Diffstat (limited to 'docs/htmldocs/domain-security.html')
-rw-r--r-- | docs/htmldocs/domain-security.html | 273 |
1 files changed, 163 insertions, 110 deletions
diff --git a/docs/htmldocs/domain-security.html b/docs/htmldocs/domain-security.html index d47138d791..670d96ba5f 100644 --- a/docs/htmldocs/domain-security.html +++ b/docs/htmldocs/domain-security.html @@ -2,10 +2,11 @@ <HTML ><HEAD ><TITLE ->Samba as a NT4 or Win2k domain member</TITLE +>Samba as a NT4 domain member</TITLE ><META NAME="GENERATOR" -CONTENT="Modular DocBook HTML Stylesheet Version 1.7"><LINK +CONTENT="Modular DocBook HTML Stylesheet Version 1.76b+ +"><LINK REL="HOME" TITLE="SAMBA Project Documentation" HREF="samba-howto-collection.html"><LINK 
@@ -72,41 +73,137 @@ WIDTH="100%"></DIV CLASS="CHAPTER" ><H1 ><A -NAME="DOMAIN-SECURITY" -></A ->Chapter 8. Samba as a NT4 or Win2k domain member</H1 +NAME="DOMAIN-SECURITY">Chapter 9. Samba as a NT4 domain member</H1 ><DIV CLASS="SECT1" ><H1 CLASS="SECT1" ><A -NAME="AEN1326" ->8.1. Joining an NT Domain with Samba 3.0</A -></H1 +NAME="AEN1273">9.1. Joining an NT Domain with Samba 2.2</H1 ><P ->Assume you have a Samba 3.0 server with a NetBIOS name of - <CODE +>Assume you have a Samba 2.x server with a NetBIOS name of + <TT CLASS="CONSTANT" ->SERV1</CODE -> and are joining an or Win2k NT domain called - <CODE +>SERV1</TT +> and are joining an NT domain called + <TT CLASS="CONSTANT" ->DOM</CODE +>DOM</TT >, which has a PDC with a NetBIOS name - of <CODE + of <TT CLASS="CONSTANT" ->DOMPDC</CODE +>DOMPDC</TT > and two backup domain controllers - with NetBIOS names <CODE + with NetBIOS names <TT CLASS="CONSTANT" ->DOMBDC1</CODE -> and <CODE +>DOMBDC1</TT +> and <TT CLASS="CONSTANT" >DOMBDC2 - </CODE + </TT >.</P ><P ->Firstly, you must edit your <A +>In order to join the domain, first stop all Samba daemons + and run the command:</P +><P +><TT +CLASS="PROMPT" +>root# </TT +><TT +CLASS="USERINPUT" +><B +>smbpasswd -j DOM -r DOMPDC + -U<TT +CLASS="REPLACEABLE" +><I +>Administrator%password</I +></TT +></B +></TT +></P +><P +>as we are joining the domain DOM and the PDC for that domain + (the only machine that has write access to the domain SAM database) + is DOMPDC. The <TT +CLASS="REPLACEABLE" +><I +>Administrator%password</I +></TT +> is + the login name and password for an account which has the necessary + privilege to add machines to the domain. If this is successful + you will see the message:</P +><P +><TT +CLASS="COMPUTEROUTPUT" +>smbpasswd: Joined domain DOM.</TT +> + </P +><P +>in your terminal window. 
See the <A +HREF="smbpasswd.8.html" +TARGET="_top" +> smbpasswd(8)</A +> man page for more details.</P +><P +>There is existing development code to join a domain + without having to create the machine trust account on the PDC + beforehand. This code will hopefully be available soon + in release branches as well.</P +><P +>This command goes through the machine account password + change protocol, then writes the new (random) machine account + password for this Samba server into a file in the same directory + in which an smbpasswd file would be stored - normally :</P +><P +><TT +CLASS="FILENAME" +>/usr/local/samba/private</TT +></P +><P +>In Samba 2.0.x, the filename looks like this:</P +><P +><TT +CLASS="FILENAME" +><TT +CLASS="REPLACEABLE" +><I +><NT DOMAIN NAME></I +></TT +>.<TT +CLASS="REPLACEABLE" +><I +><Samba + Server Name></I +></TT +>.mac</TT +></P +><P +>The <TT +CLASS="FILENAME" +>.mac</TT +> suffix stands for machine account + password file. So in our example above, the file would be called:</P +><P +><TT +CLASS="FILENAME" +>DOM.SERV1.mac</TT +></P +><P +>In Samba 2.2, this file has been replaced with a TDB + (Trivial Database) file named <TT +CLASS="FILENAME" +>secrets.tdb</TT +>. + </P +><P +>This file is created and owned by root and is not + readable by any other user. It is the key to the domain-level + security for your system, and should be treated as carefully + as a shadow password file.</P +><P +>Now, before restarting the Samba daemons you must + edit your <A HREF="smb.conf.5.html" TARGET="_top" ><TT @@ -119,9 +216,11 @@ CLASS="FILENAME" >Change (or add) your <A HREF="smb.conf.5.html#SECURITY" TARGET="_top" -> <VAR +> <TT CLASS="PARAMETER" ->security =</VAR +><I +>security =</I +></TT ></A > line in the [global] section of your smb.conf to read:</P 
@@ -129,19 +228,16 @@ CLASS="PARAMETER" ><B CLASS="COMMAND" >security = domain</B -> or - <B -CLASS="COMMAND" ->security = ads</B -> depending on if the PDC is - NT4 or running Active Directory respectivly.</P +></P ><P >Next change the <A HREF="smb.conf.5.html#WORKGROUP" TARGET="_top" -><VAR +><TT CLASS="PARAMETER" -> workgroup =</VAR +><I +> workgroup =</I +></TT ></A > line in the [global] section to read: </P ><P @@ -155,22 +251,26 @@ CLASS="COMMAND" >You must also have the parameter <A HREF="smb.conf.5.html#ENCRYPTPASSWORDS" TARGET="_top" -> <VAR +> <TT CLASS="PARAMETER" ->encrypt passwords</VAR +><I +>encrypt passwords</I +></TT ></A -> set to <CODE +> set to <TT CLASS="CONSTANT" >yes - </CODE + </TT > in order for your users to authenticate to the NT PDC.</P ><P >Finally, add (or modify) a <A HREF="smb.conf.5.html#PASSWORDSERVER" TARGET="_top" -> <VAR +> <TT CLASS="PARAMETER" ->password server =</VAR +><I +>password server =</I +></TT ></A > line in the [global] section to read: </P 
@@ -195,71 +295,11 @@ CLASS="COMMAND" >password server = *</B ></P ><P ->This method, allows Samba to use exactly the same - mechanism that NT does. This +>This method, which was introduced in Samba 2.0.6, + allows Samba to use exactly the same mechanism that NT does. This method either broadcasts or uses a WINS database in order to find domain controllers to authenticate against.</P ><P ->In order to actually join the domain, you must run this - command:</P -><P -><SAMP -CLASS="PROMPT" ->root# </SAMP -><KBD -CLASS="USERINPUT" ->net join -S DOMPDC - -U<VAR -CLASS="REPLACEABLE" ->Administrator%password</VAR -></KBD -></P -><P ->as we are joining the domain DOM and the PDC for that domain - (the only machine that has write access to the domain SAM database) - is DOMPDC. The <VAR -CLASS="REPLACEABLE" ->Administrator%password</VAR -> is - the login name and password for an account which has the necessary - privilege to add machines to the domain. If this is successful - you will see the message:</P -><P -><SAMP -CLASS="COMPUTEROUTPUT" ->Joined domain DOM.</SAMP -> - or <SAMP -CLASS="COMPUTEROUTPUT" ->Joined 'SERV1' to realm 'MYREALM'</SAMP -> - </P -><P ->in your terminal window. See the <A -HREF="net.8.html" -TARGET="_top" -> net(8)</A -> man page for more details.</P -><P ->This process joins the server to thedomain - without having to create the machine trust account on the PDC - beforehand.</P -><P ->This command goes through the machine account password - change protocol, then writes the new (random) machine account - password for this Samba server into a file in the same directory - in which an smbpasswd file would be stored - normally :</P -><P -><TT -CLASS="FILENAME" ->/usr/local/samba/private/secrets.tdb</TT -></P -><P ->This file is created and owned by root and is not - readable by any other user. 
It is the key to the domain-level - security for your system, and should be treated as carefully - as a shadow password file.</P -><P >Finally, restart your Samba daemons and get ready for clients to begin using domain security!</P ></DIV 
@@ -268,30 +308,37 @@ CLASS="SECT1" ><H1 CLASS="SECT1" ><A -NAME="AEN1381" ->8.2. Samba and Windows 2000 Domains</A -></H1 +NAME="AEN1337">9.2. Samba and Windows 2000 Domains</H1 ><P >Many people have asked regarding the state of Samba's ability to participate in a Windows 2000 Domain. Samba 3.0 is able to act as a member server of a Windows -2000 domain operating in mixed or native mode. The steps above apply -to both NT4 and Windows 2000.</P +2000 domain operating in mixed or native mode.</P +><P +>There is much confusion between the circumstances that require a "mixed" mode +Win2k DC and a when this host can be switched to "native" mode. A "mixed" mode +Win2k domain controller is only needed if Windows NT BDCs must exist in the same +domain. By default, a Win2k DC in "native" mode will still support +NetBIOS and NTLMv1 for authentication of legacy clients such as Windows 9x and +NT 4.0. Samba has the same requirements as a Windows NT 4.0 member server.</P +><P +>The steps for adding a Samba 2.2 host to a Win2k domain are the same as those +for adding a Samba server to a Windows NT 4.0 domain. The only exception is that +the "Server Manager" from NT 4 has been replaced by the "Active Directory Users and +Computers" MMC (Microsoft Management Console) plugin.</P ></DIV ><DIV CLASS="SECT1" ><H1 CLASS="SECT1" ><A -NAME="AEN1384" ->8.3. Why is this better than security = server?</A -></H1 +NAME="AEN1342">9.3. Why is this better than security = server?</H1 ><P >Currently, domain security in Samba doesn't free you from having to create local Unix users to represent the users attaching - to your server. This means that if domain user <CODE + to your server. This means that if domain user <TT CLASS="CONSTANT" >DOM\fred - </CODE + </TT > attaches to your domain security Samba server, there needs to be a local Unix user fred to represent that user in the Unix filesystem. This is very similar to the older Samba security mode 
@@ -340,7 +387,13 @@ CLASS="COMMAND" >And finally, acting in the same manner as an NT server authenticating to a PDC means that as part of the authentication reply, the Samba server gets the user identification information such - as the user SID, the list of NT groups the user belongs to, etc. </P + as the user SID, the list of NT groups the user belongs to, etc. All + this information will allow Samba to be extended in the future into + a mode the developers currently call appliance mode. In this mode, + no local Unix users will be necessary, and Samba will generate Unix + uids and gids from the information passed back from the PDC when a + user is authenticated, making a Samba server truly plug and play + in an NT domain environment. Watch for this code soon.</P ><P ><SPAN CLASS="emphasis" |
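Review bot: the join procedure in the @@ -72,41 +73,137 @@ hunk never tells the reader to create the machine trust account on the PDC before running `smbpasswd -j`, yet the text immediately after it says that joining "without having to create the machine trust account on the PDC beforehand" is still development code, so the command as documented fails unless that account already exists. Suggest a step ahead of the `smbpasswd -j DOM -r DOMPDC -UAdministrator%password` line saying the SERV1 computer account must first be added on DOMPDC (Server Manager on NT4, the Active Directory Users and Computers snap-in on Win2k, which 9.2 already mentions). The same hunk puts the Administrator password on the command line; a sentence that this is visible to other local users in process listings and is recorded in shell history would be appropriate next to the warning about guarding secrets.tdb like a shadow file, as would a reminder that the account only needs the "privilege to add machines to the domain" the text itself describes, not a full Administrator login. Finally, "This code will hopefully be available soon in release branches as well" is a forward-looking promise that will go stale in a released manual; name the version or drop it.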
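Review bot: in the @@ -195,71 +295,11 @@ hunk the surviving text says `password server = *` "either broadcasts or uses a WINS database in order to find domain controllers" but says nothing about what that means for trust: the server will contact whichever host answers for DOM. Since the machine account password stored in secrets.tdb is what lets the server confirm it is talking to a genuine DC, it would help to state that here, and to point out that listing DOMPDC DOMBDC1 DOMBDC2 explicitly, the names introduced at the top of the chapter, restricts which hosts are contacted at all. "This method, which was introduced in Samba 2.0.6" is fine as history but the security consequence is the part a reader configuring `*` needs.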
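Review bot: the @@ -268,30 +308,37 @@ hunk leaves the unchanged context line "Samba 3.0 is able to act as a member server of a Windows 2000 domain" directly above new text that says "The steps for adding a Samba 2.2 host to a Win2k domain", so section 9.2 now names both versions after the chapter was retitled for 2.2; change the context sentence to match. The added sentence "require a "mixed" mode Win2k DC and a when this host can be switched to "native" mode" has a stray "a". The statement that a native-mode Win2k DC "will still support NetBIOS and NTLMv1 for authentication of legacy clients" is the load-bearing claim of the section, so it is worth adding the converse: because, as the text says, "Samba has the same requirements as a Windows NT 4.0 member server", an administrator who turns off NetBIOS or NTLMv1 on the DC will also lock out this Samba release, and there is no `security = ads` fallback in 2.2 (that alternative is removed in the @@ -129,19 +228,16 @@ hunk).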
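Review bot: the appliance-mode paragraph added in the @@ -340,7 +387,13 @@ hunk ends with "Watch for this code soon", which is a roadmap note rather than documentation and will be wrong the day it stops being soon; either name the planned version or cut the last sentence and keep the factual part (that the authentication reply carries the user SID and the list of NT groups, which is what would make operation without local Unix accounts possible). The wording "Samba will generate Unix uids and gids from the information passed back from the PDC" should also make clear that this is a future mode, since the section is arguing why domain security beats `security = server` today and the sentence two lines above it still says the current release requires a local Unix user for every domain user.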
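Review bot: minor style point on the first hunk (@@ -2,10 +2,11 @@): the new title reads "Samba as a NT4 domain member"; since "NT" is read as "en-tee", "an NT4 domain member" is the conventional article, and the same applies to the Chapter 9 heading in the following hunk.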