summaryrefslogtreecommitdiff
path: root/docs/htmldocs/domain-member.html
diff options
context:
space:
mode:
Diffstat (limited to 'docs/htmldocs/domain-member.html')
-rw-r--r--docs/htmldocs/domain-member.html79
1 files changed, 79 insertions, 0 deletions
diff --git a/docs/htmldocs/domain-member.html b/docs/htmldocs/domain-member.html
new file mode 100644
index 0000000000..5be675a541
--- /dev/null
+++ b/docs/htmldocs/domain-member.html
@@ -0,0 +1,79 @@
+<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
+<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Chapter 8. Samba as a NT4 or Win2k domain member</title><link rel="stylesheet" href="samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.59.1"><link rel="home" href="index.html" title="SAMBA Project Documentation"><link rel="up" href="type.html" title="Part II. Server Configuration Basics"><link rel="previous" href="ADS.html" title="Chapter 7. Samba as a ADS domain member"><link rel="next" href="optional.html" title="Part III. Advanced Configuration"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Chapter 8. Samba as a NT4 or Win2k domain member</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="ADS.html">Prev</a> </td><th width="60%" align="center">Part II. Server Configuration Basics</th><td width="20%" align="right"> <a accesskey="n" href="optional.html">Next</a></td></tr></table><hr></div><div class="chapter" lang="en"><div class="titlepage"><div><h2 class="title"><a name="domain-member"></a>Chapter 8. Samba as a NT4 or Win2k domain member</h2></div><div><div class="author"><h3 class="author">Jeremy Allison</h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><tt>&lt;<a href="mailto:jra@samba.org">jra@samba.org</a>&gt;</tt></p></div></div></div></div><div><div class="author"><h3 class="author">Gerald (Jerry) Carter</h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><tt>&lt;<a href="mailto:jerry@samba.org">jerry@samba.org</a>&gt;</tt></p></div></div></div></div><div><p class="pubdate">16 Apr 2001</p></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><a href="domain-member.html#id2879309">Joining an NT Domain with Samba 3.0</a></dt><dt><a href="domain-member.html#id2880214">Why is this better than security = server?</a></dt></dl></div><div class="sect1" lang="en"><div class="titlepage"><div><h2 class="title" style="clear: both"><a name="id2879309"></a>Joining an NT Domain with Samba 3.0</h2></div></div><p><span class="emphasis"><em>Assumptions:</em></span>
+ </p><pre class="programlisting">
+ NetBIOS name: SERV1
+ Win2K/NT domain name: DOM
+ Domain's PDC NetBIOS name: DOMPDC
+ Domain's BDC NetBIOS names: DOMBDC1 and DOMBDC2
+ </pre><p>
+ </p><p>First, you must edit your <tt>smb.conf</tt> file to tell Samba it should
+ now use domain security.</p><p>Change (or add) your <a href="smb.conf.5.html#SECURITY" target="_top">
+ <i><tt>security =</tt></i></a> line in the [global] section
+ of your <tt>smb.conf</tt> to read:</p><p><b>security = domain</b></p><p>Next change the <a href="smb.conf.5.html#WORKGROUP" target="_top"><i><tt>
+ workgroup =</tt></i></a> line in the [global] section to read: </p><p><b>workgroup = DOM</b></p><p>as this is the name of the domain we are joining. </p><p>You must also have the parameter <a href="smb.conf.5.html#ENCRYPTPASSWORDS" target="_top">
+ <i><tt>encrypt passwords</tt></i></a> set to <tt>yes
+ </tt> in order for your users to authenticate to the NT PDC.</p><p>Finally, add (or modify) a <a href="smb.conf.5.html#PASSWORDSERVER" target="_top">
+ <i><tt>password server =</tt></i></a> line in the [global]
+ section to read: </p><p><b>password server = DOMPDC DOMBDC1 DOMBDC2</b></p><p>These are the primary and backup domain controllers Samba
+ will attempt to contact in order to authenticate users. Samba will
+ try to contact each of these servers in order, so you may want to
+ rearrange this list in order to spread out the authentication load
+ among domain controllers.</p><p>Alternatively, if you want smbd to automatically determine
+ the list of Domain controllers to use for authentication, you may
+ set this line to be :</p><p><b>password server = *</b></p><p>This method, allows Samba to use exactly the same
+ mechanism that NT does. This
+ method either broadcasts or uses a WINS database in order to
+ find domain controllers to authenticate against.</p><p>In order to actually join the domain, you must run this
+ command:</p><p><tt>root# </tt><b><tt>net join -S DOMPDC
+ -U<i><tt>Administrator%password</tt></i></tt></b></p><p>
+ If the <b><tt>-S DOMPDC</tt></b> argument is not given then
+ the domain name will be obtained from smb.conf.
+ </p><p>as we are joining the domain DOM and the PDC for that domain
+ (the only machine that has write access to the domain SAM database)
+ is DOMPDC. The <i><tt>Administrator%password</tt></i> is
+ the login name and password for an account which has the necessary
+ privilege to add machines to the domain. If this is successful
+ you will see the message:</p><p><tt>Joined domain DOM.</tt>
+ or <tt>Joined 'SERV1' to realm 'MYREALM'</tt>
+ </p><p>in your terminal window. See the <a href="net.8.html" target="_top">
+ net(8)</a> man page for more details.</p><p>This process joins the server to the domain
+ without having to create the machine trust account on the PDC
+ beforehand.</p><p>This command goes through the machine account password
+ change protocol, then writes the new (random) machine account
+ password for this Samba server into a file in the same directory
+ in which an smbpasswd file would be stored - normally :</p><p><tt>/usr/local/samba/private/secrets.tdb</tt></p><p>This file is created and owned by root and is not
+ readable by any other user. It is the key to the domain-level
+ security for your system, and should be treated as carefully
+ as a shadow password file.</p><p>Finally, restart your Samba daemons and get ready for
+ clients to begin using domain security!</p></div><div class="sect1" lang="en"><div class="titlepage"><div><h2 class="title" style="clear: both"><a name="id2880214"></a>Why is this better than security = server?</h2></div></div><p>Currently, domain security in Samba doesn't free you from
+ having to create local Unix users to represent the users attaching
+ to your server. This means that if domain user <tt>DOM\fred
+ </tt> attaches to your domain security Samba server, there needs
+ to be a local Unix user fred to represent that user in the Unix
+ filesystem. This is very similar to the older Samba security mode
+ <a href="smb.conf.5.html#SECURITYEQUALSSERVER" target="_top">security = server</a>,
+ where Samba would pass through the authentication request to a Windows
+ NT server in the same way as a Windows 95 or Windows 98 server would.
+ </p><p>Please refer to the <a href="winbind.html" target="_top">Winbind
+ paper</a> for information on a system to automatically
+ assign UNIX uids and gids to Windows NT Domain users and groups.
+ </p><p>The advantage to domain-level security is that the
+ authentication in domain-level security is passed down the authenticated
+ RPC channel in exactly the same way that an NT server would do it. This
+ means Samba servers now participate in domain trust relationships in
+ exactly the same way NT servers do (i.e., you can add Samba servers into
+ a resource domain and have the authentication passed on from a resource
+ domain PDC to an account domain PDC).</p><p>In addition, with <b>security = server</b> every Samba
+ daemon on a server has to keep a connection open to the
+ authenticating server for as long as that daemon lasts. This can drain
+ the connection resources on a Microsoft NT server and cause it to run
+ out of available connections. With <b>security = domain</b>,
+ however, the Samba daemons connect to the PDC/BDC only for as long
+ as is necessary to authenticate the user, and then drop the connection,
+ thus conserving PDC connection resources.</p><p>And finally, acting in the same manner as an NT server
+ authenticating to a PDC means that as part of the authentication
+ reply, the Samba server gets the user identification information such
+ as the user SID, the list of NT groups the user belongs to, etc. </p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p> Much of the text of this document
+ was first published in the Web magazine <a href="http://www.linuxworld.com" target="_top">
+ LinuxWorld</a> as the article <a href="http://www.linuxworld.com/linuxworld/lw-1998-10/lw-10-samba.html" target="_top">Doing
+ the NIS/NT Samba</a>.</p></div></div></div><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="ADS.html">Prev</a> </td><td width="20%" align="center"><a accesskey="u" href="type.html">Up</a></td><td width="40%" align="right"> <a accesskey="n" href="optional.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top">Chapter 7. Samba as a ADS domain member </td><td width="20%" align="center"><a accesskey="h" href="index.html">Home</a></td><td width="40%" align="right" valign="top"> Part III. Advanced Configuration</td></tr></table></div></body></html>
generated by cgit (git 2.34.1) at 2025-02-07 21:35:13 +0000