diff options
Diffstat (limited to 'docs/docbook/projdoc/Samba-PDC-HOWTO.sgml')
| -rw-r--r-- | docs/docbook/projdoc/Samba-PDC-HOWTO.sgml | 964 |
1 files changed, 964 insertions, 0 deletions
diff --git a/docs/docbook/projdoc/Samba-PDC-HOWTO.sgml b/docs/docbook/projdoc/Samba-PDC-HOWTO.sgml new file mode 100644 index 0000000000..699ba54a09 --- /dev/null +++ b/docs/docbook/projdoc/Samba-PDC-HOWTO.sgml @@ -0,0 +1,964 @@ +<chapter> + + +<chapterinfo> + <author> + <firstname>Gerald (Jerry)</firstname><surname>Carter</surname> + <affiliation> + <orgname>VA Linux Systems/Samba Team</orgname> + <address><email>jerry@samba.org</email></address> + </affiliation> + </author> + <pubdate> (15 Apr 2001) </pubdate> +</chapterinfo> + +<title> +How to Configure Samba 2.2.x as a Primary Domain Controller +</title> + + +<!-- ********************************************************** + + Background Information + +*************************************************************** --> +<sect1> +<title> +Background +</title> + +<para><emphasis>Author's Note :</emphasis> This document +is a combination of David Bannon's Samba 2.2 PDC HOWTO +and the Samba NT Domain FAQ. Both documents are superceeded by this one. +</para> + +<para> +Version of Samba prior to release 2.2 had marginal capabilities to +act as a Windows NT 4.0 Primary Domain Controller (PDC). The following +functionality should work in 2.2.0: +</para> + +<itemizedlist> + <listitem><para>domain logons for Windows NT 4.0/2000 clients</para></listitem> + + <listitem><para>placing a Windows 9x client in user level security</para></listitem> + + <listitem><para>retrieving a list of users and groups from a Samba PDC to + Windows 9x/NT/2000 clients </para></listitem> + + <listitem><para>roving user profiles</para></listitem> + + <listitem><para>Windows NT 4.0 style system policies</para></listitem> +</itemizedlist> + +<para> +The following pieces of functionality are not included in the 2.2 release: +</para> + +<itemizedlist> + <listitem><para>Windows NT 4 domain trusts</para></listitem> + + <listitem><para>Sam replication with Windows NT 4.0 Domain Controllers + (i.e. a Samba PDC and a Windows NT BDC or vice versa) </para></listitem> + + <listitem><para>Adding users via the User Manager for Domains</para></listitem> + + <listitem><para>Acting as a Windows 2000 Domain Controller (i.e. Kerberos + and Active Directory)</para></listitem> +</itemizedlist> + +<para> +Please note that Windows 9x clients are not true members of a domain +for reasons outlined in this article. Therefore the protocol for +support Windows 9x style domain logons is completely different +from NT4 domain logons and has been officially supported for some +time. +</para> + +<para> +Beginning with Samba 2.2.0, we are proud to announce official +support for Windows NT 4.0 style domain logons from Windows NT +4.0 and Windows 2000 (including SP1) clients. This article +outlines the steps necessary for configuring Samba as a PDC. +Note that it is necessary to have a working Samba server +prior to implementing the PDC functionality. If you have not +followed the steps outlined in <ulink url="UNIX_INSTALL.html"> +UNIX_INSTALL.html</ulink>, please make sure that your server +is configured correctly before proceeding. Another good +resource in the <ulink url="smb.conf.5.html">smb.conf(5) man +page</ulink>. +</para> + +<para> +Implementing a Samba PDC can basically be divided into 2 broad +steps. +</para> + +<orderedlist numeration="Arabic"> + <listitem><para>Configuring the Samba Domain Controller + </para></listitem> + + <listitem><para>Creating machine trust accounts + and joining clients to the domain</para></listitem> +</orderedlist> + +<para> +There are other minor details such as user profiles, system +policies, etc... However, these are not necessarily specific +to a Samba PDC as much as they are related to Windows NT networking +concepts. They will be mentioned only briefly here. +</para> + +</sect1> + + +<!-- ********************************************************** + + Configuring the Samba PDC + +*************************************************************** --> + +<sect1> +<title>Configuring the Samba Domain Controller</title> + +<para> +The first step in creating a working Samba PDC is to +understand the parameters necessary in smb.conf. I will not +attempt to re-explain the parameters here as they are more that +adequately covered in <ulink url="smb.conf.5.html"> the smb.conf +man page</ulink>. For convenience, the parameters have been +linked with the actual smb.conf description. +</para> + +<para> +Here is an example smb.conf for acting as a PDC: +</para> + +<para><programlisting> +[global] + ; Basic server settings + <ulink url="smb.conf.5.html#NETBIOSNAME">netbios name</ulink> = <replaceable>POGO</replaceable> + <ulink url="smb.conf.5.html#WORKGROUP">workgroup</ulink> = <replaceable>NARNIA</replaceable> + + ; we should act as the domain and local master browser + <ulink url="smb.conf.5.html#OSLEVEL">os level</ulink> = 64 + <ulink url="smb.conf.5.html#PERFERREDMASTER">preferred master</ulink> = yes + <ulink url="smb.conf.5.html#DOMAINMASTER">domain master</ulink> = yes + <ulink url="smb.conf.5.html#LOCALMASTER">local master</ulink> = yes + + ; security settings (must user security = user) + <ulink url="smb.conf.5.html#SECURITYEQUALSUSER">security</ulink> = user + + ; encrypted passwords are a requirement for a PDC + <ulink url="smb.conf.5.html#ENCRYPTPASSWORDS">encrypt passwords</ulink> = yes + + ; support domain logons + <ulink url="smb.conf.5.html#DOMAINLOGONS">domain logons</ulink> = yes + + ; where to store user profiles? + <ulink url="smb.conf.5.html#LOGONPATH">logon path</ulink> = \\%N\profiles\%u + + ; where is a user's home directory and where should it + ; be mounted at? + <ulink url="smb.conf.5.html#LOGONDRIVE">logon drive</ulink> = H: + <ulink url="smb.conf.5.html#LOGONHOME">logon home</ulink> = \\homeserver\%u + + ; specify a generic logon script for all users + ; this is a relative path to the [netlogon] share + <ulink url="smb.conf.5.html#LOGONSCRIPT">logon script</ulink> = logon.cmd + +; necessary share for domain controller +[netlogon] + <ulink url="smb.conf.5.html#PATH">path</ulink> = /usr/local/samba/lib/netlogon + <ulink url="smb.conf.5.html#WRITEABLE">writeable</ulink> = no + <ulink url="smb.conf.5.html#WRITELIST">write list</ulink> = <replaceable>ntadmin</replaceable> + +; share for storing user profiles +[profiles] + <ulink url="smb.conf.5.html#PATH">path</ulink> = /export/smb/ntprofile + <ulink url="smb.conf.5.html#WRITEABLE">writeable</ulink> = yes + <ulink url="smb.conf.5.html#CREATEMASK">create mask</ulink> = 0600 + <ulink url="smb.conf.5.html#DIRECTORYMASK">directory mask</ulink> = 0700 +</programlisting></para> + +<para> +There are a couple of points to emphasize in the above +configuration. +</para> + +<itemizedlist> + <listitem><para>encrypted passwords must be enabled. + For more details on how to do this, refer to + <ulink url="ENCRYPTION.html">ENCRYPTION.html</ulink>. + </para></listitem> + + <listitem><para>The server must support domain logons + and a <filename>[netlogon]</filename> share</para></listitem> + + <listitem><para>The server must be the domain master browser + in order for Windows client to locate the server as a DC.</para> + </listitem> +</itemizedlist> + +<para> +As Samba 2.2 does not offer a complete implementation of group mapping between +Windows NT groups and UNIX groups (this is really quite complicated to explain +in a short space), you should refer to the <ulink url="smb.conf.5.html#DOMAINADMONUSERS">domain +admin users</ulink> and <ulink url="smb.conf.5.html#DOMAINADMINGROUP">domain +admin group</ulink> smb.conf parameters for information of creating a Domain Admins +style accounts. +</para> + +</sect1> + + +<sect1> +<title>Creating Machine Trust Accounts and Joining Clients +to the Domain</title> + +<para> +First you must understand what a machine trust account is and what +it is used for. +</para> + +<para> +A machine trust account is a user account owned by a computer. +The account password acts as the shared secret for secure +communication with the Domain Controller. Hence the reason that +a Windows 9x host is never a true member of a domain because +it does not posses a machine trust account and thus has no shared +secret with the DC. +</para> + +<para> +On a Windows NT PDC, these machine trust account passwords are stored +in the registry. A Samba PDC stores these accounts in he same location +as user LanMan and NT password hashes (currently <filename>smbpasswd</filename>). +However, machine trust accounts only possess the NT password hash. +</para> + +<para> +There are two means of creating machine trust accounts. +</para> + +<itemizedlist> + <listitem><para>Manual creation before joining the client + to the domain. In this case, the password is set to a known + value -- the lower case of the machine's netbios name.</para></listitem> + + <listitem><para>Creation of the account at the time of + joining the domain. In this case, the session key of the + administrative account used to join the client to the domain acts + as an encryption key for setting the password to a random value.</para> + </listitem> +</itemizedlist> + +<para> +Because Samba requires machine accounts to possess a UNIX uid from +which an Windows NT SID can be generated, all of these accounts +will have an entry in <filename>/etc/passwd</filename> and smbpasswd. +Future releases will alleviate the need to create +<filename>/etc/passwd</filename> entries. +</para> + + +<para> +The <filename>/etc/passwd</filename> entry will list the machine name +with a $ appended, won't have a passwd, will have a null shell and no +home directory. For example a machine called 'doppy' would have an +<filename>/etc/passwd</filename> entry like this : +</para> + +<para><programlisting> +doppy$:x:505:501:NTMachine:/dev/null:/bin/false +</programlisting></para> + +<para> +If you are manually creating the machine accounts, it is necessary +to add the <filename>/etc/passwd</filename> (or NIS passwd +map) entry prior to adding the <filename>smbpasswd</filename> +entry. The following command will create a new machine account +ready for use. +</para> + +<para> +<prompt>root# </prompt> smbpasswd -a -m <replaceable>machine_name</replaceable> +</para> + +<para> +where <replaceable>machine_name</replaceable> is the machine's netbios +name. +</para> + +<para> +<emphasis>If you manually create a machine account, immediately join +the client to the domain.</emphasis> An open account like this +can allow intruders to gain access to user account information +in your domain. +</para> + +<para> +The second way of creating machine trust accounts is to add +them on the fly at the time the client is joined to the domain. +You will need to include a value for the +<ulink url="smb.conf.5.html#ADDUSERSCRIPT">add user script</ulink> +parameter. Below is an example I use on a RedHat 6.2 Linux system. +</para> + +<para><programlisting> +add user script = /usr/sbin/useradd -d /dev/null -g 100 -s /bin/false -M %u +</programlisting></para> + +<para> +In Samba 2.2.0, <emphasis>only the root account</emphasis> can be used to create +machine accounts on the fly like this. Therefore, it is required +to create an entry in smbpasswd for <emphasis>root</emphasis>. +The password <emphasis>SHOULD</emphasis> be set to s different +password that the associated <filename>/etc/passwd</filename> +entry for security reasons. +</para> +</sect1> + +<!-- ********************************************************** + + Common Problems + +*************************************************************** --> + +<sect1> +<title>Common Problems and Errors</title> + +<para> +</para> + +<para> +<emphasis>I cannot include a '$' in a machine name.</emphasis> +</para> + +<para> +A 'machine name' in (typically) <filename>/etc/passwd</> +of the machine name with a '$' appended. FreeBSD (and other BSD +systems ?) won't create a user with a '$' in their name. +</para> + +<para> +The problem is only in the program used to make the entry, once +made, it works perfectly. So create a user without the '$' and +use <command>vipw</> to edit the entry, adding the '$'. Or create +the whole entry with vipw if you like, make sure you use a +unique uid ! +</para> + + +<para> +<emphasis>I get told "You already have a connection to the Domain...." +when creating a machine account.</emphasis> +</para> + +<para> +This happens if you try to create a machine account from the +machine itself and use a user name that does not work (for whatever +reason) and then try another (possibly valid) user name. +Exit out of the network applet to close the initial connection +and try again. +</para> + +<para> +Further, if the machine is a already a 'member of a workgroup' that +is the same name as the domain you are joining (bad idea) you will +get this message. Change the workgroup name to something else, it +does not matter what, reboot, and try again. +</para> + +<para> +<emphasis>I get told "Cannot join domain, the credentials supplied +conflict with an existing set.."</emphasis> +</para> + +<para> +This is the same basic problem as mentioned above, "You already +have a connection..." +</para> + +<para> +<emphasis> +"The system can not log you on (C000019B)...."</emphasis> +</para> + +<para>I joined the domain successfully but after upgrading +to a newer version of the Samba code I get the message, "The system +can not log you on (C000019B), Please try a gain or consult your +system administrator" when attempting to logon. +</para> + +<para> +This occurs when the domain SID stored in +<filename>private/WORKGROUP.SID</filename> is +changed. For example, you remove the file and <command>smbd</command> automatically +creates a new one. Or you are swapping back and forth between +versions 2.0.7, TNG and the HEAD branch code (not recommended). The +only way to correct the problem is to restore the original domain +SID or remove the domain client from the domain and rejoin. +</para> + + +<para> +<emphasis>"The machine account for this computer either does not +exist or is not accessible."</emphasis> +</para> + +<para> +When I try to join the domain I get the message "The machine account +for this computer either does not exist or is not accessible". Whats +wrong ? +</para> + +<para> +This problem is caused by the PDC not having a suitable machine account. +If you are using the <command>add user script =</> method to create +accounts then this would indicate that it has not worked. Ensure the domain +admin user system is working. +</para> + +<para> +Alternatively if you are creating account entries manually then they +have not been created correctly. Make sure that you have the entry +correct for the machine account in smbpasswd file on the Samba PDC. +If you added the account using an editor rather than using the smbpasswd +utility, make sure that the account name is the machine netbios name +with a '$' appended to it ( ie. computer_name$ ). There must be an entry +in both /etc/passwd and the smbpasswd file. Some people have reported +that inconsistent subnet masks between the Samba server and the NT +client have caused this problem. Make sure that these are consistent +for both client and server. +</para> + +</sect1> + + + +<!-- ********************************************************** + + Policies and Profiles + +*************************************************************** --> + +<sect1> +<title> +System Policies and Profiles +</title> + +<para> +Much of the information necessary to implement System Policies and +Roving User Profiles in a Samba domain is the same as that for +implementing these same items in a Windows NT 4.0 domain. +You should read the white paper <ulink url="http://www.microsoft.com/ntserver/management/deployment/planguide/prof_policies.asp">Implementing +Profiles and Policies in Windows NT 4.0</ulink> available from Microsoft. +</para> + +<para> +Here are some additional details: +</para> + +<para> +<emphasis>What about Windows NT Policy Editor ?</emphasis> +</para> + +<para> +To create or edit <filename>ntconfig.pol</filename> you must use +the NT Server Policy Editor, <command>poledit.exe</command> which +is included with NT Server but <emphasis>not NT Workstation</emphasis>. +There is a Policy Editor on a NTws +but it is not suitable for creating <emphasis>Domain Policies</emphasis>. +Further, although the Windows 95 +Policy Editor can be installed on an NT Workstation/Server, it will not +work with NT policies because the registry key that are set by the policy templates. +However, the files from the NT Server will run happily enough on an NTws. +You need <filename>poledit.exe, common.adm</> and <filename>winnt.adm</>. It is convenient +to put the two *.adm files in <filename>c:\winnt\inf</> which is where +the binary will look for them unless told otherwise. Note also that that +directory is 'hidden'. +</para> + +<para>The Windows NT policy editor is also included with the +Service Pack 3 (and later) for Windows NT 4.0. Extract the files using +<command>servicepackname /x</command>, ie thats <command>Nt4sp6ai.exe +/x</command> for service pack 6a. The policy editor, <command>poledit.exe</command> and the +associated template files (*.adm) should +be extracted as well. It is also possible to downloaded the policy template +files for Office97 and get a copy of the policy editor. Another possible +location is with the Zero Administration Kit available for download from Microsoft. +</para> + + +<para> +<emphasis>Can Win95 do Policies ?</emphasis> +</para> + +<para> +Install the group policy handler for Win9x to pick up group +policies. Look on the Win98 CD in <filename>\tools\reskit\netadmin\poledit</filename>. +Install group policies on a Win9x client by double-clicking +<filename>grouppol.inf</filename>. Log off and on again a couple of +times and see if Win98 picks up group policies. Unfortunately this needs +to be done on every Win9x machine that uses group policies.... +</para> + +<para> +If group policies don't work one reports suggests getting the updated +(read: working) grouppol.dll for Windows 9x. The group list is grabbed +from /etc/group. +</para> + +<para> +<emphasis>How do I get 'User Manager' and 'Server Manager'</emphasis> +</para> + +<para> +Since I don't need to buy an NT Server CD now, how do I get +the 'User Manager for Domains', the 'Server Manager' ? +</para> + +<para> +Microsoft distributes a version of +these tools called nexus for installation on Windows 95 systems. The +tools set includes +</para> + +<itemizedlist> + <listitem><para>Server Manager</para></listitem> + + <listitem><para>User Manager for Domains</para></listitem> + + <listitem><para>Event Viewer</para></listitem> +</itemizedlist> + +<para> +Click here to download the archived file <ulink +url="ftp://ftp.microsoft.com/Softlib/MSLFILES/NEXUS.EXE">ftp://ftp.microsoft.com/Softlib/MSLFILES/NEXUS.EXE</ulink> +</para> + +<para> +The Windows NT 4.0 version of the 'User Manager for +Domains' and 'Server Manager' are available from Microsoft via ftp +from <ulink url="ftp://ftp.microsoft.com/Softlib/MSLFILES/SRVTOOLS.EXE">ftp://ftp.microsoft.com/Softlib/MSLFILES/SRVTOOLS.EXE</ulink> +</para> + +</sect1> + + + +<!-- ********************************************************** + + Getting Help + +*************************************************************** --> + + +<sect1> +<title>What other help can I get ? </title> + +<para> +There are many sources of information available in the form +of mailing lists, RFC's and documentation. The docs that come +with the samba distribution contain very good explanations of +general SMB topics such as browsing.</para> + +<para> +<emphasis>What are some diagnostics tools I can use to debug the domain logon +process and where can I find them?</emphasis> +</para> + + <para> + One of the best diagnostic tools for debugging problems is Samba itself. + You can use the -d option for both smbd and nmbd to specifiy what + 'debug level' at which to run. See the man pages on smbd, nmbd and + smb.conf for more information on debugging options. The debug + level can range from 1 (the default) to 10 (100 for debugging passwords). + </para> + + <para> + Another helpful method of debugging is to compile samba using the + <command>gcc -g </command> flag. This will include debug + information in the binaries and allow you to attach gdb to the + running smbd / nmbd process. In order to attach gdb to an smbd + process for an NT workstation, first get the workstation to make the + connection. Pressing ctrl-alt-delete and going down to the domain box + is sufficient (at least, on the first time you join the domain) to + generate a 'LsaEnumTrustedDomains'. Thereafter, the workstation + maintains an open connection, and therefore there will be an smbd + process running (assuming that you haven't set a really short smbd + idle timeout) So, in between pressing ctrl alt delete, and actually + typing in your password, you can gdb attach and continue. + </para> + + <para> + Some useful samba commands worth investigating: + </para> + + <itemizedlist> + <listitem><para>testparam | more</para></listitem> + <listitem><para>smbclient -L //{netbios name of server}</para></listitem> + </itemizedlist> + + <para> + An SMB enabled version of tcpdump is available from + <ulink url="http://www.tcpdump.org/">http://www.tcpdup.org/</ulink>. + Ethereal, another good packet sniffer for UNIX and Win32 + hosts, can be downloaded from <ulink + url="http://www.ethereal.com/">http://www.ethereal.com</ulink>. + </para> + + <para> + For tracing things on the Microsoft Windows NT, Network Monitor + (aka. netmon) is available on the Microsoft Developer Network CD's, + the Windows NT Server install CD and the SMS CD's. The version of + netmon that ships with SMS allows for dumping packets between any two + computers (ie. placing the network interface in promiscuous mode). + The version on the NT Server install CD will only allow monitoring + of network traffic directed to the local NT box and broadcasts on the + local subnet. Be aware that Ethereal can read and write netmon + formatted files. + </para> + +<para> +<emphasis>How do I install 'Network Monitor' on an NT Workstation +or a Windows 9x box?</emphasis> +</para> + <para> + Installing netmon on an NT workstation requires a couple + of steps. The following are for installing Netmon V4.00.349, which comes + with Microsoft Windows NT Server 4.0, on Microsoft Windows NT + Workstation 4.0. The process should be similar for other version of + Windows NT / Netmon. You will need both the Microsoft Windows + NT Server 4.0 Install CD and the Workstation 4.0 Install CD. + </para> + + <para> + Initially you will need to install 'Network Monitor Tools and Agent' + on the NT Server. To do this + </para> + + <itemizedlist> + <listitem><para>Goto Start - Settings - Control Panel - + Network - Services - Add </para></listitem> + + <listitem><para>Select the 'Network Monitor Tools and Agent' and + click on 'OK'.</para></listitem> + + <listitem><para>Click 'OK' on the Network Control Panel. + </para></listitem> + + <listitem><para>Insert the Windows NT Server 4.0 install CD + when prompted.</para></listitem> + </itemizedlist> + + <para> + At this point the Netmon files should exist in + <filename>%SYSTEMROOT%\System32\netmon\*.*</filename>. + Two subdirectories exist as well, <filename>parsers\</filename> + which contains the necessary DLL's for parsing the netmon packet + dump, and <filename>captures\</filename>. + </para> + + <para> + In order to install the Netmon tools on an NT Workstation, you will + first need to install the 'Network Monitor Agent' from the Workstation + install CD. + </para> + + <itemizedlist> + <listitem><para>Goto Start - Settings - Control Panel - + Network - Services - Add</para></listitem> + + <listitem><para>Select the 'Network Monitor Agent' and click + on 'OK'.</para></listitem> + + <listitem><para>Click 'OK' on the Network Control Panel. + </para></listitem> + + <listitem><para>Insert the Windows NT Workstation 4.0 install + CD when prompted.</para></listitem> + </itemizedlist> + + + <para> + Now copy the files from the NT Server in %SYSTEMROOT%\System32\netmon\*.* + to %SYSTEMROOT%\System32\netmon\*.* on the Workstation and set + permissions as you deem appropriate for your site. You will need + administrative rights on the NT box to run netmon. + </para> + + <para> + To install Netmon on a Windows 9x box install the network monitor agent + from the Windows 9x CD (\admin\nettools\netmon). There is a readme + file located with the netmon driver files on the CD if you need + information on how to do this. Copy the files from a working + Netmon installation. + </para> + +<sect2> +<title>URLs and similar</title> + + +<itemizedlist> + + <listitem><para>Home of Samba site <ulink url="http://samba.org"> + http://samba.org</ulink>. We have a mirror near you !</para></listitem> + + <listitem><para> The <emphasis>Development</emphasis> document + on the Samba mirrors might mention your problem. If so, + it might mean that the developers are working on it.</para></listitem> + + <listitem><para>See how Scott Merrill simulates a BDC behavior at + <ulink url="http://www.skippy.net/linux/smb-howto.html"> + http://www.skippy.net/linux/smb-howto.html</>. </para></listitem> + + <listitem><para>Although 2.0.7 has almost had its day as a PDC, David Bannon will + keep the 2.0.7 PDC pages at <ulink url="http://bioserve.latrobe.edu.au/samba"> + http://bioserve.latrobe.edu.au/samba</ulink> going for a while yet.</para></listitem> + + <listitem><para>Misc links to CIFS information + <ulink url="http://samba.org/cifs/">http://samba.org/cifs/</ulink></para></listitem> + + <listitem><para>NT Domains for Unix <ulink url="http://mailhost.cb1.com/~lkcl/ntdom/"> + http://mailhost.cb1.com/~lkcl/ntdom/</ulink></para></listitem> + + <listitem><para>FTP site for older SMB specs: + <ulink url="ftp://ftp.microsoft.com/developr/drg/CIFS/"> + ftp://ftp.microsoft.com/developr/drg/CIFS/</ulink></para></listitem> + +</itemizedlist> + +</sect2> + + +<sect2> +<title>Mailing Lists</title> + +<para> +<emphasis>How do I get help from the mailing lists ?</emphasis> +</para> + +<para> +There are a number of Samba related mailing lists. Go to <ulink +url="http://samba.org">http://samba.org</ulink>, click on your nearest mirror +and then click on <command>Support</> and then click on <command> +Samba related mailing lists</>. +</para> + +<para> +For questions relating to Samba TNG go to +<ulink url="http://www.samba-tng.org/">http://www.samba-tng.org/</ulink> +It has been requested that you don't post questions about Samba-TNG to the +main stream Samba lists.</para> + +<para> +If you post a message to one of the lists please observe the following guide lines : +</para> + +<itemizedlist> + + <listitem><para> Always remember that the developers are volunteers, they are + not paid and they never guarantee to produce a particular feature at + a particular time. Any time lines are 'best guess' and nothing more. + </para></listitem> + + <listitem><para> Always mention what version of samba you are using and what + operating system its running under. You should probably list the + relevant sections of your smb.conf file, at least the options + in [global] that affect PDC support.</para></listitem> + + <listitem><para>In addition to the version, if you obtained Samba via + CVS mention the date when you last checked it out.</para></listitem> + + <listitem><para> Try and make your question clear and brief, lots of long, + convoluted questions get deleted before they are completely read ! + Don't post html encoded messages (if you can select colour or font + size its html).</para></listitem> + + <listitem><para> If you run one of those nifty 'I'm on holidays' things when + you are away, make sure its configured to not answer mailing lists. + </para></listitem> + + <listitem><para> Don't cross post. Work out which is the best list to post to + and see what happens, ie don't post to both samba-ntdom and samba-technical. + Many people active on the lists subscribe to more + than one list and get annoyed to see the same message two or more times. + Often someone will see a message and thinking it would be better dealt + with on another, will forward it on for you.</para></listitem> + + <listitem><para>You might include <emphasis>partial</emphasis> + log files written at a debug level set to as much as 20. + Please don't send the entire log but enough to give the context of the + error messages.</para></listitem> + + <listitem><para>(Possibly) If you have a complete netmon trace ( from the opening of + the pipe to the error ) you can send the *.CAP file as well.</para></listitem> + + <listitem><para>Please think carefully before attaching a document to an email. + Consider pasting the relevant parts into the body of the message. The samba + mailing lists go to a huge number of people, do they all need a copy of your + smb.conf in their attach directory ?</para></listitem> + +</itemizedlist> + + +<para> +<emphasis>How do I get off the mailing lists ?</emphasis> +</para> + + <para>To have your name removed from a samba mailing list, go to the + same place you went to to get on it. Go to <ulink url= + "http://lists.samba.org/">http://lists.samba.org</ulink>, click + on your nearest mirror and then click on <command>Support</> and + then click on <command> Samba related mailing lists</>. Or perhaps see + <ulink url="http://lists.samba.org/mailman/roster/samba-ntdom">here</ulink></para> + + <para> + Please don't post messages to the list asking to be removed, you will just + be referred to the above address (unless that process failed in some way...) + </para> +</sect2> +</sect1> + + + + +<!-- ********************************************************** + + Appendix - DOMAIN_CONTROL.txt + +*************************************************************** --> + +<sect1> +<title> +DOMAIN_CONTROL.txt : Windows NT Domain Control & Samba +</title> + +<para> +This appendix was originally authored by John H Terpstra of the Samba Team +and is included here for posterity. +</para> + + +<para> +<emphasis>NOTE :</emphasis> +The term "Domain Controller" and those related to it refer to one specific +method of authentication that can underly an SMB domain. Domain Controllers +prior to Windows NT Server 3.1 were sold by various companies and based on +private extensions to the LAN Manager 2.1 protocol. Windows NT introduced +Microsoft-specific ways of distributing the user authentication database. +See DOMAIN.txt for examples of how Samba can participate in or create +SMB domains based on shared authentication database schemes other than the +Windows NT SAM. +</para> + +<para> +Windows NT Server can be installed as either a plain file and print server +(WORKGROUP workstation or server) or as a server that participates in Domain +Control (DOMAIN member, Primary Domain controller or Backup Domain controller). +</para> + +<para> +The same is true for OS/2 Warp Server, Digital Pathworks and other similar +products, all of which can participate in Domain Control along with Windows NT. +However only those servers which have licensed Windows NT code in them can be +a primary Domain Controller (eg Windows NT Server, Advanced Server for Unix.) +</para> + +<para> +To many people these terms can be confusing, so let's try to clear the air. +</para> + +<para> +Every Windows NT system (workstation or server) has a registry database. +The registry contains entries that describe the initialization information +for all services (the equivalent of Unix Daemons) that run within the Windows +NT environment. The registry also contains entries that tell application +software where to find dynamically loadable libraries that they depend upon. +In fact, the registry contains entries that describes everything that anything +may need to know to interact with the rest of the system. +</para> + +<para> +The registry files can be located on any Windows NT machine by opening a +command prompt and typing: +</para> + +<para> +<prompt>C:\WINNT\></prompt> dir %SystemRoot%\System32\config +</para> + +<para> +The environment variable %SystemRoot% value can be obtained by typing: +</para> + +<para> +<prompt>C:\WINNT></prompt>echo %SystemRoot% +</para> + +<para> +The active parts of the registry that you may want to be familiar with are +the files called: default, system, software, sam and security. +</para> + +<para> +In a domain environment, Microsoft Windows NT domain controllers participate +in replication of the SAM and SECURITY files so that all controllers within +the domain have an exactly identical copy of each. +</para> + +<para> +The Microsoft Windows NT system is structured within a security model that +says that all applications and services must authenticate themselves before +they can obtain permission from the security manager to do what they set out +to do. +</para> + +<para> +The Windows NT User database also resides within the registry. This part of +the registry contains the user's security identifier, home directory, group +memberships, desktop profile, and so on. +</para> + +<para> +Every Windows NT system (workstation as well as server) will have its own +registry. Windows NT Servers that participate in Domain Security control +have a database that they share in common - thus they do NOT own an +independent full registry database of their own, as do Workstations and +plain Servers. +</para> + +<para> +The User database is called the SAM (Security Access Manager) database and +is used for all user authentication as well as for authentication of inter- +process authentication (ie: to ensure that the service action a user has +requested is permitted within the limits of that user's privileges). +</para> + +<para> +The Samba team have produced a utility that can dump the Windows NT SAM into +smbpasswd format: see ENCRYPTION.txt for information on smbpasswd and +/pub/samba/pwdump on your nearest Samba mirror for the utility. This +facility is useful but cannot be easily used to implement SAM replication +to Samba systems. +</para> + +<para> +Windows for Workgroups, Windows 95, and Windows NT Workstations and Servers +can participate in a Domain security system that is controlled by Windows NT +servers that have been correctly configured. At most every domain will have +ONE Primary Domain Controller (PDC). It is desirable that each domain will +have at least one Backup Domain Controller (BDC). +</para> + +<para> +The PDC and BDCs then participate in replication of the SAM database so that +each Domain Controlling participant will have an up to date SAM component +within its registry. +</para> + +</sect1> + +</chapter> |