summaryrefslogtreecommitdiff
path: root/docs/htmldocs/domain-security.html
diff options
context:
space:
mode:
Diffstat (limited to 'docs/htmldocs/domain-security.html')
-rw-r--r--docs/htmldocs/domain-security.html427
1 files changed, 0 insertions, 427 deletions
diff --git a/docs/htmldocs/domain-security.html b/docs/htmldocs/domain-security.html
deleted file mode 100644
index ddbc4624b8..0000000000
--- a/docs/htmldocs/domain-security.html
+++ /dev/null
@@ -1,427 +0,0 @@
-<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
-<HTML
-><HEAD
-><TITLE
->Samba as a NT4 or Win2k domain member</TITLE
-><META
-NAME="GENERATOR"
-CONTENT="Modular DocBook HTML Stylesheet Version 1.7"><LINK
-REL="HOME"
-TITLE="SAMBA Project Documentation"
-HREF="samba-howto-collection.html"><LINK
-REL="UP"
-TITLE="Type of installation"
-HREF="type.html"><LINK
-REL="PREVIOUS"
-TITLE="Samba as a ADS domain member"
-HREF="ads.html"><LINK
-REL="NEXT"
-TITLE="Advanced Configuration"
-HREF="optional.html"></HEAD
-><BODY
-CLASS="CHAPTER"
-BGCOLOR="#FFFFFF"
-TEXT="#000000"
-LINK="#0000FF"
-VLINK="#840084"
-ALINK="#0000FF"
-><DIV
-CLASS="NAVHEADER"
-><TABLE
-SUMMARY="Header navigation table"
-WIDTH="100%"
-BORDER="0"
-CELLPADDING="0"
-CELLSPACING="0"
-><TR
-><TH
-COLSPAN="3"
-ALIGN="center"
->SAMBA Project Documentation</TH
-></TR
-><TR
-><TD
-WIDTH="10%"
-ALIGN="left"
-VALIGN="bottom"
-><A
-HREF="ads.html"
-ACCESSKEY="P"
->Prev</A
-></TD
-><TD
-WIDTH="80%"
-ALIGN="center"
-VALIGN="bottom"
-></TD
-><TD
-WIDTH="10%"
-ALIGN="right"
-VALIGN="bottom"
-><A
-HREF="optional.html"
-ACCESSKEY="N"
->Next</A
-></TD
-></TR
-></TABLE
-><HR
-ALIGN="LEFT"
-WIDTH="100%"></DIV
-><DIV
-CLASS="CHAPTER"
-><H1
-><A
-NAME="DOMAIN-SECURITY"
-></A
->Chapter 9. Samba as a NT4 or Win2k domain member</H1
-><DIV
-CLASS="SECT1"
-><H1
-CLASS="SECT1"
-><A
-NAME="AEN1439"
->9.1. Joining an NT Domain with Samba 3.0</A
-></H1
-><P
->Assume you have a Samba 3.0 server with a NetBIOS name of
- <CODE
-CLASS="CONSTANT"
->SERV1</CODE
-> and are joining an or Win2k NT domain called
- <CODE
-CLASS="CONSTANT"
->DOM</CODE
->, which has a PDC with a NetBIOS name
- of <CODE
-CLASS="CONSTANT"
->DOMPDC</CODE
-> and two backup domain controllers
- with NetBIOS names <CODE
-CLASS="CONSTANT"
->DOMBDC1</CODE
-> and <CODE
-CLASS="CONSTANT"
->DOMBDC2
- </CODE
->.</P
-><P
->Firstly, you must edit your <TT
-CLASS="FILENAME"
->smb.conf</TT
-> file to tell Samba it should
- now use domain security.</P
-><P
->Change (or add) your <A
-HREF="smb.conf.5.html#SECURITY"
-TARGET="_top"
-> <VAR
-CLASS="PARAMETER"
->security =</VAR
-></A
-> line in the [global] section
- of your <TT
-CLASS="FILENAME"
->smb.conf</TT
-> to read:</P
-><P
-><B
-CLASS="COMMAND"
->security = domain</B
-></P
-><P
->Next change the <A
-HREF="smb.conf.5.html#WORKGROUP"
-TARGET="_top"
-><VAR
-CLASS="PARAMETER"
-> workgroup =</VAR
-></A
-> line in the [global] section to read: </P
-><P
-><B
-CLASS="COMMAND"
->workgroup = DOM</B
-></P
-><P
->as this is the name of the domain we are joining. </P
-><P
->You must also have the parameter <A
-HREF="smb.conf.5.html#ENCRYPTPASSWORDS"
-TARGET="_top"
-> <VAR
-CLASS="PARAMETER"
->encrypt passwords</VAR
-></A
-> set to <CODE
-CLASS="CONSTANT"
->yes
- </CODE
-> in order for your users to authenticate to the NT PDC.</P
-><P
->Finally, add (or modify) a <A
-HREF="smb.conf.5.html#PASSWORDSERVER"
-TARGET="_top"
-> <VAR
-CLASS="PARAMETER"
->password server =</VAR
-></A
-> line in the [global]
- section to read: </P
-><P
-><B
-CLASS="COMMAND"
->password server = DOMPDC DOMBDC1 DOMBDC2</B
-></P
-><P
->These are the primary and backup domain controllers Samba
- will attempt to contact in order to authenticate users. Samba will
- try to contact each of these servers in order, so you may want to
- rearrange this list in order to spread out the authentication load
- among domain controllers.</P
-><P
->Alternatively, if you want smbd to automatically determine
- the list of Domain controllers to use for authentication, you may
- set this line to be :</P
-><P
-><B
-CLASS="COMMAND"
->password server = *</B
-></P
-><P
->This method, allows Samba to use exactly the same
- mechanism that NT does. This
- method either broadcasts or uses a WINS database in order to
- find domain controllers to authenticate against.</P
-><P
->In order to actually join the domain, you must run this
- command:</P
-><P
-><SAMP
-CLASS="PROMPT"
->root# </SAMP
-><KBD
-CLASS="USERINPUT"
->net rpc join -S DOMPDC
- -U<VAR
-CLASS="REPLACEABLE"
->Administrator%password</VAR
-></KBD
-></P
-><P
->as we are joining the domain DOM and the PDC for that domain
- (the only machine that has write access to the domain SAM database)
- is DOMPDC. The <VAR
-CLASS="REPLACEABLE"
->Administrator%password</VAR
-> is
- the login name and password for an account which has the necessary
- privilege to add machines to the domain. If this is successful
- you will see the message:</P
-><P
-><SAMP
-CLASS="COMPUTEROUTPUT"
->Joined domain DOM.</SAMP
->
- or <SAMP
-CLASS="COMPUTEROUTPUT"
->Joined 'SERV1' to realm 'MYREALM'</SAMP
->
- </P
-><P
->in your terminal window. See the <A
-HREF="net.8.html"
-TARGET="_top"
-> net(8)</A
-> man page for more details.</P
-><P
->This process joins the server to thedomain
- without having to create the machine trust account on the PDC
- beforehand.</P
-><P
->This command goes through the machine account password
- change protocol, then writes the new (random) machine account
- password for this Samba server into a file in the same directory
- in which an smbpasswd file would be stored - normally :</P
-><P
-><TT
-CLASS="FILENAME"
->/usr/local/samba/private/secrets.tdb</TT
-></P
-><P
->This file is created and owned by root and is not
- readable by any other user. It is the key to the domain-level
- security for your system, and should be treated as carefully
- as a shadow password file.</P
-><P
->Finally, restart your Samba daemons and get ready for
- clients to begin using domain security!</P
-></DIV
-><DIV
-CLASS="SECT1"
-><H1
-CLASS="SECT1"
-><A
-NAME="AEN1493"
->9.2. Why is this better than security = server?</A
-></H1
-><P
->Currently, domain security in Samba doesn't free you from
- having to create local Unix users to represent the users attaching
- to your server. This means that if domain user <CODE
-CLASS="CONSTANT"
->DOM\fred
- </CODE
-> attaches to your domain security Samba server, there needs
- to be a local Unix user fred to represent that user in the Unix
- filesystem. This is very similar to the older Samba security mode
- <A
-HREF="smb.conf.5.html#SECURITYEQUALSSERVER"
-TARGET="_top"
->security = server</A
->,
- where Samba would pass through the authentication request to a Windows
- NT server in the same way as a Windows 95 or Windows 98 server would.
- </P
-><P
->Please refer to the <A
-HREF="winbind.html"
-TARGET="_top"
->Winbind
- paper</A
-> for information on a system to automatically
- assign UNIX uids and gids to Windows NT Domain users and groups.
- This code is available in development branches only at the moment,
- but will be moved to release branches soon.</P
-><P
->The advantage to domain-level security is that the
- authentication in domain-level security is passed down the authenticated
- RPC channel in exactly the same way that an NT server would do it. This
- means Samba servers now participate in domain trust relationships in
- exactly the same way NT servers do (i.e., you can add Samba servers into
- a resource domain and have the authentication passed on from a resource
- domain PDC to an account domain PDC.</P
-><P
->In addition, with <B
-CLASS="COMMAND"
->security = server</B
-> every Samba
- daemon on a server has to keep a connection open to the
- authenticating server for as long as that daemon lasts. This can drain
- the connection resources on a Microsoft NT server and cause it to run
- out of available connections. With <B
-CLASS="COMMAND"
->security = domain</B
->,
- however, the Samba daemons connect to the PDC/BDC only for as long
- as is necessary to authenticate the user, and then drop the connection,
- thus conserving PDC connection resources.</P
-><P
->And finally, acting in the same manner as an NT server
- authenticating to a PDC means that as part of the authentication
- reply, the Samba server gets the user identification information such
- as the user SID, the list of NT groups the user belongs to, etc. </P
-><DIV
-CLASS="NOTE"
-><P
-></P
-><TABLE
-CLASS="NOTE"
-WIDTH="100%"
-BORDER="0"
-><TR
-><TD
-WIDTH="25"
-ALIGN="CENTER"
-VALIGN="TOP"
-><IMG
-SRC="/usr/share/sgml/docbook/stylesheet/dsssl/modular/images/note.gif"
-HSPACE="5"
-ALT="Note"></TD
-><TD
-ALIGN="LEFT"
-VALIGN="TOP"
-><P
-> Much of the text of this document
- was first published in the Web magazine <A
-HREF="http://www.linuxworld.com"
-TARGET="_top"
->
- LinuxWorld</A
-> as the article <A
-HREF="http://www.linuxworld.com/linuxworld/lw-1998-10/lw-10-samba.html"
-TARGET="_top"
->Doing
- the NIS/NT Samba</A
->.</P
-></TD
-></TR
-></TABLE
-></DIV
-></DIV
-></DIV
-><DIV
-CLASS="NAVFOOTER"
-><HR
-ALIGN="LEFT"
-WIDTH="100%"><TABLE
-SUMMARY="Footer navigation table"
-WIDTH="100%"
-BORDER="0"
-CELLPADDING="0"
-CELLSPACING="0"
-><TR
-><TD
-WIDTH="33%"
-ALIGN="left"
-VALIGN="top"
-><A
-HREF="ads.html"
-ACCESSKEY="P"
->Prev</A
-></TD
-><TD
-WIDTH="34%"
-ALIGN="center"
-VALIGN="top"
-><A
-HREF="samba-howto-collection.html"
-ACCESSKEY="H"
->Home</A
-></TD
-><TD
-WIDTH="33%"
-ALIGN="right"
-VALIGN="top"
-><A
-HREF="optional.html"
-ACCESSKEY="N"
->Next</A
-></TD
-></TR
-><TR
-><TD
-WIDTH="33%"
-ALIGN="left"
-VALIGN="top"
->Samba as a ADS domain member</TD
-><TD
-WIDTH="34%"
-ALIGN="center"
-VALIGN="top"
-><A
-HREF="type.html"
-ACCESSKEY="U"
->Up</A
-></TD
-><TD
-WIDTH="33%"
-ALIGN="right"
-VALIGN="top"
->Advanced Configuration</TD
-></TR
-></TABLE
-></DIV
-></BODY
-></HTML
-> \ No newline at end of file