Diffstat (limited to 'docs/htmldocs/domain-security.html')
-rw-r--r-- | docs/htmldocs/domain-security.html | 427 |
1 files changed, 0 insertions, 427 deletions
diff --git a/docs/htmldocs/domain-security.html b/docs/htmldocs/domain-security.html deleted file mode 100644 index ddbc4624b8..0000000000 --- a/docs/htmldocs/domain-security.html +++ /dev/null 
@@ -1,427 +0,0 @@ -<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"> -<HTML -><HEAD -><TITLE ->Samba as a NT4 or Win2k domain member</TITLE -><META -NAME="GENERATOR" -CONTENT="Modular DocBook HTML Stylesheet Version 1.7"><LINK -REL="HOME" -TITLE="SAMBA Project Documentation" -HREF="samba-howto-collection.html"><LINK -REL="UP" -TITLE="Type of installation" -HREF="type.html"><LINK -REL="PREVIOUS" -TITLE="Samba as a ADS domain member" -HREF="ads.html"><LINK -REL="NEXT" -TITLE="Advanced Configuration" -HREF="optional.html"></HEAD -><BODY -CLASS="CHAPTER" -BGCOLOR="#FFFFFF" -TEXT="#000000" -LINK="#0000FF" -VLINK="#840084" -ALINK="#0000FF" -><DIV -CLASS="NAVHEADER" -><TABLE -SUMMARY="Header navigation table" -WIDTH="100%" -BORDER="0" -CELLPADDING="0" -CELLSPACING="0" -><TR -><TH -COLSPAN="3" -ALIGN="center" ->SAMBA Project Documentation</TH -></TR -><TR -><TD -WIDTH="10%" -ALIGN="left" -VALIGN="bottom" -><A -HREF="ads.html" -ACCESSKEY="P" ->Prev</A -></TD -><TD -WIDTH="80%" -ALIGN="center" -VALIGN="bottom" -></TD -><TD -WIDTH="10%" -ALIGN="right" -VALIGN="bottom" -><A -HREF="optional.html" -ACCESSKEY="N" ->Next</A -></TD -></TR -></TABLE -><HR -ALIGN="LEFT" -WIDTH="100%"></DIV -><DIV -CLASS="CHAPTER" -><H1 -><A -NAME="DOMAIN-SECURITY" -></A ->Chapter 9. Samba as a NT4 or Win2k domain member</H1 -><DIV -CLASS="SECT1" -><H1 -CLASS="SECT1" -><A -NAME="AEN1439" ->9.1. 
Joining an NT Domain with Samba 3.0</A -></H1 -><P ->Assume you have a Samba 3.0 server with a NetBIOS name of - <CODE -CLASS="CONSTANT" ->SERV1</CODE -> and are joining an or Win2k NT domain called - <CODE -CLASS="CONSTANT" ->DOM</CODE ->, which has a PDC with a NetBIOS name - of <CODE -CLASS="CONSTANT" ->DOMPDC</CODE -> and two backup domain controllers - with NetBIOS names <CODE -CLASS="CONSTANT" ->DOMBDC1</CODE -> and <CODE -CLASS="CONSTANT" ->DOMBDC2 - </CODE ->.</P -><P ->Firstly, you must edit your <TT -CLASS="FILENAME" ->smb.conf</TT -> file to tell Samba it should - now use domain security.</P -><P ->Change (or add) your <A -HREF="smb.conf.5.html#SECURITY" -TARGET="_top" -> <VAR -CLASS="PARAMETER" ->security =</VAR -></A -> line in the [global] section - of your <TT -CLASS="FILENAME" ->smb.conf</TT -> to read:</P -><P -><B -CLASS="COMMAND" ->security = domain</B -></P -><P ->Next change the <A -HREF="smb.conf.5.html#WORKGROUP" -TARGET="_top" -><VAR -CLASS="PARAMETER" -> workgroup =</VAR -></A -> line in the [global] section to read: </P -><P -><B -CLASS="COMMAND" ->workgroup = DOM</B -></P -><P ->as this is the name of the domain we are joining. </P -><P ->You must also have the parameter <A -HREF="smb.conf.5.html#ENCRYPTPASSWORDS" -TARGET="_top" -> <VAR -CLASS="PARAMETER" ->encrypt passwords</VAR -></A -> set to <CODE -CLASS="CONSTANT" ->yes - </CODE -> in order for your users to authenticate to the NT PDC.</P -><P ->Finally, add (or modify) a <A -HREF="smb.conf.5.html#PASSWORDSERVER" -TARGET="_top" -> <VAR -CLASS="PARAMETER" ->password server =</VAR -></A -> line in the [global] - section to read: </P -><P -><B -CLASS="COMMAND" ->password server = DOMPDC DOMBDC1 DOMBDC2</B -></P -><P ->These are the primary and backup domain controllers Samba - will attempt to contact in order to authenticate users. 
Samba will - try to contact each of these servers in order, so you may want to - rearrange this list in order to spread out the authentication load - among domain controllers.</P -><P ->Alternatively, if you want smbd to automatically determine - the list of Domain controllers to use for authentication, you may - set this line to be :</P -><P -><B -CLASS="COMMAND" ->password server = *</B -></P -><P ->This method, allows Samba to use exactly the same - mechanism that NT does. This - method either broadcasts or uses a WINS database in order to - find domain controllers to authenticate against.</P -><P ->In order to actually join the domain, you must run this - command:</P -><P -><SAMP -CLASS="PROMPT" ->root# </SAMP -><KBD -CLASS="USERINPUT" ->net rpc join -S DOMPDC - -U<VAR -CLASS="REPLACEABLE" ->Administrator%password</VAR -></KBD -></P -><P ->as we are joining the domain DOM and the PDC for that domain - (the only machine that has write access to the domain SAM database) - is DOMPDC. The <VAR -CLASS="REPLACEABLE" ->Administrator%password</VAR -> is - the login name and password for an account which has the necessary - privilege to add machines to the domain. If this is successful - you will see the message:</P -><P -><SAMP -CLASS="COMPUTEROUTPUT" ->Joined domain DOM.</SAMP -> - or <SAMP -CLASS="COMPUTEROUTPUT" ->Joined 'SERV1' to realm 'MYREALM'</SAMP -> - </P -><P ->in your terminal window. 
See the <A -HREF="net.8.html" -TARGET="_top" -> net(8)</A -> man page for more details.</P -><P ->This process joins the server to thedomain - without having to create the machine trust account on the PDC - beforehand.</P -><P ->This command goes through the machine account password - change protocol, then writes the new (random) machine account - password for this Samba server into a file in the same directory - in which an smbpasswd file would be stored - normally :</P -><P -><TT -CLASS="FILENAME" ->/usr/local/samba/private/secrets.tdb</TT -></P -><P ->This file is created and owned by root and is not - readable by any other user. It is the key to the domain-level - security for your system, and should be treated as carefully - as a shadow password file.</P -><P ->Finally, restart your Samba daemons and get ready for - clients to begin using domain security!</P -></DIV -><DIV -CLASS="SECT1" -><H1 -CLASS="SECT1" -><A -NAME="AEN1493" ->9.2. Why is this better than security = server?</A -></H1 -><P ->Currently, domain security in Samba doesn't free you from - having to create local Unix users to represent the users attaching - to your server. This means that if domain user <CODE -CLASS="CONSTANT" ->DOM\fred - </CODE -> attaches to your domain security Samba server, there needs - to be a local Unix user fred to represent that user in the Unix - filesystem. This is very similar to the older Samba security mode - <A -HREF="smb.conf.5.html#SECURITYEQUALSSERVER" -TARGET="_top" ->security = server</A ->, - where Samba would pass through the authentication request to a Windows - NT server in the same way as a Windows 95 or Windows 98 server would. - </P -><P ->Please refer to the <A -HREF="winbind.html" -TARGET="_top" ->Winbind - paper</A -> for information on a system to automatically - assign UNIX uids and gids to Windows NT Domain users and groups. 
- This code is available in development branches only at the moment, - but will be moved to release branches soon.</P -><P ->The advantage to domain-level security is that the - authentication in domain-level security is passed down the authenticated - RPC channel in exactly the same way that an NT server would do it. This - means Samba servers now participate in domain trust relationships in - exactly the same way NT servers do (i.e., you can add Samba servers into - a resource domain and have the authentication passed on from a resource - domain PDC to an account domain PDC.</P -><P ->In addition, with <B -CLASS="COMMAND" ->security = server</B -> every Samba - daemon on a server has to keep a connection open to the - authenticating server for as long as that daemon lasts. This can drain - the connection resources on a Microsoft NT server and cause it to run - out of available connections. With <B -CLASS="COMMAND" ->security = domain</B ->, - however, the Samba daemons connect to the PDC/BDC only for as long - as is necessary to authenticate the user, and then drop the connection, - thus conserving PDC connection resources.</P -><P ->And finally, acting in the same manner as an NT server - authenticating to a PDC means that as part of the authentication - reply, the Samba server gets the user identification information such - as the user SID, the list of NT groups the user belongs to, etc. 
</P -><DIV -CLASS="NOTE" -><P -></P -><TABLE -CLASS="NOTE" -WIDTH="100%" -BORDER="0" -><TR -><TD -WIDTH="25" -ALIGN="CENTER" -VALIGN="TOP" -><IMG -SRC="/usr/share/sgml/docbook/stylesheet/dsssl/modular/images/note.gif" -HSPACE="5" -ALT="Note"></TD -><TD -ALIGN="LEFT" -VALIGN="TOP" -><P -> Much of the text of this document - was first published in the Web magazine <A -HREF="http://www.linuxworld.com" -TARGET="_top" -> - LinuxWorld</A -> as the article <A -HREF="http://www.linuxworld.com/linuxworld/lw-1998-10/lw-10-samba.html" -TARGET="_top" ->Doing - the NIS/NT Samba</A ->.</P -></TD -></TR -></TABLE -></DIV -></DIV -></DIV -><DIV -CLASS="NAVFOOTER" -><HR -ALIGN="LEFT" -WIDTH="100%"><TABLE -SUMMARY="Footer navigation table" -WIDTH="100%" -BORDER="0" -CELLPADDING="0" -CELLSPACING="0" -><TR -><TD -WIDTH="33%" -ALIGN="left" -VALIGN="top" -><A -HREF="ads.html" -ACCESSKEY="P" ->Prev</A -></TD -><TD -WIDTH="34%" -ALIGN="center" -VALIGN="top" -><A -HREF="samba-howto-collection.html" -ACCESSKEY="H" ->Home</A -></TD -><TD -WIDTH="33%" -ALIGN="right" -VALIGN="top" -><A -HREF="optional.html" -ACCESSKEY="N" ->Next</A -></TD -></TR -><TR -><TD -WIDTH="33%" -ALIGN="left" -VALIGN="top" ->Samba as a ADS domain member</TD -><TD -WIDTH="34%" -ALIGN="center" -VALIGN="top" -><A -HREF="type.html" -ACCESSKEY="U" ->Up</A -></TD -><TD -WIDTH="33%" -ALIGN="right" -VALIGN="top" ->Advanced Configuration</TD -></TR -></TABLE -></DIV -></BODY -></HTML ->
\ No newline at end of file |
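Review bot: the diffstat shows only the removal of docs/htmldocs/domain-security.html, with no matching change to a DocBook source or to the neighbouring pages that link to it, so ads.html (PREVIOUS), optional.html (NEXT), type.html (UP) and samba-howto-collection.html (HOME) will carry dangling links to domain-security.html unless they are regenerated in the same change; either include the regenerated neighbours here or state in the commit message that the htmldocs tree is rebuilt from source at release time. It is also worth confirming that the operational guidance in the deleted text survives in the live documentation: the warning that secrets.tdb "is created and owned by root and is not readable by any other user" and "should be treated as carefully as a shadow password file", and the description of "password server = *" as finding domain controllers by broadcast or WINS lookup, are the two points a reader hardening a domain member most needs to find somewhere.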