diff options
Diffstat (limited to 'docs/htmldocs/domain-security.html')
-rw-r--r-- | docs/htmldocs/domain-security.html | 317 |
1 files changed, 186 insertions, 131 deletions
diff --git a/docs/htmldocs/domain-security.html b/docs/htmldocs/domain-security.html index ddbc4624b8..670d96ba5f 100644 --- a/docs/htmldocs/domain-security.html +++ b/docs/htmldocs/domain-security.html @@ -2,10 +2,11 @@ <HTML ><HEAD ><TITLE ->Samba as a NT4 or Win2k domain member</TITLE +>Samba as a NT4 domain member</TITLE ><META NAME="GENERATOR" -CONTENT="Modular DocBook HTML Stylesheet Version 1.7"><LINK +CONTENT="Modular DocBook HTML Stylesheet Version 1.76b+ +"><LINK REL="HOME" TITLE="SAMBA Project Documentation" HREF="samba-howto-collection.html"><LINK @@ -16,7 +17,7 @@ REL="PREVIOUS" TITLE="Samba as a ADS domain member" HREF="ads.html"><LINK REL="NEXT" -TITLE="Advanced Configuration" +TITLE="Optional configuration" HREF="optional.html"></HEAD ><BODY CLASS="CHAPTER" @@ -72,58 +73,157 @@ WIDTH="100%"></DIV CLASS="CHAPTER" ><H1 ><A -NAME="DOMAIN-SECURITY" -></A ->Chapter 9. Samba as a NT4 or Win2k domain member</H1 +NAME="DOMAIN-SECURITY">Chapter 9. Samba as a NT4 domain member</H1 ><DIV CLASS="SECT1" ><H1 CLASS="SECT1" ><A -NAME="AEN1439" ->9.1. Joining an NT Domain with Samba 3.0</A -></H1 +NAME="AEN1273">9.1. Joining an NT Domain with Samba 2.2</H1 ><P ->Assume you have a Samba 3.0 server with a NetBIOS name of - <CODE +>Assume you have a Samba 2.x server with a NetBIOS name of + <TT CLASS="CONSTANT" ->SERV1</CODE -> and are joining an or Win2k NT domain called - <CODE +>SERV1</TT +> and are joining an NT domain called + <TT CLASS="CONSTANT" ->DOM</CODE +>DOM</TT >, which has a PDC with a NetBIOS name - of <CODE + of <TT CLASS="CONSTANT" ->DOMPDC</CODE +>DOMPDC</TT > and two backup domain controllers - with NetBIOS names <CODE + with NetBIOS names <TT CLASS="CONSTANT" ->DOMBDC1</CODE -> and <CODE +>DOMBDC1</TT +> and <TT CLASS="CONSTANT" >DOMBDC2 - </CODE + </TT >.</P ><P ->Firstly, you must edit your <TT +>In order to join the domain, first stop all Samba daemons + and run the command:</P +><P +><TT +CLASS="PROMPT" +>root# </TT +><TT +CLASS="USERINPUT" +><B +>smbpasswd -j DOM -r DOMPDC + -U<TT +CLASS="REPLACEABLE" +><I +>Administrator%password</I +></TT +></B +></TT +></P +><P +>as we are joining the domain DOM and the PDC for that domain + (the only machine that has write access to the domain SAM database) + is DOMPDC. The <TT +CLASS="REPLACEABLE" +><I +>Administrator%password</I +></TT +> is + the login name and password for an account which has the necessary + privilege to add machines to the domain. If this is successful + you will see the message:</P +><P +><TT +CLASS="COMPUTEROUTPUT" +>smbpasswd: Joined domain DOM.</TT +> + </P +><P +>in your terminal window. See the <A +HREF="smbpasswd.8.html" +TARGET="_top" +> smbpasswd(8)</A +> man page for more details.</P +><P +>There is existing development code to join a domain + without having to create the machine trust account on the PDC + beforehand. This code will hopefully be available soon + in release branches as well.</P +><P +>This command goes through the machine account password + change protocol, then writes the new (random) machine account + password for this Samba server into a file in the same directory + in which an smbpasswd file would be stored - normally :</P +><P +><TT +CLASS="FILENAME" +>/usr/local/samba/private</TT +></P +><P +>In Samba 2.0.x, the filename looks like this:</P +><P +><TT CLASS="FILENAME" ->smb.conf</TT -> file to tell Samba it should - now use domain security.</P +><TT +CLASS="REPLACEABLE" +><I +><NT DOMAIN NAME></I +></TT +>.<TT +CLASS="REPLACEABLE" +><I +><Samba + Server Name></I +></TT +>.mac</TT +></P +><P +>The <TT +CLASS="FILENAME" +>.mac</TT +> suffix stands for machine account + password file. So in our example above, the file would be called:</P +><P +><TT +CLASS="FILENAME" +>DOM.SERV1.mac</TT +></P +><P +>In Samba 2.2, this file has been replaced with a TDB + (Trivial Database) file named <TT +CLASS="FILENAME" +>secrets.tdb</TT +>. + </P +><P +>This file is created and owned by root and is not + readable by any other user. It is the key to the domain-level + security for your system, and should be treated as carefully + as a shadow password file.</P +><P +>Now, before restarting the Samba daemons you must + edit your <A +HREF="smb.conf.5.html" +TARGET="_top" +><TT +CLASS="FILENAME" +>smb.conf(5)</TT +> + </A +> file to tell Samba it should now use domain security.</P ><P >Change (or add) your <A HREF="smb.conf.5.html#SECURITY" TARGET="_top" -> <VAR +> <TT CLASS="PARAMETER" ->security =</VAR +><I +>security =</I +></TT ></A > line in the [global] section - of your <TT -CLASS="FILENAME" ->smb.conf</TT -> to read:</P + of your smb.conf to read:</P ><P ><B CLASS="COMMAND" @@ -133,9 +233,11 @@ CLASS="COMMAND" >Next change the <A HREF="smb.conf.5.html#WORKGROUP" TARGET="_top" -><VAR +><TT CLASS="PARAMETER" -> workgroup =</VAR +><I +> workgroup =</I +></TT ></A > line in the [global] section to read: </P ><P @@ -149,22 +251,26 @@ CLASS="COMMAND" >You must also have the parameter <A HREF="smb.conf.5.html#ENCRYPTPASSWORDS" TARGET="_top" -> <VAR +> <TT CLASS="PARAMETER" ->encrypt passwords</VAR +><I +>encrypt passwords</I +></TT ></A -> set to <CODE +> set to <TT CLASS="CONSTANT" >yes - </CODE + </TT > in order for your users to authenticate to the NT PDC.</P ><P >Finally, add (or modify) a <A HREF="smb.conf.5.html#PASSWORDSERVER" TARGET="_top" -> <VAR +> <TT CLASS="PARAMETER" ->password server =</VAR +><I +>password server =</I +></TT ></A > line in the [global] section to read: </P @@ -189,89 +295,50 @@ CLASS="COMMAND" >password server = *</B ></P ><P ->This method, allows Samba to use exactly the same - mechanism that NT does. This +>This method, which was introduced in Samba 2.0.6, + allows Samba to use exactly the same mechanism that NT does. This method either broadcasts or uses a WINS database in order to find domain controllers to authenticate against.</P ><P ->In order to actually join the domain, you must run this - command:</P -><P -><SAMP -CLASS="PROMPT" ->root# </SAMP -><KBD -CLASS="USERINPUT" ->net rpc join -S DOMPDC - -U<VAR -CLASS="REPLACEABLE" ->Administrator%password</VAR -></KBD -></P -><P ->as we are joining the domain DOM and the PDC for that domain - (the only machine that has write access to the domain SAM database) - is DOMPDC. The <VAR -CLASS="REPLACEABLE" ->Administrator%password</VAR -> is - the login name and password for an account which has the necessary - privilege to add machines to the domain. If this is successful - you will see the message:</P -><P -><SAMP -CLASS="COMPUTEROUTPUT" ->Joined domain DOM.</SAMP -> - or <SAMP -CLASS="COMPUTEROUTPUT" ->Joined 'SERV1' to realm 'MYREALM'</SAMP -> - </P -><P ->in your terminal window. See the <A -HREF="net.8.html" -TARGET="_top" -> net(8)</A -> man page for more details.</P -><P ->This process joins the server to thedomain - without having to create the machine trust account on the PDC - beforehand.</P -><P ->This command goes through the machine account password - change protocol, then writes the new (random) machine account - password for this Samba server into a file in the same directory - in which an smbpasswd file would be stored - normally :</P +>Finally, restart your Samba daemons and get ready for + clients to begin using domain security!</P +></DIV +><DIV +CLASS="SECT1" +><H1 +CLASS="SECT1" +><A +NAME="AEN1337">9.2. Samba and Windows 2000 Domains</H1 ><P -><TT -CLASS="FILENAME" ->/usr/local/samba/private/secrets.tdb</TT -></P +>Many people have asked regarding the state of Samba's ability to participate in +a Windows 2000 Domain. Samba 3.0 is able to act as a member server of a Windows +2000 domain operating in mixed or native mode.</P ><P ->This file is created and owned by root and is not - readable by any other user. It is the key to the domain-level - security for your system, and should be treated as carefully - as a shadow password file.</P +>There is much confusion between the circumstances that require a "mixed" mode +Win2k DC and a when this host can be switched to "native" mode. A "mixed" mode +Win2k domain controller is only needed if Windows NT BDCs must exist in the same +domain. By default, a Win2k DC in "native" mode will still support +NetBIOS and NTLMv1 for authentication of legacy clients such as Windows 9x and +NT 4.0. Samba has the same requirements as a Windows NT 4.0 member server.</P ><P ->Finally, restart your Samba daemons and get ready for - clients to begin using domain security!</P +>The steps for adding a Samba 2.2 host to a Win2k domain are the same as those +for adding a Samba server to a Windows NT 4.0 domain. The only exception is that +the "Server Manager" from NT 4 has been replaced by the "Active Directory Users and +Computers" MMC (Microsoft Management Console) plugin.</P ></DIV ><DIV CLASS="SECT1" ><H1 CLASS="SECT1" ><A -NAME="AEN1493" ->9.2. Why is this better than security = server?</A -></H1 +NAME="AEN1342">9.3. Why is this better than security = server?</H1 ><P >Currently, domain security in Samba doesn't free you from having to create local Unix users to represent the users attaching - to your server. This means that if domain user <CODE + to your server. This means that if domain user <TT CLASS="CONSTANT" >DOM\fred - </CODE + </TT > attaches to your domain security Samba server, there needs to be a local Unix user fred to represent that user in the Unix filesystem. This is very similar to the older Samba security mode @@ -320,28 +387,20 @@ CLASS="COMMAND" >And finally, acting in the same manner as an NT server authenticating to a PDC means that as part of the authentication reply, the Samba server gets the user identification information such - as the user SID, the list of NT groups the user belongs to, etc. </P -><DIV -CLASS="NOTE" -><P -></P -><TABLE -CLASS="NOTE" -WIDTH="100%" -BORDER="0" -><TR -><TD -WIDTH="25" -ALIGN="CENTER" -VALIGN="TOP" -><IMG -SRC="/usr/share/sgml/docbook/stylesheet/dsssl/modular/images/note.gif" -HSPACE="5" -ALT="Note"></TD -><TD -ALIGN="LEFT" -VALIGN="TOP" + as the user SID, the list of NT groups the user belongs to, etc. All + this information will allow Samba to be extended in the future into + a mode the developers currently call appliance mode. In this mode, + no local Unix users will be necessary, and Samba will generate Unix + uids and gids from the information passed back from the PDC when a + user is authenticated, making a Samba server truly plug and play + in an NT domain environment. Watch for this code soon.</P ><P +><SPAN +CLASS="emphasis" +><I +CLASS="EMPHASIS" +>NOTE:</I +></SPAN > Much of the text of this document was first published in the Web magazine <A HREF="http://www.linuxworld.com" @@ -354,10 +413,6 @@ TARGET="_top" >Doing the NIS/NT Samba</A >.</P -></TD -></TR -></TABLE -></DIV ></DIV ></DIV ><DIV @@ -418,7 +473,7 @@ ACCESSKEY="U" WIDTH="33%" ALIGN="right" VALIGN="top" ->Advanced Configuration</TD +>Optional configuration</TD ></TR ></TABLE ></DIV |