summaryrefslogtreecommitdiff
path: root/docs/docbook/projdoc/Samba-PDC-HOWTO.xml
diff options
context:
space:
mode:
Diffstat (limited to 'docs/docbook/projdoc/Samba-PDC-HOWTO.xml')
-rw-r--r--docs/docbook/projdoc/Samba-PDC-HOWTO.xml455
1 files changed, 239 insertions, 216 deletions
diff --git a/docs/docbook/projdoc/Samba-PDC-HOWTO.xml b/docs/docbook/projdoc/Samba-PDC-HOWTO.xml
index 0189b59f2e..9bbcb134b4 100644
--- a/docs/docbook/projdoc/Samba-PDC-HOWTO.xml
+++ b/docs/docbook/projdoc/Samba-PDC-HOWTO.xml
@@ -14,13 +14,7 @@
<pubdate> (26 Apr 2001) </pubdate>
</chapterinfo>
-<title>
-Samba as an NT4 or Win2k Primary Domain Controller
-</title>
-
-
-<sect1>
-<title>Prerequisite Reading</title>
+<title>Domain Control</title>
<para>
Before you continue reading in this chapter, please make sure
@@ -30,16 +24,61 @@ encryption in Samba. Theses two topics are covered in the
&smb.conf; manpage.
</para>
-
-</sect1>
-
-
-
<sect1>
<title>
Background
</title>
+<sect2>
+<title>Domain Controller</title>
+
+<para>
+Over the years public perceptions of what Domain Control really is has taken on an
+almost mystical nature. Before we branch into a brief overview of what Domain Control
+is the following types of controller are known:
+</para>
+
+<sect3>
+<title>Domain Controller Types</title>
+
+<simplelist>
+ <member>Primary Domain Controller</member>
+ <member>Backup Domain Controller</member>
+ <member>ADS Domain Controller</member>
+</simplelist>
+
+<para>
+The <emphasis>Primary Domain Controller</emphasis> or PDC plays an important role in the MS
+Windows NT3 and NT4 Domain Control architecture, but not in the manner that so many
+expect. The PDC seeds the Domain Control database (a part of the Windows registry) and
+it plays a key part in synchronisation of the domain authentication database.
+</para>
+
+<para>
+New to Samba-3.0.0 is the ability to use a back-end file that holds the same type of data as
+the NT4 style SAM (Security Account Manager) database (one of the registry files).
+The samba-3.0.0 SAM can be specified via the smb.conf file parameter "passwd backend" and
+valid options include <emphasis> smbpasswd tdbsam ldapsam nisplussam plugin unixsam</emphasis>.
+The smbpasswd, tdbsam and ldapsam options can have a "_nua" suffix to indicate that No Unix
+Accounts need to be created. In other words, the Samba SAM will be independant of Unix/Linux
+system accounts, provided a uid range is defined from which SAM accounts can be created.
+</para>
+
+<para>
+The <emphasis>Backup Domain Controller</emphasis> or BDC plays a key role in servicing network
+authentication requests. The BDC is biased to answer logon requests so that on a network segment
+that has a BDC and a PDC the BDC will be most likely to service network logon requests. The PDC will
+answer network logon requests when the BDC is too busy (high load). A BDC can be promoted to
+a PDC. If the PDC is on line at the time that the BDC is promoted to PDC the previous PDC is
+automatically demoted to a BDC.
+</para>
+
+<para>
+At this time Samba is NOT capable of acting as an <emphasis>ADS Domain Controller</emphasis>.
+</para>
+</sect3>
+</sect2>
+
<para>
This article outlines the steps necessary for configuring Samba as a PDC.
It is necessary to have a working Samba server prior to implementing the
@@ -140,22 +179,19 @@ steps.
</orderedlist>
<para>
-There are other minor details such as user profiles, system
-policies, etc... However, these are not necessarily specific
-to a Samba PDC as much as they are related to Windows NT networking
-concepts.
+There are other minor details such as user profiles, system policies, etc...
+However, these are not necessarily specific to a Samba PDC as much as they are
+related to Windows NT networking concepts.
</para>
</sect1>
-
<sect1>
-<title>Configuring the Samba Domain Controller</title>
+<title>Configuring Samba NT4 Style Domain Control</title>
<para>
-The first step in creating a working Samba PDC is to
-understand the parameters necessary in smb.conf. Here we
-attempt to explain the parameters that are covered in
+The first step in creating a working Samba PDC is to understand the parameters necessary
+in &smb.conf;. Here we attempt to explain the parameters that are covered in
the &smb.conf; man page.
</para>
@@ -164,54 +200,53 @@ Here is an example &smb.conf; for acting as a PDC:
</para>
<para><programlisting>
-[global]
- ; Basic server settings
- <ulink url="smb.conf.5.html#NETBIOSNAME">netbios name</ulink> = <replaceable>POGO</replaceable>
- <ulink url="smb.conf.5.html#WORKGROUP">workgroup</ulink> = <replaceable>NARNIA</replaceable>
-
- ; User and Machine Account Backends
- ; Choices are: tdbsam, tdbsam_nua, smbpasswd, smbpasswd_nua, ldapsam, ldapsam_nua, ...
- ; mysqlsam, xmlsam, guest
- <ulink url="smb.conf.5.html#PASSDBBACKEND">passdb backend</ulink> = ldapsam, guest
-
- ; we should act as the domain and local master browser
- <ulink url="smb.conf.5.html#OSLEVEL">os level</ulink> = 64
- <ulink url="smb.conf.5.html#PERFERREDMASTER">preferred master</ulink> = yes
- <ulink url="smb.conf.5.html#DOMAINMASTER">domain master</ulink> = yes
- <ulink url="smb.conf.5.html#LOCALMASTER">local master</ulink> = yes
-
- ; security settings (must user security = user)
- <ulink url="smb.conf.5.html#SECURITYEQUALSUSER">security</ulink> = user
-
- ; encrypted passwords are a requirement for a PDC
- <ulink url="smb.conf.5.html#ENCRYPTPASSWORDS">encrypt passwords</ulink> = yes
-
- ; support domain logons
- <ulink url="smb.conf.5.html#DOMAINLOGONS">domain logons</ulink> = yes
-
- ; where to store user profiles?
- <ulink url="smb.conf.5.html#LOGONPATH">logon path</ulink> = \\%N\profiles\%u
-
- ; where is a user's home directory and where should it be mounted at?
- <ulink url="smb.conf.5.html#LOGONDRIVE">logon drive</ulink> = H:
- <ulink url="smb.conf.5.html#LOGONHOME">logon home</ulink> = \\homeserver\%u
-
- ; specify a generic logon script for all users
- ; this is a relative **DOS** path to the [netlogon] share
- <ulink url="smb.conf.5.html#LOGONSCRIPT">logon script</ulink> = logon.cmd
-
-; necessary share for domain controller
-[netlogon]
- <ulink url="smb.conf.5.html#PATH">path</ulink> = /usr/local/samba/lib/netlogon
- <ulink url="smb.conf.5.html#READONLY">read only</ulink> = yes
- <ulink url="smb.conf.5.html#WRITELIST">write list</ulink> = <replaceable>ntadmin</replaceable>
-
-; share for storing user profiles
-[profiles]
- <ulink url="smb.conf.5.html#PATH">path</ulink> = /export/smb/ntprofile
- <ulink url="smb.conf.5.html#READONLY">read only</ulink> = no
- <ulink url="smb.conf.5.html#CREATEMASK">create mask</ulink> = 0600
- <ulink url="smb.conf.5.html#DIRECTORYMASK">directory mask</ulink> = 0700
+ [global]
+ ; Basic server settings
+ <ulink url="smb.conf.5.html#NETBIOSNAME">netbios name</ulink> = <replaceable>POGO</replaceable>
+ <ulink url="smb.conf.5.html#WORKGROUP">workgroup</ulink> = <replaceable>NARNIA</replaceable>
+
+ ; User and Machine Account Backends
+ ; Choices are: tdbsam, smbpasswd, ldapsam, mysqlsam, xmlsam, guest
+ <ulink url="smb.conf.5.html#PASSDBBACKEND">passdb backend</ulink> = ldapsam, guest
+
+ ; we should act as the domain and local master browser
+ <ulink url="smb.conf.5.html#OSLEVEL">os level</ulink> = 64
+ <ulink url="smb.conf.5.html#PERFERREDMASTER">preferred master</ulink> = yes
+ <ulink url="smb.conf.5.html#DOMAINMASTER">domain master</ulink> = yes
+ <ulink url="smb.conf.5.html#LOCALMASTER">local master</ulink> = yes
+
+ ; security settings (must user security = user)
+ <ulink url="smb.conf.5.html#SECURITYEQUALSUSER">security</ulink> = user
+
+ ; encrypted passwords are a requirement for a PDC
+ <ulink url="smb.conf.5.html#ENCRYPTPASSWORDS">encrypt passwords</ulink> = yes
+
+ ; support domain logons
+ <ulink url="smb.conf.5.html#DOMAINLOGONS">domain logons</ulink> = yes
+
+ ; where to store user profiles?
+ <ulink url="smb.conf.5.html#LOGONPATH">logon path</ulink> = \\%N\profiles\%u
+
+ ; where is a user's home directory and where should it be mounted at?
+ <ulink url="smb.conf.5.html#LOGONDRIVE">logon drive</ulink> = H:
+ <ulink url="smb.conf.5.html#LOGONHOME">logon home</ulink> = \\homeserver\%u
+
+ ; specify a generic logon script for all users
+ ; this is a relative **DOS** path to the [netlogon] share
+ <ulink url="smb.conf.5.html#LOGONSCRIPT">logon script</ulink> = logon.cmd
+
+ ; necessary share for domain controller
+ [netlogon]
+ <ulink url="smb.conf.5.html#PATH">path</ulink> = /usr/local/samba/lib/netlogon
+ <ulink url="smb.conf.5.html#READONLY">read only</ulink> = yes
+ <ulink url="smb.conf.5.html#WRITELIST">write list</ulink> = <replaceable>ntadmin</replaceable>
+
+ ; share for storing user profiles
+ [profiles]
+ <ulink url="smb.conf.5.html#PATH">path</ulink> = /export/smb/ntprofile
+ <ulink url="smb.conf.5.html#READONLY">read only</ulink> = no
+ <ulink url="smb.conf.5.html#CREATEMASK">create mask</ulink> = 0600
+ <ulink url="smb.conf.5.html#DIRECTORYMASK">directory mask</ulink> = 0700
</programlisting></para>
<note><para>
@@ -257,10 +292,7 @@ between Windows NT groups and Unix groups (this is really quite
complicated to explain in a short space).
</para>
-</sect1>
-
-
-<sect1>
+<sect2>
<title>Creating Machine Trust Accounts and Joining Clients to the Domain</title>
<para>
@@ -281,8 +313,13 @@ because it does not possess a machine trust account, and thus has no
shared secret with the domain controller.
</para>
-<para>A Windows PDC stores each machine trust account in the Windows
-Registry. A Samba-3 PDC also has to store machine trust account information
+<para>A Windows NT4 PDC stores each machine trust account in the Windows
+Registry. The introduction of MS Windows 2000 saw the introduction of Active Directory,
+the new repository for machine trust accounts.
+</para>
+
+<para>
+A Samba-3 PDC also has to store machine trust account information
in a suitable backend data store. With Samba-3 there can be multiple back-ends
for this including:
</para>
@@ -297,13 +334,6 @@ for this including:
</para></listitem>
<listitem><para>
- <emphasis>smbpasswd_nua</emphasis> - This file is independant of the
- system wide user accounts. The use of this back-end option requires
- specification of the "non unix account range" option also. It is called
- smbpasswd and will be located in the <filename>private</filename> directory.
- </para></listitem>
-
- <listitem><para>
<emphasis>tdbsam</emphasis> - a binary database backend that will be
stored in the <emphasis>private</emphasis> directory in a file called
<emphasis>passwd.tdb</emphasis>. The key benefit of this binary format
@@ -312,22 +342,9 @@ for this including:
</para></listitem>
<listitem><para>
- <emphasis>tdbsam_nua</emphasis> like the smbpasswd_nua option above, this
- file allows the creation of arbitrary user and machine accounts without
- requiring that account to be added to the system (/etc/passwd) file. It
- too requires the specification of the "non unix account range" option
- in the [globals] section of the &smb.conf; file.
- </para></listitem>
-
- <listitem><para>
<emphasis>ldapsam</emphasis> - An LDAP based back-end. Permits the
LDAP server to be specified. eg: ldap://localhost or ldap://frodo.murphy.com
</para></listitem>
-
- <listitem><para>
- <emphasis>ldapsam_nua</emphasis> - LDAP based back-end with no unix
- account requirement, like smbpasswd_nua and tdbsam_nua above.
- </para></listitem>
</itemizedlist>
<para>Read the chapter about the <link linkend="passdb">User Database</link>
@@ -346,9 +363,8 @@ as follows:
<itemizedlist>
<listitem><para>A Samba account, stored in the same location as user
- LanMan and NT password hashes (currently
- <filename>smbpasswd</filename>). The Samba account
- possesses and uses only the NT password hash.</para></listitem>
+ LanMan and NT password hashes (currently <filename>smbpasswd</filename>).
+ The Samba account possesses and uses only the NT password hash.</para></listitem>
<listitem><para>A corresponding Unix account, typically stored in
<filename>/etc/passwd</filename>. (Future releases will alleviate the need to
@@ -373,7 +389,7 @@ There are two ways to create machine trust accounts:
</itemizedlist>
-<sect2>
+<sect3>
<title>Manual Creation of Machine Trust Accounts</title>
<para>
@@ -452,10 +468,10 @@ the corresponding Unix account.
information to such clients. You have been warned!
</para>
</warning>
-</sect2>
+</sect3>
-<sect2>
+<sect3>
<title>"On-the-Fly" Creation of Machine Trust Accounts</title>
<para>
@@ -482,10 +498,10 @@ be created manually.
add machine script = /usr/sbin/useradd -d /dev/null -g 100 -s /bin/false -M %u
</programlisting></para>
-</sect2>
+</sect3>
-<sect2><title>Joining the Client to the Domain</title>
+<sect3><title>Joining the Client to the Domain</title>
<para>
The procedure for joining a client to the domain varies with the
@@ -535,122 +551,17 @@ version of Windows.
</para></listitem>
</itemizedlist>
+</sect3>
</sect2>
</sect1>
<sect1>
-<title>Common Problems and Errors</title>
-
-<sect2>
-<title>I cannot include a '$' in a machine name</title>
-<para>
-A 'machine name' in (typically) <filename>/etc/passwd</filename>
-of the machine name with a '$' appended. FreeBSD (and other BSD
-systems?) won't create a user with a '$' in their name.
-</para>
-
-<para>
-The problem is only in the program used to make the entry. Once made, it works perfectly.
-Create a user without the '$' using <command>vipw</command> to edit the entry, adding
-the '$'. Or create the whole entry with vipw if you like, make sure you use a unique User ID!
-</para>
-</sect2>
-
-<sect2>
-<title>I get told "You already have a connection to the Domain...."
-or "Cannot join domain, the credentials supplied conflict with an
-existing set.." when creating a machine trust account.</title>
-
-<para>
-This happens if you try to create a machine trust account from the
-machine itself and already have a connection (e.g. mapped drive)
-to a share (or IPC$) on the Samba PDC. The following command
-will remove all network drive connections:
-</para>
+<title>Samba ADS Domain Control</title>
<para>
-<prompt>C:\WINNT\></prompt> <command>net use * /d</command>
+Not yet Freddie!
</para>
-<para>
-Further, if the machine is already a 'member of a workgroup' that
-is the same name as the domain you are joining (bad idea) you will
-get this message. Change the workgroup name to something else, it
-does not matter what, reboot, and try again.
-</para>
-</sect2>
-
-<sect2>
-<title>The system can not log you on (C000019B)....</title>
-
-<para>I joined the domain successfully but after upgrading
-to a newer version of the Samba code I get the message, "The system
-can not log you on (C000019B), Please try again or consult your
-system administrator" when attempting to logon.
-</para>
-
-<para>
-This occurs when the domain SID stored in the secrets.tdb database
-is changed. The most common cause of a change in domain SID is when
-the domain name and/or the server name (netbios name) is changed.
-The only way to correct the problem is to restore the original domain
-SID or remove the domain client from the domain and rejoin. The domain
-SID may be reset using either the net or rpcclient utilities.
-</para>
-
-<para>
-The reset or change the domain SID you can use the net command as follows:
-
-<programlisting>
- net getlocalsid 'OLDNAME'
- net setlocalsid 'SID'
-</programlisting>
-</para>
-
-</sect2>
-
-<sect2>
-<title>The machine trust account for this computer either does not
-exist or is not accessible.</title>
-
-<para>
-When I try to join the domain I get the message "The machine account
-for this computer either does not exist or is not accessible". What's
-wrong?
-</para>
-
-<para>
-This problem is caused by the PDC not having a suitable machine trust account.
-If you are using the <parameter>add machine script</parameter> method to create
-accounts then this would indicate that it has not worked. Ensure the domain
-admin user system is working.
-</para>
-
-<para>
-Alternatively if you are creating account entries manually then they
-have not been created correctly. Make sure that you have the entry
-correct for the machine trust account in smbpasswd file on the Samba PDC.
-If you added the account using an editor rather than using the smbpasswd
-utility, make sure that the account name is the machine NetBIOS name
-with a '$' appended to it ( i.e. computer_name$ ). There must be an entry
-in both /etc/passwd and the smbpasswd file. Some people have reported
-that inconsistent subnet masks between the Samba server and the NT
-client have caused this problem. Make sure that these are consistent
-for both client and server.
-</para>
-</sect2>
-
-<sect2>
-<title>When I attempt to login to a Samba Domain from a NT4/W2K workstation,
-I get a message about my account being disabled.</title>
-
-<para>
-At first be ensure to enable the useraccounts with <command>smbpasswd -e
-%user%</command>, this is normally done, when you create an account.
-</para>
-
-</sect2>
-
</sect1>
<sect1>
@@ -767,11 +678,10 @@ worthwhile to look at how a Windows 9x/ME client performs a logon:
<sect2>
-<title>Configuration Instructions: Network Logons</title>
+<title>Configuring Network Logon Capability</title>
<para>
-The main difference between a PDC and a Windows 9x logon
-server configuration is that
+The main difference between a PDC and a Windows 9x logon server configuration is that
</para>
<itemizedlist>
@@ -787,8 +697,7 @@ Windows 9x/ME clients do not possess machine trust accounts.
</itemizedlist>
<para>
-Therefore, a Samba PDC will also act as a Windows 9x logon
-server.
+Therefore, a Samba PDC will also act as a Windows 9x logon server.
</para>
@@ -839,4 +748,118 @@ for its domain.
</sect2>
</sect1>
+
+<sect1>
+<title>Common Problems and Errors</title>
+
+<sect2>
+<title>I cannot include a '$' in a machine name</title>
+<para>
+A 'machine name' in (typically) <filename>/etc/passwd</filename>
+of the machine name with a '$' appended. FreeBSD (and other BSD
+systems?) won't create a user with a '$' in their name.
+</para>
+
+<para>
+The problem is only in the program used to make the entry. Once made, it works perfectly.
+Create a user without the '$' using <command>vipw</command> to edit the entry, adding
+the '$'. Or create the whole entry with vipw if you like, make sure you use a unique User ID!
+</para>
+</sect2>
+
+<sect2>
+<title>I get told "You already have a connection to the Domain...."
+or "Cannot join domain, the credentials supplied conflict with an
+existing set.." when creating a machine trust account.</title>
+
+<para>
+This happens if you try to create a machine trust account from the
+machine itself and already have a connection (e.g. mapped drive)
+to a share (or IPC$) on the Samba PDC. The following command
+will remove all network drive connections:
+</para>
+
+<para>
+<prompt>C:\WINNT\></prompt> <command>net use * /d</command>
+</para>
+
+<para>
+Further, if the machine is already a 'member of a workgroup' that
+is the same name as the domain you are joining (bad idea) you will
+get this message. Change the workgroup name to something else, it
+does not matter what, reboot, and try again.
+</para>
+</sect2>
+
+<sect2>
+<title>The system can not log you on (C000019B)....</title>
+
+<para>I joined the domain successfully but after upgrading
+to a newer version of the Samba code I get the message, "The system
+can not log you on (C000019B), Please try again or consult your
+system administrator" when attempting to logon.
+</para>
+
+<para>
+This occurs when the domain SID stored in the secrets.tdb database
+is changed. The most common cause of a change in domain SID is when
+the domain name and/or the server name (netbios name) is changed.
+The only way to correct the problem is to restore the original domain
+SID or remove the domain client from the domain and rejoin. The domain
+SID may be reset using either the net or rpcclient utilities.
+</para>
+
+<para>
+The reset or change the domain SID you can use the net command as follows:
+
+<programlisting>
+ net getlocalsid 'OLDNAME'
+ net setlocalsid 'SID'
+</programlisting>
+</para>
+
+</sect2>
+
+<sect2>
+<title>The machine trust account for this computer either does not
+exist or is not accessible.</title>
+
+<para>
+When I try to join the domain I get the message "The machine account
+for this computer either does not exist or is not accessible". What's
+wrong?
+</para>
+
+<para>
+This problem is caused by the PDC not having a suitable machine trust account.
+If you are using the <parameter>add machine script</parameter> method to create
+accounts then this would indicate that it has not worked. Ensure the domain
+admin user system is working.
+</para>
+
+<para>
+Alternatively if you are creating account entries manually then they
+have not been created correctly. Make sure that you have the entry
+correct for the machine trust account in smbpasswd file on the Samba PDC.
+If you added the account using an editor rather than using the smbpasswd
+utility, make sure that the account name is the machine NetBIOS name
+with a '$' appended to it ( i.e. computer_name$ ). There must be an entry
+in both /etc/passwd and the smbpasswd file. Some people have reported
+that inconsistent subnet masks between the Samba server and the NT
+client have caused this problem. Make sure that these are consistent
+for both client and server.
+</para>
+</sect2>
+
+<sect2>
+<title>When I attempt to login to a Samba Domain from a NT4/W2K workstation,
+I get a message about my account being disabled.</title>
+
+<para>
+At first be ensure to enable the useraccounts with <command>smbpasswd -e
+%user%</command>, this is normally done, when you create an account.
+</para>
+
+</sect2>
+</sect1>
</chapter>