diff options
Diffstat (limited to 'docs/docbook')
-rw-r--r-- | docs/docbook/Makefile.in | 3 | ||||
-rw-r--r-- | docs/docbook/projdoc/Samba-BDC-HOWTO.sgml | 233 | ||||
-rw-r--r-- | docs/docbook/projdoc/samba-doc.sgml | 4 | ||||
-rw-r--r-- | docs/docbook/projdoc/winbind.sgml | 2 |
4 files changed, 240 insertions, 2 deletions
diff --git a/docs/docbook/Makefile.in b/docs/docbook/Makefile.in index ef261b3bad..0a21b73f6f 100644 --- a/docs/docbook/Makefile.in +++ b/docs/docbook/Makefile.in @@ -60,7 +60,8 @@ HOWTOSRC=projdoc/DOMAIN_MEMBER.sgml projdoc/NT_Security.sgml \ projdoc/UNIX_INSTALL.sgml projdoc/winbind.sgml projdoc/OS2-Client-HOWTO.sgml \ projdoc/Samba-PDC-HOWTO.sgml projdoc/ENCRYPTION.sgml \ projdoc/CVS-Access.sgml projdoc/Integrating-with-Windows.sgml \ - projdoc/PAM-Authentication-And-Samba.sgml projdoc/Samba-LDAP-HOWTO.sgml + projdoc/PAM-Authentication-And-Samba.sgml projdoc/Samba-LDAP-HOWTO.sgml \ + projdoc/Samba-BDC-HOWTO.sgml diff --git a/docs/docbook/projdoc/Samba-BDC-HOWTO.sgml b/docs/docbook/projdoc/Samba-BDC-HOWTO.sgml new file mode 100644 index 0000000000..0dae399654 --- /dev/null +++ b/docs/docbook/projdoc/Samba-BDC-HOWTO.sgml @@ -0,0 +1,233 @@ +<chapter id="samba-bdc"> + + +<chapterinfo> + <author> + <firstname>Volker</firstname><surname>Lendecke</surname> + <affiliation> + <orgname>Samba Team</orgname> + <address><email>Volker.Lendecke@SerNet.DE</email></address> + </affiliation> + </author> + <pubdate> (26 Apr 2001) </pubdate> +</chapterinfo> + +<title> +How to a Purely Samba Controlled Domain +</title> + +<sect1> +<title>Prerequisite Reading</title> + +<para> +Before you continue reading in this chapter, please make sure +that you are comfortable with configuring a Samba PDC +as described in the <ulink url="Samba-PDC-HOWTO.html">Samba-PDC-HOWTO</ulink>. +</para> + + +</sect1> + +<sect1> + +<title>Background</title> + +<para> +What is a Domain Controller? It is a machine that is able to answer +logon requests from workstations in a Windows NT Domain. Whenever a +user logs into a Windows NT Workstation, the workstation connects to a +Domain Controller and asks him whether the username and password the +user typed in is correct. The Domain Controller replies with a lot of +information about the user, for example the place where the users +profile is stored, the users full name of the user. All this +information is stored in the NT user database, the so-called SAM. +</para> + +<para> +There are two kinds of Domain Controller in a NT 4 compatible Domain: +A Primary Domain Controller (PDC) and one or more Backup Domain +Controllers (BDC). The PDC contains the master copy of the +SAM. Whenever the SAM has to change, for example when a user changes +his password, this change has to be done on the PDC. A Backup Domain +Controller is a machine that maintains a read-only copy of the +SAM. This way it is able to reply to logon requests and authenticate +users in case the PDC is not available. During this time no changes to +the SAM are possible. Whenever changes to the SAM are done on the PDC, +all BDC receive the changes from the PDC. +</para> + +<para> +Since version 2.2 Samba officially supports domain logons for all +current Windows Clients, including Windows 2000 and XP. This text +assumes the domain to be named SAMBA. To be able to act as a PDC, some +parameters in the [global]-section of the smb.conf have to be set: +</para> + +<para><programlisting> +workgroup = SAMBA +domain master = yes +domain logons = yes +</programlisting></para> + +<para> +Several other things like a [homes] and a [netlogon] share also may be +set along with settings for the profile path, the users home drive and +others. This will not be covered in this document. +</para> + +</sect1> + + +<sect1> +<title>What qualifies a Domain Controller on the network?</title> + +<para> +Every machine that is a Domain Controller for the domain SAMBA has to +register the NetBIOS group name SAMBA#1c with the WINS server and/or +by broadcast on the local network. The PDC also registers the unique +NetBIOS name SAMBA#1b with the WINS server. The name type #1b is +normally reserved for the domain master browser, a role that has +nothing to do with anything related to authentication, but the +Microsoft Domain implementation requires the domain master browser to +be on the same machine as the PDC. +</para> + + +<sect2> +<title>How does a Workstation find its domain controller?</title> + +<para> +A NT workstation in the domain SAMBA that wants a local user to be +authenticated has to find the domain controller for SAMBA. It does +this by doing a NetBIOS name query for the group name SAMBA#1c. It +assumes that each of the machines it gets back from the queries is a +domain controller and can answer logon requests. To not open security +holes both the workstation and the selected (TODO: How is the DC +chosen) domain controller authenticate each other. After that the +workstation sends the user's credentials (his name and password) to +the domain controller, asking for approval. +</para> + +</sect2> + + +<sect2> +<title>When is the PDC needed?</title> + +<para> +Whenever a user wants to change his password, this has to be done on +the PDC. To find the PDC, the workstation does a NetBIOS name query +for SAMBA#1b, assuming this machine maintains the master copy of the +SAM. The workstation contacts the PDC, both mutually authenticate and +the password change is done. +</para> + +</sect2> + +</sect1> + + +<sect1> +<title>Can Samba be a Backup Domain Controller?</title> + +<para> +With version 2.2, no. The native NT SAM replication protocols have +not yet been fully implemented. The Samba Team is working on +understanding and implementing the protocols, but this work has not +been finished for version 2.2. +</para> + +<para> +Can I get the benefits of a BDC with Samba? Yes. The main reason for +implementing a BDC is availability. If the PDC is a Samba machine, +a second Samba machine can be set up to +service logon requests whenever the PDC is down. +</para> + +</sect1> + + +<sect1> +<title>How do I set up a Samba BDC?</title> + +<para> +Several things have to be done: +</para> + +<itemizedlist> + +<listitem><para> +The file private/MACHINE.SID identifies the domain. When a samba +server is first started, it is created on the fly and must never be +changed again. This file has to be the same on the PDC and the BDC, +so the MACHINE.SID has to be copied from the PDC to the BDC. +</para></listitem> + +<listitem><para> +The Unix user database has to be synchronized from the PDC to the +BDC. This means that both the /etc/passwd and /etc/group have to be +replicated from the PDC to the BDC. This can be done manually +whenever changes are made, or the PDC is set up as a NIS master +server and the BDC as a NIS slave server. To set up the BDC as a +mere NIS client would not be enough, as the BDC would not be able to +access its user database in case of a PDC failure. +</para></listitem> + +<listitem><para> +The Samba password database in the file private/smbpasswd has to be +replicated from the PDC to the BDC. This is a bit tricky, see the +next section. +</para></listitem> + +<listitem><para> +Any netlogon share has to be replicated from the PDC to the +BDC. This can be done manually whenever login scripts are changed, +or it can be done automatically together with the smbpasswd +synchronization. +</para></listitem> + +</itemizedlist> + +<para> +Finally, the BDC has to be found by the workstations. This can be done +by setting +</para> + +<para><programlisting> +workgroup = samba +domain master = no +domain logons = yes +</programlisting></para> + +<para> +in the [global]-section of the smb.conf of the BDC. This makes the BDC +only register the name SAMBA#1c with the WINS server. This is no +problem as the name SAMBA#1c is a NetBIOS group name that is meant to +be registered by more than one machine. The parameter 'domain master = +no' forces the BDC not to register SAMBA#1b which as a unique NetBIOS +name is reserved for the Primary Domain Controller. +</para> + +<sect2> +<title>How do I replicate the smbpasswd file?</title> + +<para> +Replication of the smbpasswd file is sensitive. It has to be done +whenever changes to the SAM are made. Every user's password change is +done in the smbpasswd file and has to be replicated to the BDC. So +replicating the smbpasswd file very often is necessary. +</para> + +<para> +As the smbpasswd file contains plain text password equivalents, it +must not be sent unencrypted over the wire. The best way to set up +smbpasswd replication from the PDC to the BDC is to use the utility +rsync. rsync can use ssh as a transport. ssh itself can be set up to +accept *only* rsync transfer without requiring the user to type a +password. +</para> + + +</sect2> +</sect1> +</chapter>
\ No newline at end of file diff --git a/docs/docbook/projdoc/samba-doc.sgml b/docs/docbook/projdoc/samba-doc.sgml index f1211c0ac6..e2fc5a1eb1 100644 --- a/docs/docbook/projdoc/samba-doc.sgml +++ b/docs/docbook/projdoc/samba-doc.sgml @@ -8,9 +8,11 @@ <!ENTITY NT-Security SYSTEM "NT_Security.sgml"> <!ENTITY OS2-Client SYSTEM "OS2-Client-HOWTO.sgml"> <!ENTITY Samba-PDC-HOWTO SYSTEM "Samba-PDC-HOWTO.sgml"> +<!ENTITY Samba-BDC-HOWTO SYSTEM "Samba-BDC-HOWTO.sgml"> <!ENTITY CVS-Access SYSTEM "CVS-Access.sgml"> <!ENTITY IntegratingWithWindows SYSTEM "Integrating-with-Windows.sgml"> <!ENTITY Samba-PAM SYSTEM "PAM-Authentication-And-Samba.sgml"> +<!ENTITY Samba-LDAP SYSTEM "Samba-LDAP-HOWTO.sgml"> <!ENTITY INDEX-FILE SYSTEM "index.sgml"> ]> @@ -56,6 +58,8 @@ Cheers, jerry &PRINTER-DRIVER2; &DOMAIN-MEMBER; &Samba-PDC-HOWTO; +&Samba-BDC-HOWTO; +&Samba-LDAP; &WINBIND; &OS2-Client; &CVS-Access; diff --git a/docs/docbook/projdoc/winbind.sgml b/docs/docbook/projdoc/winbind.sgml index eaa14bf0c2..fc8d8d52a1 100644 --- a/docs/docbook/projdoc/winbind.sgml +++ b/docs/docbook/projdoc/winbind.sgml @@ -557,7 +557,7 @@ a domain user who has administrative privileges in the domain. <para> -<prompt>root#</prompt> <command>/usr/local/samba/bin/smbpasswd -j DOMAIN -r PDC -U Administrator</command> +<prompt>root#</prompt> <command>/usr/local/samba/bin/net rpc join -s PDC -U Administrator</command> </para> |