldap://frodo.murphy.com + </para></listitem> + + <listitem><para> + <emphasis>ldapsam_nua</emphasis> - LDAP based back-end with no unix + account requirement, like smbpasswd_nua and tdbsam_nua above. + </para></listitem> +</itemizedlist> + +<para> +A Samba PDC, however, stores each machine trust account in two parts, +as follows: <itemizedlist> <listitem><para>A Samba account, stored in the same location as user @@ -426,7 +470,7 @@ be created manually. <para><programlisting> [global] - # <...remainder of parameters...> + # <...remainder of parameters...> add user script = /usr/sbin/useradd -d /dev/null -g 100 -s /bin/false -M %u </programlisting></para> @@ -496,7 +540,7 @@ version of Windows. </para> <para> - A 'machine name' in (typically) <filename>/etc/passwd</> + A 'machine name' in (typically) <filename>/etc/passwd</filename> of the machine name with a '$' appended. FreeBSD (and other BSD systems?) won't create a user with a '$' in their name. </para> 
@@ -504,7 +548,7 @@ version of Windows. <para> The problem is only in the program used to make the entry, once made, it works perfectly. So create a user without the '$' and - use <command>vipw</> to edit the entry, adding the '$'. Or create + use <command>vipw</command> to edit the entry, adding the '$'. Or create the whole entry with vipw if you like, make sure you use a unique User ID ! </para> @@ -673,8 +717,8 @@ Here are some additional details: Policy Editor can be installed on an NT Workstation/Server, it will not work with NT policies because the registry key that are set by the policy templates. However, the files from the NT Server will run happily enough on an NTws. - You need <filename>poledit.exe, common.adm</> and <filename>winnt.adm</>. It is convenient - to put the two *.adm files in <filename>c:\winnt\inf</> which is where + You need <filename>poledit.exe, common.adm</filename> and <filename>winnt.adm</filename>. It is convenient + to put the two *.adm files in <filename>c:\winnt\inf</filename> which is where the binary will look for them unless told otherwise. Note also that that directory is 'hidden'. </para> @@ -928,7 +972,7 @@ general SMB topics such as browsing.</para> <listitem><para>See how Scott Merrill simulates a BDC behavior at <ulink url="http://www.skippy.net/linux/smb-howto.html"> - http://www.skippy.net/linux/smb-howto.html</>. </para></listitem> + http://www.skippy.net/linux/smb-howto.html</ulink>. </para></listitem> <listitem><para>Although 2.0.7 has almost had its day as a PDC, David Bannon will keep the 2.0.7 PDC pages at <ulink url="http://bioserve.latrobe.edu.au/samba"> 
@@ -958,8 +1002,8 @@ general SMB topics such as browsing.</para> <para> There are a number of Samba related mailing lists. Go to <ulink url="http://samba.org">http://samba.org</ulink>, click on your nearest mirror - and then click on <command>Support</> and then click on <command> - Samba related mailing lists</>. + and then click on <command>Support</command> and then click on <command> + Samba related mailing lists</command>. </para> <para> @@ -1028,8 +1072,8 @@ general SMB topics such as browsing.</para> <para>To have your name removed from a samba mailing list, go to the same place you went to to get on it. Go to <ulink url="http://lists.samba.org/">http://lists.samba.org</ulink>, - click on your nearest mirror and then click on <command>Support</> and - then click on <command> Samba related mailing lists</>. Or perhaps see + click on your nearest mirror and then click on <command>Support</command> and + then click on <command> Samba related mailing lists</command>. Or perhaps see <ulink url="http://lists.samba.org/mailman/roster/samba-ntdom">here</ulink> </para> @@ -1112,7 +1156,7 @@ worthwhile lookingat how a Windows 9x/ME client performs a logon: <listitem> <para> The client broadcasts (to the IP broadcast address of the subnet it is in) - a NetLogon request. This is sent to the NetBIOS name DOMAIN<1c> at the + a NetLogon request. This is sent to the NetBIOS name DOMAIN<1c> at the NetBIOS layer. The client chooses the first response it receives, which contains the NetBIOS name of the logon server to use in the format of \\SERVER. @@ -1704,7 +1748,7 @@ contrast to w95, where it _does_ transfer / update profiles correctly]. <sect1> <title> -DOMAIN_CONTROL.txt : Windows NT Domain Control & Samba +DOMAIN_CONTROL.txt : Windows NT Domain Control & Samba </title> <warning> |
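Review bot: in the first hunk (@@ -13,13 +13,18 @@) the added `<firstname>John H</firstname><surname>Terpstra</surname>` and its `<affiliation>` are placed inside the existing `<author>` element, so that element now names two people; DocBook expects one person per `<author>`, so wrap the two in an `<authorgroup>` with a separate `<author>` each. The retitling to "Samba as an NT4 or Win2k Primary Domain Controller" also sits beside an unchanged `<pubdate>` of 26 Apr 2001 and a later hunk that lists "Acting as a Windows 2000 Domain Controller (i.e. Kerberos and Active Directory)" as not provided; consider a title that cannot be read as claiming Win2k-style domain control (the body only adds Win2k as a client), and update the pubdate.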
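Review bot: in the @@ -37,8 +42,7 @@ hunk the pointer to the Encryption chapter is dropped, but the surrounding sentence still says "Theses two topics are covered in the smb.conf(5) manpage", so administering password encryption now has no chapter reference and the typo "Theses" survives; either keep a replacement reference for encryption or reword the sentence, and fix "Theses" to "These" while touching it.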
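Review bot: the @@ -56,46 +60,28 @@ hunk removes the reference to UNIX_INSTALL.html together with the historical 2.2 text, yet the replacement paragraph still tells the reader a working Samba server is required before implementing PDC functionality; keep a pointer to the installation document so that prerequisite stays actionable. The deleted author's note also recorded that this document supersedes the "Samba 2.2 PDC HOWTO" and "Samba NT Domain FAQ"; if those are still published, a one-line supersession notice is worth retaining.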
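Review bot: in the @@ -105,7 +91,7 @@ and @@ -114,42 +100,56 @@ hunks the list heading changes from "not included in the 2.2 release" to "new to the Samba 3.0 release", but the list items preceding "Adding users via the User Manager for Domains" lie outside the hunks and are not shown as changed; verify that each of them is actually delivered in 3.0, otherwise the list now reads as a feature claim the text does not back. In the same hunk the sentence "the protocol for support Windows 9x-style domain logons" is edited but left ungrammatical; "for supporting" fixes it.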
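Review bot: the @@ -256,20 +254,16 @@ hunk turns "does not offer a complete implementation of group mapping" into "offers a complete implementation" and removes the `domain admin group` pointer without replacing it, so the retained parenthetical "(this is really quite complicated to explain in a short space)" now leads nowhere; add a reference to where group mapping and "Domain Admins" style accounts are configured in Samba 3.0, or drop the parenthetical.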
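Review bot: the @@ -282,15 +276,65 @@ hunk contains several spelling and naming errors that will mislead someone choosing a passdb backend: "stoe" (store), "smbpaswd" (smbpasswd), "the plain ascii file stored used by" (drop "stored", capitalise ASCII), "independant", "accomodated", and "[globals] section" where the example configuration elsewhere in this file uses `[global]`. Confirm the tdbsam file name "passwd.tdb" against what Samba 3.0 actually creates in the private directory, and reword "A Samba PDC, however, stores each machine trust account in two parts", since after the inserted backend list "however" no longer contrasts with the Windows Registry sentence. The ldapsam examples "ldap://localhost or ldap://frodo.murphy.com" show plain ldap:// URIs; since this backend holds the machine trust secrets the preceding paragraph describes as the shared secret with the domain controller, a sentence noting that a remote LDAP server should be reached over a protected transport would be appropriate here.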