Diffstat (limited to 'docs/htmldocs/domain-member.html')
| -rw-r--r-- | docs/htmldocs/domain-member.html | 446 | 
1 files changed, 0 insertions, 446 deletions
| diff --git a/docs/htmldocs/domain-member.html b/docs/htmldocs/domain-member.html deleted file mode 100644 index 9d70524a42..0000000000 --- a/docs/htmldocs/domain-member.html +++ /dev/null 
@@ -1,446 +0,0 @@ -<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"> -<HTML -><HEAD -><TITLE ->Samba as a NT4 or Win2k domain member</TITLE -><META -NAME="GENERATOR" -CONTENT="Modular DocBook HTML Stylesheet Version 1.7"><LINK -REL="HOME" -TITLE="SAMBA Project Documentation" -HREF="samba-howto-collection.html"><LINK -REL="UP" -TITLE="Type of installation" -HREF="type.html"><LINK -REL="PREVIOUS" -TITLE="Samba as a ADS domain member" -HREF="ads.html"><LINK -REL="NEXT" -TITLE="Advanced Configuration" -HREF="optional.html"></HEAD -><BODY -CLASS="CHAPTER" -BGCOLOR="#FFFFFF" -TEXT="#000000" -LINK="#0000FF" -VLINK="#840084" -ALINK="#0000FF" -><DIV -CLASS="NAVHEADER" -><TABLE -SUMMARY="Header navigation table" -WIDTH="100%" -BORDER="0" -CELLPADDING="0" -CELLSPACING="0" -><TR -><TH -COLSPAN="3" -ALIGN="center" ->SAMBA Project Documentation</TH -></TR -><TR -><TD -WIDTH="10%" -ALIGN="left" -VALIGN="bottom" -><A -HREF="ads.html" -ACCESSKEY="P" ->Prev</A -></TD -><TD -WIDTH="80%" -ALIGN="center" -VALIGN="bottom" -></TD -><TD -WIDTH="10%" -ALIGN="right" -VALIGN="bottom" -><A -HREF="optional.html" -ACCESSKEY="N" ->Next</A -></TD -></TR -></TABLE -><HR -ALIGN="LEFT" -WIDTH="100%"></DIV -><DIV -CLASS="CHAPTER" -><H1 -><A -NAME="DOMAIN-MEMBER" -></A ->Chapter 10. Samba as a NT4 or Win2k domain member</H1 -><DIV -CLASS="TOC" -><DL -><DT -><B ->Table of Contents</B -></DT -><DT ->10.1. <A -HREF="domain-member.html#AEN1447" ->Joining an NT Domain with Samba 3.0</A -></DT -><DT ->10.2. <A -HREF="domain-member.html#AEN1501" ->Why is this better than security = server?</A -></DT -></DL -></DIV -><DIV -CLASS="SECT1" -><H1 -CLASS="SECT1" -><A -NAME="AEN1447" ->10.1. 
Joining an NT Domain with Samba 3.0</A -></H1 -><P ->Assume you have a Samba 3.0 server with a NetBIOS name of  -	<CODE -CLASS="CONSTANT" ->SERV1</CODE -> and are joining an or Win2k NT domain called -	<CODE -CLASS="CONSTANT" ->DOM</CODE ->, which has a PDC with a NetBIOS name -	of <CODE -CLASS="CONSTANT" ->DOMPDC</CODE -> and two backup domain controllers  -	with NetBIOS names <CODE -CLASS="CONSTANT" ->DOMBDC1</CODE -> and <CODE -CLASS="CONSTANT" ->DOMBDC2 -	</CODE ->.</P -><P ->Firstly, you must edit your <TT -CLASS="FILENAME" ->smb.conf</TT -> file to tell Samba it should -	now use domain security.</P -><P ->Change (or add) your <A -HREF="smb.conf.5.html#SECURITY" -TARGET="_top" ->	<VAR -CLASS="PARAMETER" ->security =</VAR -></A -> line in the [global] section  -	of your <TT -CLASS="FILENAME" ->smb.conf</TT -> to read:</P -><P -><B -CLASS="COMMAND" ->security = domain</B -></P -><P ->Next change the <A -HREF="smb.conf.5.html#WORKGROUP" -TARGET="_top" -><VAR -CLASS="PARAMETER" ->	workgroup =</VAR -></A -> line in the [global] section to read: </P -><P -><B -CLASS="COMMAND" ->workgroup = DOM</B -></P -><P ->as this is the name of the domain we are joining. </P -><P ->You must also have the parameter <A -HREF="smb.conf.5.html#ENCRYPTPASSWORDS" -TARGET="_top" ->	<VAR -CLASS="PARAMETER" ->encrypt passwords</VAR -></A -> set to <CODE -CLASS="CONSTANT" ->yes -	</CODE -> in order for your users to authenticate to the NT PDC.</P -><P ->Finally, add (or modify) a <A -HREF="smb.conf.5.html#PASSWORDSERVER" -TARGET="_top" ->	<VAR -CLASS="PARAMETER" ->password server =</VAR -></A -> line in the [global] -	section to read: </P -><P -><B -CLASS="COMMAND" ->password server = DOMPDC DOMBDC1 DOMBDC2</B -></P -><P ->These are the primary and backup domain controllers Samba  -	will attempt to contact in order to authenticate users. 
Samba will  -	try to contact each of these servers in order, so you may want to  -	rearrange this list in order to spread out the authentication load  -	among domain controllers.</P -><P ->Alternatively, if you want smbd to automatically determine  -	the list of Domain controllers to use for authentication, you may  -	set this line to be :</P -><P -><B -CLASS="COMMAND" ->password server = *</B -></P -><P ->This method, allows Samba to use exactly the same -        mechanism that NT does. This  -	method either broadcasts or uses a WINS database in order to -	find domain controllers to authenticate against.</P -><P ->In order to actually join the domain, you must run this -        command:</P -><P -><SAMP -CLASS="PROMPT" ->root# </SAMP -><KBD -CLASS="USERINPUT" ->net rpc join -S DOMPDC -	-U<VAR -CLASS="REPLACEABLE" ->Administrator%password</VAR -></KBD -></P -><P ->as we are joining the domain DOM and the PDC for that domain  -	(the only machine that has write access to the domain SAM database)  -	is DOMPDC. The <VAR -CLASS="REPLACEABLE" ->Administrator%password</VAR -> is  -	the login name and password for an account which has the necessary  -	privilege to add machines to the domain.  If this is successful  -	you will see the message:</P -><P -><SAMP -CLASS="COMPUTEROUTPUT" ->Joined domain DOM.</SAMP -> -	or <SAMP -CLASS="COMPUTEROUTPUT" ->Joined 'SERV1' to realm 'MYREALM'</SAMP -> -	</P -><P ->in your terminal window. 
See the <A -HREF="net.8.html" -TARGET="_top" ->	net(8)</A -> man page for more details.</P -><P ->This process joins the server to thedomain -	without having to create the machine trust account on the PDC -	beforehand.</P -><P ->This command goes through the machine account password  -	change protocol, then writes the new (random) machine account  -	password for this Samba server into a file in the same directory  -	in which an smbpasswd file would be stored - normally :</P -><P -><TT -CLASS="FILENAME" ->/usr/local/samba/private/secrets.tdb</TT -></P -><P ->This file is created and owned by root and is not  -	readable by any other user. It is the key to the domain-level  -	security for your system, and should be treated as carefully  -	as a shadow password file.</P -><P ->Finally, restart your Samba daemons and get ready for  -	clients to begin using domain security!</P -></DIV -><DIV -CLASS="SECT1" -><H1 -CLASS="SECT1" -><A -NAME="AEN1501" ->10.2. Why is this better than security = server?</A -></H1 -><P ->Currently, domain security in Samba doesn't free you from  -	having to create local Unix users to represent the users attaching  -	to your server. This means that if domain user <CODE -CLASS="CONSTANT" ->DOM\fred -	</CODE -> attaches to your domain security Samba server, there needs  -	to be a local Unix user fred to represent that user in the Unix  -	filesystem. This is very similar to the older Samba security mode  -	<A -HREF="smb.conf.5.html#SECURITYEQUALSSERVER" -TARGET="_top" ->security = server</A ->,  -	where Samba would pass through the authentication request to a Windows  -	NT server in the same way as a Windows 95 or Windows 98 server would. -	</P -><P ->Please refer to the <A -HREF="winbind.html" -TARGET="_top" ->Winbind  -	paper</A -> for information on a system to automatically -	assign UNIX uids and gids to Windows NT Domain users and groups. 
-	This code is available in development branches only at the moment, -	but will be moved to release branches soon.</P -><P ->The advantage to domain-level security is that the  -	authentication in domain-level security is passed down the authenticated  -	RPC channel in exactly the same way that an NT server would do it. This  -	means Samba servers now participate in domain trust relationships in  -	exactly the same way NT servers do (i.e., you can add Samba servers into  -	a resource domain and have the authentication passed on from a resource -	domain PDC to an account domain PDC.</P -><P ->In addition, with <B -CLASS="COMMAND" ->security = server</B -> every Samba  -	daemon on a server has to keep a connection open to the  -	authenticating server for as long as that daemon lasts. This can drain  -	the connection resources on a Microsoft NT server and cause it to run  -	out of available connections. With <B -CLASS="COMMAND" ->security = domain</B ->,  -	however, the Samba daemons connect to the PDC/BDC only for as long  -	as is necessary to authenticate the user, and then drop the connection,  -	thus conserving PDC connection resources.</P -><P ->And finally, acting in the same manner as an NT server  -	authenticating to a PDC means that as part of the authentication  -	reply, the Samba server gets the user identification information such  -	as the user SID, the list of NT groups the user belongs to, etc. 
</P -><DIV -CLASS="NOTE" -><P -></P -><TABLE -CLASS="NOTE" -WIDTH="100%" -BORDER="0" -><TR -><TD -WIDTH="25" -ALIGN="CENTER" -VALIGN="TOP" -><IMG -SRC="/usr/share/sgml/docbook/stylesheet/dsssl/modular/images/note.gif" -HSPACE="5" -ALT="Note"></TD -><TD -ALIGN="LEFT" -VALIGN="TOP" -><P -> Much of the text of this document  -	was first published in the Web magazine <A -HREF="http://www.linuxworld.com" -TARGET="_top" -> 	 -	LinuxWorld</A -> as the article <A -HREF="http://www.linuxworld.com/linuxworld/lw-1998-10/lw-10-samba.html" -TARGET="_top" ->Doing  -	the NIS/NT Samba</A ->.</P -></TD -></TR -></TABLE -></DIV -></DIV -></DIV -><DIV -CLASS="NAVFOOTER" -><HR -ALIGN="LEFT" -WIDTH="100%"><TABLE -SUMMARY="Footer navigation table" -WIDTH="100%" -BORDER="0" -CELLPADDING="0" -CELLSPACING="0" -><TR -><TD -WIDTH="33%" -ALIGN="left" -VALIGN="top" -><A -HREF="ads.html" -ACCESSKEY="P" ->Prev</A -></TD -><TD -WIDTH="34%" -ALIGN="center" -VALIGN="top" -><A -HREF="samba-howto-collection.html" -ACCESSKEY="H" ->Home</A -></TD -><TD -WIDTH="33%" -ALIGN="right" -VALIGN="top" -><A -HREF="optional.html" -ACCESSKEY="N" ->Next</A -></TD -></TR -><TR -><TD -WIDTH="33%" -ALIGN="left" -VALIGN="top" ->Samba as a ADS domain member</TD -><TD -WIDTH="34%" -ALIGN="center" -VALIGN="top" -><A -HREF="type.html" -ACCESSKEY="U" ->Up</A -></TD -><TD -WIDTH="33%" -ALIGN="right" -VALIGN="top" ->Advanced Configuration</TD -></TR -></TABLE -></DIV -></BODY -></HTML ->
\ No newline at end of file | 
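Review bot: the navigation in the removed page (Prev ads.html, Next optional.html, Up type.html, Home samba-howto-collection.html, plus the self-referencing TOC anchors #AEN1447 and #AEN1501) suggests that sibling pages link back to domain-member.html, and this view is limited to the one path. Please confirm the same change also removes or regenerates those pages so that no Prev/Next or TOC link is left pointing at a deleted file. The META GENERATOR line shows this is DocBook stylesheet output, so the deletion is safe only if the DocBook source for Chapter 10 stays in the tree. In particular, the paragraph saying that secrets.tdb "should be treated as carefully as a shadow password file" is operational security guidance that should remain reachable from whatever replaces this page. The commit message should also say where the built HTML now comes from.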
