summaryrefslogtreecommitdiff
path: root/docs/htmldocs/domain-security.html
diff options
context:
space:
mode:
Diffstat (limited to 'docs/htmldocs/domain-security.html')
-rw-r--r--docs/htmldocs/domain-security.html273
1 files changed, 163 insertions, 110 deletions
diff --git a/docs/htmldocs/domain-security.html b/docs/htmldocs/domain-security.html
index d47138d791..670d96ba5f 100644
--- a/docs/htmldocs/domain-security.html
+++ b/docs/htmldocs/domain-security.html
@@ -2,10 +2,11 @@
<HTML
><HEAD
><TITLE
->Samba as a NT4 or Win2k domain member</TITLE
+>Samba as a NT4 domain member</TITLE
><META
NAME="GENERATOR"
-CONTENT="Modular DocBook HTML Stylesheet Version 1.7"><LINK
+CONTENT="Modular DocBook HTML Stylesheet Version 1.76b+
+"><LINK
REL="HOME"
TITLE="SAMBA Project Documentation"
HREF="samba-howto-collection.html"><LINK
@@ -72,41 +73,137 @@ WIDTH="100%"></DIV
CLASS="CHAPTER"
><H1
><A
-NAME="DOMAIN-SECURITY"
-></A
->Chapter 8. Samba as a NT4 or Win2k domain member</H1
+NAME="DOMAIN-SECURITY">Chapter 9. Samba as a NT4 domain member</H1
><DIV
CLASS="SECT1"
><H1
CLASS="SECT1"
><A
-NAME="AEN1326"
->8.1. Joining an NT Domain with Samba 3.0</A
-></H1
+NAME="AEN1273">9.1. Joining an NT Domain with Samba 2.2</H1
><P
->Assume you have a Samba 3.0 server with a NetBIOS name of
- <CODE
+>Assume you have a Samba 2.x server with a NetBIOS name of
+ <TT
CLASS="CONSTANT"
->SERV1</CODE
-> and are joining an or Win2k NT domain called
- <CODE
+>SERV1</TT
+> and are joining an NT domain called
+ <TT
CLASS="CONSTANT"
->DOM</CODE
+>DOM</TT
>, which has a PDC with a NetBIOS name
- of <CODE
+ of <TT
CLASS="CONSTANT"
->DOMPDC</CODE
+>DOMPDC</TT
> and two backup domain controllers
- with NetBIOS names <CODE
+ with NetBIOS names <TT
CLASS="CONSTANT"
->DOMBDC1</CODE
-> and <CODE
+>DOMBDC1</TT
+> and <TT
CLASS="CONSTANT"
>DOMBDC2
- </CODE
+ </TT
>.</P
><P
->Firstly, you must edit your <A
+>In order to join the domain, first stop all Samba daemons
+ and run the command:</P
+><P
+><TT
+CLASS="PROMPT"
+>root# </TT
+><TT
+CLASS="USERINPUT"
+><B
+>smbpasswd -j DOM -r DOMPDC
+ -U<TT
+CLASS="REPLACEABLE"
+><I
+>Administrator%password</I
+></TT
+></B
+></TT
+></P
+><P
+>as we are joining the domain DOM and the PDC for that domain
+ (the only machine that has write access to the domain SAM database)
+ is DOMPDC. The <TT
+CLASS="REPLACEABLE"
+><I
+>Administrator%password</I
+></TT
+> is
+ the login name and password for an account which has the necessary
+ privilege to add machines to the domain. If this is successful
+ you will see the message:</P
+><P
+><TT
+CLASS="COMPUTEROUTPUT"
+>smbpasswd: Joined domain DOM.</TT
+>
+ </P
+><P
+>in your terminal window. See the <A
+HREF="smbpasswd.8.html"
+TARGET="_top"
+> smbpasswd(8)</A
+> man page for more details.</P
+><P
+>There is existing development code to join a domain
+ without having to create the machine trust account on the PDC
+ beforehand. This code will hopefully be available soon
+ in release branches as well.</P
+><P
+>This command goes through the machine account password
+ change protocol, then writes the new (random) machine account
+ password for this Samba server into a file in the same directory
+ in which an smbpasswd file would be stored - normally :</P
+><P
+><TT
+CLASS="FILENAME"
+>/usr/local/samba/private</TT
+></P
+><P
+>In Samba 2.0.x, the filename looks like this:</P
+><P
+><TT
+CLASS="FILENAME"
+><TT
+CLASS="REPLACEABLE"
+><I
+>&lt;NT DOMAIN NAME&gt;</I
+></TT
+>.<TT
+CLASS="REPLACEABLE"
+><I
+>&lt;Samba
+ Server Name&gt;</I
+></TT
+>.mac</TT
+></P
+><P
+>The <TT
+CLASS="FILENAME"
+>.mac</TT
+> suffix stands for machine account
+ password file. So in our example above, the file would be called:</P
+><P
+><TT
+CLASS="FILENAME"
+>DOM.SERV1.mac</TT
+></P
+><P
+>In Samba 2.2, this file has been replaced with a TDB
+ (Trivial Database) file named <TT
+CLASS="FILENAME"
+>secrets.tdb</TT
+>.
+ </P
+><P
+>This file is created and owned by root and is not
+ readable by any other user. It is the key to the domain-level
+ security for your system, and should be treated as carefully
+ as a shadow password file.</P
+><P
+>Now, before restarting the Samba daemons you must
+ edit your <A
HREF="smb.conf.5.html"
TARGET="_top"
><TT
@@ -119,9 +216,11 @@ CLASS="FILENAME"
>Change (or add) your <A
HREF="smb.conf.5.html#SECURITY"
TARGET="_top"
-> <VAR
+> <TT
CLASS="PARAMETER"
->security =</VAR
+><I
+>security =</I
+></TT
></A
> line in the [global] section
of your smb.conf to read:</P
@@ -129,19 +228,16 @@ CLASS="PARAMETER"
><B
CLASS="COMMAND"
>security = domain</B
-> or
- <B
-CLASS="COMMAND"
->security = ads</B
-> depending on if the PDC is
- NT4 or running Active Directory respectivly.</P
+></P
><P
>Next change the <A
HREF="smb.conf.5.html#WORKGROUP"
TARGET="_top"
-><VAR
+><TT
CLASS="PARAMETER"
-> workgroup =</VAR
+><I
+> workgroup =</I
+></TT
></A
> line in the [global] section to read: </P
><P
@@ -155,22 +251,26 @@ CLASS="COMMAND"
>You must also have the parameter <A
HREF="smb.conf.5.html#ENCRYPTPASSWORDS"
TARGET="_top"
-> <VAR
+> <TT
CLASS="PARAMETER"
->encrypt passwords</VAR
+><I
+>encrypt passwords</I
+></TT
></A
-> set to <CODE
+> set to <TT
CLASS="CONSTANT"
>yes
- </CODE
+ </TT
> in order for your users to authenticate to the NT PDC.</P
><P
>Finally, add (or modify) a <A
HREF="smb.conf.5.html#PASSWORDSERVER"
TARGET="_top"
-> <VAR
+> <TT
CLASS="PARAMETER"
->password server =</VAR
+><I
+>password server =</I
+></TT
></A
> line in the [global]
section to read: </P
@@ -195,71 +295,11 @@ CLASS="COMMAND"
>password server = *</B
></P
><P
->This method, allows Samba to use exactly the same
- mechanism that NT does. This
+>This method, which was introduced in Samba 2.0.6,
+ allows Samba to use exactly the same mechanism that NT does. This
method either broadcasts or uses a WINS database in order to
find domain controllers to authenticate against.</P
><P
->In order to actually join the domain, you must run this
- command:</P
-><P
-><SAMP
-CLASS="PROMPT"
->root# </SAMP
-><KBD
-CLASS="USERINPUT"
->net join -S DOMPDC
- -U<VAR
-CLASS="REPLACEABLE"
->Administrator%password</VAR
-></KBD
-></P
-><P
->as we are joining the domain DOM and the PDC for that domain
- (the only machine that has write access to the domain SAM database)
- is DOMPDC. The <VAR
-CLASS="REPLACEABLE"
->Administrator%password</VAR
-> is
- the login name and password for an account which has the necessary
- privilege to add machines to the domain. If this is successful
- you will see the message:</P
-><P
-><SAMP
-CLASS="COMPUTEROUTPUT"
->Joined domain DOM.</SAMP
->
- or <SAMP
-CLASS="COMPUTEROUTPUT"
->Joined 'SERV1' to realm 'MYREALM'</SAMP
->
- </P
-><P
->in your terminal window. See the <A
-HREF="net.8.html"
-TARGET="_top"
-> net(8)</A
-> man page for more details.</P
-><P
->This process joins the server to thedomain
- without having to create the machine trust account on the PDC
- beforehand.</P
-><P
->This command goes through the machine account password
- change protocol, then writes the new (random) machine account
- password for this Samba server into a file in the same directory
- in which an smbpasswd file would be stored - normally :</P
-><P
-><TT
-CLASS="FILENAME"
->/usr/local/samba/private/secrets.tdb</TT
-></P
-><P
->This file is created and owned by root and is not
- readable by any other user. It is the key to the domain-level
- security for your system, and should be treated as carefully
- as a shadow password file.</P
-><P
>Finally, restart your Samba daemons and get ready for
clients to begin using domain security!</P
></DIV
@@ -268,30 +308,37 @@ CLASS="SECT1"
><H1
CLASS="SECT1"
><A
-NAME="AEN1381"
->8.2. Samba and Windows 2000 Domains</A
-></H1
+NAME="AEN1337">9.2. Samba and Windows 2000 Domains</H1
><P
>Many people have asked regarding the state of Samba's ability to participate in
a Windows 2000 Domain. Samba 3.0 is able to act as a member server of a Windows
-2000 domain operating in mixed or native mode. The steps above apply
-to both NT4 and Windows 2000.</P
+2000 domain operating in mixed or native mode.</P
+><P
+>There is much confusion between the circumstances that require a "mixed" mode
+Win2k DC and a when this host can be switched to "native" mode. A "mixed" mode
+Win2k domain controller is only needed if Windows NT BDCs must exist in the same
+domain. By default, a Win2k DC in "native" mode will still support
+NetBIOS and NTLMv1 for authentication of legacy clients such as Windows 9x and
+NT 4.0. Samba has the same requirements as a Windows NT 4.0 member server.</P
+><P
+>The steps for adding a Samba 2.2 host to a Win2k domain are the same as those
+for adding a Samba server to a Windows NT 4.0 domain. The only exception is that
+the "Server Manager" from NT 4 has been replaced by the "Active Directory Users and
+Computers" MMC (Microsoft Management Console) plugin.</P
></DIV
><DIV
CLASS="SECT1"
><H1
CLASS="SECT1"
><A
-NAME="AEN1384"
->8.3. Why is this better than security = server?</A
-></H1
+NAME="AEN1342">9.3. Why is this better than security = server?</H1
><P
>Currently, domain security in Samba doesn't free you from
having to create local Unix users to represent the users attaching
- to your server. This means that if domain user <CODE
+ to your server. This means that if domain user <TT
CLASS="CONSTANT"
>DOM\fred
- </CODE
+ </TT
> attaches to your domain security Samba server, there needs
to be a local Unix user fred to represent that user in the Unix
filesystem. This is very similar to the older Samba security mode
@@ -340,7 +387,13 @@ CLASS="COMMAND"
>And finally, acting in the same manner as an NT server
authenticating to a PDC means that as part of the authentication
reply, the Samba server gets the user identification information such
- as the user SID, the list of NT groups the user belongs to, etc. </P
+ as the user SID, the list of NT groups the user belongs to, etc. All
+ this information will allow Samba to be extended in the future into
+ a mode the developers currently call appliance mode. In this mode,
+ no local Unix users will be necessary, and Samba will generate Unix
+ uids and gids from the information passed back from the PDC when a
+ user is authenticated, making a Samba server truly plug and play
+ in an NT domain environment. Watch for this code soon.</P
><P
><SPAN
CLASS="emphasis"