diff options
Diffstat (limited to 'docs/docbook/projdoc/Samba-PDC-HOWTO.xml')
-rw-r--r-- | docs/docbook/projdoc/Samba-PDC-HOWTO.xml | 455 |
1 files changed, 239 insertions, 216 deletions
diff --git a/docs/docbook/projdoc/Samba-PDC-HOWTO.xml b/docs/docbook/projdoc/Samba-PDC-HOWTO.xml index 0189b59f2e..9bbcb134b4 100644 --- a/docs/docbook/projdoc/Samba-PDC-HOWTO.xml +++ b/docs/docbook/projdoc/Samba-PDC-HOWTO.xml @@ -14,13 +14,7 @@ <pubdate> (26 Apr 2001) </pubdate> </chapterinfo> -<title> -Samba as an NT4 or Win2k Primary Domain Controller -</title> - - -<sect1> -<title>Prerequisite Reading</title> +<title>Domain Control</title> <para> Before you continue reading in this chapter, please make sure @@ -30,16 +24,61 @@ encryption in Samba. Theses two topics are covered in the &smb.conf; manpage. </para> - -</sect1> - - - <sect1> <title> Background </title> +<sect2> +<title>Domain Controller</title> + +<para> +Over the years public perceptions of what Domain Control really is has taken on an +almost mystical nature. Before we branch into a brief overview of what Domain Control +is the following types of controller are known: +</para> + +<sect3> +<title>Domain Controller Types</title> + +<simplelist> + <member>Primary Domain Controller</member> + <member>Backup Domain Controller</member> + <member>ADS Domain Controller</member> +</simplelist> + +<para> +The <emphasis>Primary Domain Controller</emphasis> or PDC plays an important role in the MS +Windows NT3 and NT4 Domain Control architecture, but not in the manner that so many +expect. The PDC seeds the Domain Control database (a part of the Windows registry) and +it plays a key part in synchronisation of the domain authentication database. +</para> + +<para> +New to Samba-3.0.0 is the ability to use a back-end file that holds the same type of data as +the NT4 style SAM (Security Account Manager) database (one of the registry files). +The samba-3.0.0 SAM can be specified via the smb.conf file parameter "passwd backend" and +valid options include <emphasis> smbpasswd tdbsam ldapsam nisplussam plugin unixsam</emphasis>. +The smbpasswd, tdbsam and ldapsam options can have a "_nua" suffix to indicate that No Unix +Accounts need to be created. In other words, the Samba SAM will be independant of Unix/Linux +system accounts, provided a uid range is defined from which SAM accounts can be created. +</para> + +<para> +The <emphasis>Backup Domain Controller</emphasis> or BDC plays a key role in servicing network +authentication requests. The BDC is biased to answer logon requests so that on a network segment +that has a BDC and a PDC the BDC will be most likely to service network logon requests. The PDC will +answer network logon requests when the BDC is too busy (high load). A BDC can be promoted to +a PDC. If the PDC is on line at the time that the BDC is promoted to PDC the previous PDC is +automatically demoted to a BDC. +</para> + +<para> +At this time Samba is NOT capable of acting as an <emphasis>ADS Domain Controller</emphasis>. +</para> +</sect3> +</sect2> + <para> This article outlines the steps necessary for configuring Samba as a PDC. It is necessary to have a working Samba server prior to implementing the @@ -140,22 +179,19 @@ steps. </orderedlist> <para> -There are other minor details such as user profiles, system -policies, etc... However, these are not necessarily specific -to a Samba PDC as much as they are related to Windows NT networking -concepts. +There are other minor details such as user profiles, system policies, etc... +However, these are not necessarily specific to a Samba PDC as much as they are +related to Windows NT networking concepts. </para> </sect1> - <sect1> -<title>Configuring the Samba Domain Controller</title> +<title>Configuring Samba NT4 Style Domain Control</title> <para> -The first step in creating a working Samba PDC is to -understand the parameters necessary in smb.conf. Here we -attempt to explain the parameters that are covered in +The first step in creating a working Samba PDC is to understand the parameters necessary +in &smb.conf;. Here we attempt to explain the parameters that are covered in the &smb.conf; man page. </para> @@ -164,54 +200,53 @@ Here is an example &smb.conf; for acting as a PDC: </para> <para><programlisting> -[global] - ; Basic server settings - <ulink url="smb.conf.5.html#NETBIOSNAME">netbios name</ulink> = <replaceable>POGO</replaceable> - <ulink url="smb.conf.5.html#WORKGROUP">workgroup</ulink> = <replaceable>NARNIA</replaceable> - - ; User and Machine Account Backends - ; Choices are: tdbsam, tdbsam_nua, smbpasswd, smbpasswd_nua, ldapsam, ldapsam_nua, ... - ; mysqlsam, xmlsam, guest - <ulink url="smb.conf.5.html#PASSDBBACKEND">passdb backend</ulink> = ldapsam, guest - - ; we should act as the domain and local master browser - <ulink url="smb.conf.5.html#OSLEVEL">os level</ulink> = 64 - <ulink url="smb.conf.5.html#PERFERREDMASTER">preferred master</ulink> = yes - <ulink url="smb.conf.5.html#DOMAINMASTER">domain master</ulink> = yes - <ulink url="smb.conf.5.html#LOCALMASTER">local master</ulink> = yes - - ; security settings (must user security = user) - <ulink url="smb.conf.5.html#SECURITYEQUALSUSER">security</ulink> = user - - ; encrypted passwords are a requirement for a PDC - <ulink url="smb.conf.5.html#ENCRYPTPASSWORDS">encrypt passwords</ulink> = yes - - ; support domain logons - <ulink url="smb.conf.5.html#DOMAINLOGONS">domain logons</ulink> = yes - - ; where to store user profiles? - <ulink url="smb.conf.5.html#LOGONPATH">logon path</ulink> = \\%N\profiles\%u - - ; where is a user's home directory and where should it be mounted at? - <ulink url="smb.conf.5.html#LOGONDRIVE">logon drive</ulink> = H: - <ulink url="smb.conf.5.html#LOGONHOME">logon home</ulink> = \\homeserver\%u - - ; specify a generic logon script for all users - ; this is a relative **DOS** path to the [netlogon] share - <ulink url="smb.conf.5.html#LOGONSCRIPT">logon script</ulink> = logon.cmd - -; necessary share for domain controller -[netlogon] - <ulink url="smb.conf.5.html#PATH">path</ulink> = /usr/local/samba/lib/netlogon - <ulink url="smb.conf.5.html#READONLY">read only</ulink> = yes - <ulink url="smb.conf.5.html#WRITELIST">write list</ulink> = <replaceable>ntadmin</replaceable> - -; share for storing user profiles -[profiles] - <ulink url="smb.conf.5.html#PATH">path</ulink> = /export/smb/ntprofile - <ulink url="smb.conf.5.html#READONLY">read only</ulink> = no - <ulink url="smb.conf.5.html#CREATEMASK">create mask</ulink> = 0600 - <ulink url="smb.conf.5.html#DIRECTORYMASK">directory mask</ulink> = 0700 + [global] + ; Basic server settings + <ulink url="smb.conf.5.html#NETBIOSNAME">netbios name</ulink> = <replaceable>POGO</replaceable> + <ulink url="smb.conf.5.html#WORKGROUP">workgroup</ulink> = <replaceable>NARNIA</replaceable> + + ; User and Machine Account Backends + ; Choices are: tdbsam, smbpasswd, ldapsam, mysqlsam, xmlsam, guest + <ulink url="smb.conf.5.html#PASSDBBACKEND">passdb backend</ulink> = ldapsam, guest + + ; we should act as the domain and local master browser + <ulink url="smb.conf.5.html#OSLEVEL">os level</ulink> = 64 + <ulink url="smb.conf.5.html#PERFERREDMASTER">preferred master</ulink> = yes + <ulink url="smb.conf.5.html#DOMAINMASTER">domain master</ulink> = yes + <ulink url="smb.conf.5.html#LOCALMASTER">local master</ulink> = yes + + ; security settings (must user security = user) + <ulink url="smb.conf.5.html#SECURITYEQUALSUSER">security</ulink> = user + + ; encrypted passwords are a requirement for a PDC + <ulink url="smb.conf.5.html#ENCRYPTPASSWORDS">encrypt passwords</ulink> = yes + + ; support domain logons + <ulink url="smb.conf.5.html#DOMAINLOGONS">domain logons</ulink> = yes + + ; where to store user profiles? + <ulink url="smb.conf.5.html#LOGONPATH">logon path</ulink> = \\%N\profiles\%u + + ; where is a user's home directory and where should it be mounted at? + <ulink url="smb.conf.5.html#LOGONDRIVE">logon drive</ulink> = H: + <ulink url="smb.conf.5.html#LOGONHOME">logon home</ulink> = \\homeserver\%u + + ; specify a generic logon script for all users + ; this is a relative **DOS** path to the [netlogon] share + <ulink url="smb.conf.5.html#LOGONSCRIPT">logon script</ulink> = logon.cmd + + ; necessary share for domain controller + [netlogon] + <ulink url="smb.conf.5.html#PATH">path</ulink> = /usr/local/samba/lib/netlogon + <ulink url="smb.conf.5.html#READONLY">read only</ulink> = yes + <ulink url="smb.conf.5.html#WRITELIST">write list</ulink> = <replaceable>ntadmin</replaceable> + + ; share for storing user profiles + [profiles] + <ulink url="smb.conf.5.html#PATH">path</ulink> = /export/smb/ntprofile + <ulink url="smb.conf.5.html#READONLY">read only</ulink> = no + <ulink url="smb.conf.5.html#CREATEMASK">create mask</ulink> = 0600 + <ulink url="smb.conf.5.html#DIRECTORYMASK">directory mask</ulink> = 0700 </programlisting></para> <note><para> @@ -257,10 +292,7 @@ between Windows NT groups and Unix groups (this is really quite complicated to explain in a short space). </para> -</sect1> - - -<sect1> +<sect2> <title>Creating Machine Trust Accounts and Joining Clients to the Domain</title> <para> @@ -281,8 +313,13 @@ because it does not possess a machine trust account, and thus has no shared secret with the domain controller. </para> -<para>A Windows PDC stores each machine trust account in the Windows -Registry. A Samba-3 PDC also has to store machine trust account information +<para>A Windows NT4 PDC stores each machine trust account in the Windows +Registry. The introduction of MS Windows 2000 saw the introduction of Active Directory, +the new repository for machine trust accounts. +</para> + +<para> +A Samba-3 PDC also has to store machine trust account information in a suitable backend data store. With Samba-3 there can be multiple back-ends for this including: </para> @@ -297,13 +334,6 @@ for this including: </para></listitem> <listitem><para> - <emphasis>smbpasswd_nua</emphasis> - This file is independant of the - system wide user accounts. The use of this back-end option requires - specification of the "non unix account range" option also. It is called - smbpasswd and will be located in the <filename>private</filename> directory. - </para></listitem> - - <listitem><para> <emphasis>tdbsam</emphasis> - a binary database backend that will be stored in the <emphasis>private</emphasis> directory in a file called <emphasis>passwd.tdb</emphasis>. The key benefit of this binary format @@ -312,22 +342,9 @@ for this including: </para></listitem> <listitem><para> - <emphasis>tdbsam_nua</emphasis> like the smbpasswd_nua option above, this - file allows the creation of arbitrary user and machine accounts without - requiring that account to be added to the system (/etc/passwd) file. It - too requires the specification of the "non unix account range" option - in the [globals] section of the &smb.conf; file. - </para></listitem> - - <listitem><para> <emphasis>ldapsam</emphasis> - An LDAP based back-end. Permits the LDAP server to be specified. eg: ldap://localhost or ldap://frodo.murphy.com </para></listitem> - - <listitem><para> - <emphasis>ldapsam_nua</emphasis> - LDAP based back-end with no unix - account requirement, like smbpasswd_nua and tdbsam_nua above. - </para></listitem> </itemizedlist> <para>Read the chapter about the <link linkend="passdb">User Database</link> @@ -346,9 +363,8 @@ as follows: <itemizedlist> <listitem><para>A Samba account, stored in the same location as user - LanMan and NT password hashes (currently - <filename>smbpasswd</filename>). The Samba account - possesses and uses only the NT password hash.</para></listitem> + LanMan and NT password hashes (currently <filename>smbpasswd</filename>). + The Samba account possesses and uses only the NT password hash.</para></listitem> <listitem><para>A corresponding Unix account, typically stored in <filename>/etc/passwd</filename>. (Future releases will alleviate the need to @@ -373,7 +389,7 @@ There are two ways to create machine trust accounts: </itemizedlist> -<sect2> +<sect3> <title>Manual Creation of Machine Trust Accounts</title> <para> @@ -452,10 +468,10 @@ the corresponding Unix account. information to such clients. You have been warned! </para> </warning> -</sect2> +</sect3> -<sect2> +<sect3> <title>"On-the-Fly" Creation of Machine Trust Accounts</title> <para> @@ -482,10 +498,10 @@ be created manually. add machine script = /usr/sbin/useradd -d /dev/null -g 100 -s /bin/false -M %u </programlisting></para> -</sect2> +</sect3> -<sect2><title>Joining the Client to the Domain</title> +<sect3><title>Joining the Client to the Domain</title> <para> The procedure for joining a client to the domain varies with the @@ -535,122 +551,17 @@ version of Windows. </para></listitem> </itemizedlist> +</sect3> </sect2> </sect1> <sect1> -<title>Common Problems and Errors</title> - -<sect2> -<title>I cannot include a '$' in a machine name</title> -<para> -A 'machine name' in (typically) <filename>/etc/passwd</filename> -of the machine name with a '$' appended. FreeBSD (and other BSD -systems?) won't create a user with a '$' in their name. -</para> - -<para> -The problem is only in the program used to make the entry. Once made, it works perfectly. -Create a user without the '$' using <command>vipw</command> to edit the entry, adding -the '$'. Or create the whole entry with vipw if you like, make sure you use a unique User ID! -</para> -</sect2> - -<sect2> -<title>I get told "You already have a connection to the Domain...." -or "Cannot join domain, the credentials supplied conflict with an -existing set.." when creating a machine trust account.</title> - -<para> -This happens if you try to create a machine trust account from the -machine itself and already have a connection (e.g. mapped drive) -to a share (or IPC$) on the Samba PDC. The following command -will remove all network drive connections: -</para> +<title>Samba ADS Domain Control</title> <para> -<prompt>C:\WINNT\></prompt> <command>net use * /d</command> +Not yet Freddie! </para> -<para> -Further, if the machine is already a 'member of a workgroup' that -is the same name as the domain you are joining (bad idea) you will -get this message. Change the workgroup name to something else, it -does not matter what, reboot, and try again. -</para> -</sect2> - -<sect2> -<title>The system can not log you on (C000019B)....</title> - -<para>I joined the domain successfully but after upgrading -to a newer version of the Samba code I get the message, "The system -can not log you on (C000019B), Please try again or consult your -system administrator" when attempting to logon. -</para> - -<para> -This occurs when the domain SID stored in the secrets.tdb database -is changed. The most common cause of a change in domain SID is when -the domain name and/or the server name (netbios name) is changed. -The only way to correct the problem is to restore the original domain -SID or remove the domain client from the domain and rejoin. The domain -SID may be reset using either the net or rpcclient utilities. -</para> - -<para> -The reset or change the domain SID you can use the net command as follows: - -<programlisting> - net getlocalsid 'OLDNAME' - net setlocalsid 'SID' -</programlisting> -</para> - -</sect2> - -<sect2> -<title>The machine trust account for this computer either does not -exist or is not accessible.</title> - -<para> -When I try to join the domain I get the message "The machine account -for this computer either does not exist or is not accessible". What's -wrong? -</para> - -<para> -This problem is caused by the PDC not having a suitable machine trust account. -If you are using the <parameter>add machine script</parameter> method to create -accounts then this would indicate that it has not worked. Ensure the domain -admin user system is working. -</para> - -<para> -Alternatively if you are creating account entries manually then they -have not been created correctly. Make sure that you have the entry -correct for the machine trust account in smbpasswd file on the Samba PDC. -If you added the account using an editor rather than using the smbpasswd -utility, make sure that the account name is the machine NetBIOS name -with a '$' appended to it ( i.e. computer_name$ ). There must be an entry -in both /etc/passwd and the smbpasswd file. Some people have reported -that inconsistent subnet masks between the Samba server and the NT -client have caused this problem. Make sure that these are consistent -for both client and server. -</para> -</sect2> - -<sect2> -<title>When I attempt to login to a Samba Domain from a NT4/W2K workstation, -I get a message about my account being disabled.</title> - -<para> -At first be ensure to enable the useraccounts with <command>smbpasswd -e -%user%</command>, this is normally done, when you create an account. -</para> - -</sect2> - </sect1> <sect1> @@ -767,11 +678,10 @@ worthwhile to look at how a Windows 9x/ME client performs a logon: <sect2> -<title>Configuration Instructions: Network Logons</title> +<title>Configuring Network Logon Capability</title> <para> -The main difference between a PDC and a Windows 9x logon -server configuration is that +The main difference between a PDC and a Windows 9x logon server configuration is that </para> <itemizedlist> @@ -787,8 +697,7 @@ Windows 9x/ME clients do not possess machine trust accounts. </itemizedlist> <para> -Therefore, a Samba PDC will also act as a Windows 9x logon -server. +Therefore, a Samba PDC will also act as a Windows 9x logon server. </para> @@ -839,4 +748,118 @@ for its domain. </sect2> </sect1> + +<sect1> +<title>Common Problems and Errors</title> + +<sect2> +<title>I cannot include a '$' in a machine name</title> +<para> +A 'machine name' in (typically) <filename>/etc/passwd</filename> +of the machine name with a '$' appended. FreeBSD (and other BSD +systems?) won't create a user with a '$' in their name. +</para> + +<para> +The problem is only in the program used to make the entry. Once made, it works perfectly. +Create a user without the '$' using <command>vipw</command> to edit the entry, adding +the '$'. Or create the whole entry with vipw if you like, make sure you use a unique User ID! +</para> +</sect2> + +<sect2> +<title>I get told "You already have a connection to the Domain...." +or "Cannot join domain, the credentials supplied conflict with an +existing set.." when creating a machine trust account.</title> + +<para> +This happens if you try to create a machine trust account from the +machine itself and already have a connection (e.g. mapped drive) +to a share (or IPC$) on the Samba PDC. The following command +will remove all network drive connections: +</para> + +<para> +<prompt>C:\WINNT\></prompt> <command>net use * /d</command> +</para> + +<para> +Further, if the machine is already a 'member of a workgroup' that +is the same name as the domain you are joining (bad idea) you will +get this message. Change the workgroup name to something else, it +does not matter what, reboot, and try again. +</para> +</sect2> + +<sect2> +<title>The system can not log you on (C000019B)....</title> + +<para>I joined the domain successfully but after upgrading +to a newer version of the Samba code I get the message, "The system +can not log you on (C000019B), Please try again or consult your +system administrator" when attempting to logon. +</para> + +<para> +This occurs when the domain SID stored in the secrets.tdb database +is changed. The most common cause of a change in domain SID is when +the domain name and/or the server name (netbios name) is changed. +The only way to correct the problem is to restore the original domain +SID or remove the domain client from the domain and rejoin. The domain +SID may be reset using either the net or rpcclient utilities. +</para> + +<para> +The reset or change the domain SID you can use the net command as follows: + +<programlisting> + net getlocalsid 'OLDNAME' + net setlocalsid 'SID' +</programlisting> +</para> + +</sect2> + +<sect2> +<title>The machine trust account for this computer either does not +exist or is not accessible.</title> + +<para> +When I try to join the domain I get the message "The machine account +for this computer either does not exist or is not accessible". What's +wrong? +</para> + +<para> +This problem is caused by the PDC not having a suitable machine trust account. +If you are using the <parameter>add machine script</parameter> method to create +accounts then this would indicate that it has not worked. Ensure the domain +admin user system is working. +</para> + +<para> +Alternatively if you are creating account entries manually then they +have not been created correctly. Make sure that you have the entry +correct for the machine trust account in smbpasswd file on the Samba PDC. +If you added the account using an editor rather than using the smbpasswd +utility, make sure that the account name is the machine NetBIOS name +with a '$' appended to it ( i.e. computer_name$ ). There must be an entry +in both /etc/passwd and the smbpasswd file. Some people have reported +that inconsistent subnet masks between the Samba server and the NT +client have caused this problem. Make sure that these are consistent +for both client and server. +</para> +</sect2> + +<sect2> +<title>When I attempt to login to a Samba Domain from a NT4/W2K workstation, +I get a message about my account being disabled.</title> + +<para> +At first be ensure to enable the useraccounts with <command>smbpasswd -e +%user%</command>, this is normally done, when you create an account. +</para> + +</sect2> +</sect1> </chapter> |