path: root/docs/htmldocs/samba-pdc.html
Diffstat (limited to 'docs/htmldocs/samba-pdc.html')
-rw-r--r--  docs/htmldocs/samba-pdc.html  510
1 files changed, 510 insertions, 0 deletions
diff --git a/docs/htmldocs/samba-pdc.html b/docs/htmldocs/samba-pdc.html
new file mode 100644
index 0000000000..aab2d4207c
--- /dev/null
+++ b/docs/htmldocs/samba-pdc.html
@@ -0,0 +1,510 @@
+<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Chapter 5. Domain Control</title><link rel="stylesheet" href="samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.60.1"><link rel="home" href="samba-doc.html" title="SAMBA Project Documentation"><link rel="up" href="type.html" title="Part II. Server Configuration Basics"><link rel="previous" href="ServerType.html" title="Chapter 4. Server Types and Security Modes"><link rel="next" href="samba-bdc.html" title="Chapter 6. Backup Domain Control"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Chapter 5. Domain Control</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="ServerType.html">Prev</a> </td><th width="60%" align="center">Part II. Server Configuration Basics</th><td width="20%" align="right"> <a accesskey="n" href="samba-bdc.html">Next</a></td></tr></table><hr></div><div class="chapter" lang="en"><div class="titlepage"><div><div><h2 class="title"><a name="samba-pdc"></a>Chapter 5. 
Domain Control</h2></div><div><div class="author"><h3 class="author"><span class="firstname">John</span> <span class="othername">H.</span> <span class="surname">Terpstra</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><tt class="email">&lt;<a href="mailto:jht@samba.org">jht@samba.org</a>&gt;</tt></p></div></div></div></div><div><div class="author"><h3 class="author"><span class="firstname">Gerald</span> <span class="othername">(Jerry)</span> <span class="surname">Carter</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><tt class="email">&lt;<a href="mailto:jerry@samba.org">jerry@samba.org</a>&gt;</tt></p></div></div></div></div><div><div class="author"><h3 class="author"><span class="firstname">David</span> <span class="surname">Bannon</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><tt class="email">&lt;<a href="mailto:dbannon@samba.org">dbannon@samba.org</a>&gt;</tt></p></div></div></div></div></div><div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><a href="samba-pdc.html#id2886861">Features and Benefits</a></dt><dt><a href="samba-pdc.html#id2887076">Basics of Domain Control</a></dt><dd><dl><dt><a href="samba-pdc.html#id2887090">Domain Controller Types</a></dt><dt><a href="samba-pdc.html#id2887335">Preparing for Domain Control</a></dt></dl></dd><dt><a href="samba-pdc.html#id2887717">Domain Control - Example Configuration</a></dt><dt><a href="samba-pdc.html#id2888205">Samba ADS Domain Control</a></dt><dt><a href="samba-pdc.html#id2888257">Domain and Network Logon Configuration</a></dt><dd><dl><dt><a href="samba-pdc.html#id2888272">Domain Network Logon Service</a></dt><dt><a href="samba-pdc.html#id2888704">Security Mode and Master Browsers</a></dt></dl></dd><dt><a href="samba-pdc.html#id2888850">Common Errors</a></dt><dd><dl><dt><a href="samba-pdc.html#id2888857">'$' cannot be 
included in machine name</a></dt><dt><a href="samba-pdc.html#id2888916">Joining domain fails because of existing machine account</a></dt><dt><a href="samba-pdc.html#id2888975">The system can not log you on (C000019B)....</a></dt><dt><a href="samba-pdc.html#id2889059">The machine trust account not accessible</a></dt><dt><a href="samba-pdc.html#id2889131">Account disabled</a></dt><dt><a href="samba-pdc.html#id2889164">Domain Controller Unavailable</a></dt><dt><a href="samba-pdc.html#id2889186">Can not log onto domain member workstation after joining domain</a></dt></dl></dd></dl></div><p><b><span class="emphasis"><em>The Essence of Learning:</em></span> </b>
+There are many who approach MS Windows networking with incredible misconceptions.
+That's OK, because it gives the rest of us plenty of opportunity to be of assistance.
+Those who really want help would be well advised to become familiar with information
+that is already available.
+</p><p>
+The reader is advised NOT to tackle this section without having first understood
+and mastered some basics. MS Windows networking is not particularly forgiving of
+misconfiguration. Users of MS Windows networking are likely to complain
+of persistent niggles that may be caused by a broken network configuration.
+To a great many people however, MS Windows networking starts with a domain controller
+that in some magical way is expected to solve all ills.
+</p><div class="figure"><a name="domain-example"></a><p class="title"><b>Figure 5.1. An Example Domain</b></p><div class="mediaobject"><img src="projdoc/imagefiles/domain.png" width="270" alt="An Example Domain"></div></div><p>
+From the Samba mailing list one can readily identify many common networking issues.
+If you are not clear on the following subjects, then it will do much good to read the
+sections of this HOWTO that deal with it. These are the most common causes of MS Windows
+networking problems:
+</p><div class="itemizedlist"><ul type="disc"><li><p>Basic TCP/IP configuration</p></li><li><p>NetBIOS name resolution</p></li><li><p>Authentication configuration</p></li><li><p>User and Group configuration</p></li><li><p>Basic File and Directory Permission Control in UNIX/Linux</p></li><li><p>Understanding of how MS Windows clients interoperate in a network
+ environment</p></li></ul></div><p>
+Do not be put off; on the surface of it MS Windows networking seems so simple that anyone
+can do it. In fact, it is not a good idea to set up an MS Windows network with
+inadequate training and preparation. But let's get our first indelible principle out of the
+way: <span class="emphasis"><em>It is perfectly OK to make mistakes!</em></span> In the right place and at
+the right time, mistakes are the essence of learning. It is <span class="emphasis"><em>very much</em></span>
+not ok to make mistakes that cause loss of productivity and impose an avoidable financial
+burden on an organisation.
+</p><p>
+Where is the right place to make mistakes? Only out of harm's way! If you are going to
+make mistakes, then please do this on a test network, away from users and in such a way as
+to not inflict pain on others. Do your learning on a test network.
+</p><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2886861"></a>Features and Benefits</h2></div></div><div></div></div><p>
+<span class="emphasis"><em>What is the key benefit of Microsoft Domain security?</em></span>
+</p><p>
+In a word, <span class="emphasis"><em>Single Sign On</em></span>, or SSO for short. To many, this is the holy
+grail of MS Windows NT and beyond networking. SSO allows users in a well designed network
+to log onto any workstation that is a member of the domain that their user account is in
+(or in a domain that has an appropriate trust relationship with the domain they are visiting)
+and they will be able to log onto the network and access resources (shares, files, and printers)
+as if they are sitting at their home (personal) workstation. This is a feature of the Domain
+security protocols.
+</p><p>
+The benefits of Domain security are available to those sites that deploy a Samba PDC.
+A Domain provides a unique network security identifier (SID). Domain user and group security
+identifiers are comprised of the network SID plus a relative identifier (RID) that is unique to
+the account. User and Group SIDs (the network SID plus the RID) can be used to create Access Control
+Lists (ACLs) attached to network resources to provide organizational access control. UNIX systems
+know only of local security identifiers.
+</p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>
+Network clients of an MS Windows Domain security environment must be Domain members to be
+able to gain access to the advanced features provided. Domain membership involves more than just
+setting the workgroup name to the Domain name. It requires the creation of a Domain trust account
+for the workstation (called a machine account). Please refer to the chapter on
+<a href="domain-member.html" title="Chapter 7. Domain Membership">setting up samba as a domain member</a> for more information.
+</p></div><p>
+The following functionalities are new to the Samba-3 release:
+</p><div class="itemizedlist"><ul type="disc"><li><p>
+ Windows NT4 domain trusts
+ </p></li><li><p>
+ Adding users via the User Manager for Domains. This can be done on any MS Windows
+ client using the Nexus toolkit that is available from Microsoft's web site.
+ Samba-3 supports the use of the Microsoft Management Console for user management.
+ </p></li><li><p>
+ Introduces replaceable and multiple user account (authentication)
+ back ends. In the case where the back end is placed in an LDAP database,
+ Samba-3 confers the benefits of a back end that can be distributed, replicated,
+ and is highly scalable.
+ </p></li><li><p>
+ Implements full Unicode support. This simplifies cross locale internationalisation
+ support. It also opens up the use of protocols that Samba-2.2.x had but could not use due
+ to the need to fully support Unicode.
+ </p></li></ul></div><p>
+The following functionalities are NOT provided by Samba-3:
+</p><div class="itemizedlist"><ul type="disc"><li><p>
+ SAM replication with Windows NT4 Domain Controllers
+ (i.e. a Samba PDC and a Windows NT BDC or vice versa). This means samba
+ cannot operate as a BDC when the PDC is Microsoft-based or
+ replicate account data to Windows-BDC's.
+ </p></li><li><p>
+ Acting as a Windows 2000 Domain Controller (i.e. Kerberos and
+ Active Directory) - In point of fact, Samba-3 DOES have some
+ Active Directory Domain Control ability that is at this time
+ purely experimental <span class="emphasis"><em>AND</em></span> that is certain
+ to change as it becomes a fully supported feature some time
+ during the Samba-3 (or later) life cycle. However, Active Directory is
+ more then just SMB - it's also LDAP, Kerberos, DHCP and other protocols
+ (with proprietary extensions, of course).
+ </p></li></ul></div><p>
+Windows 9x / Me / XP Home clients are not true members of a domain for reasons outlined
+in this chapter. The protocol for support of Windows 9x / Me style network (domain) logons
+is completely different from NT4 / Win2k type domain logons and has been officially supported
+for some time. These clients use the old LanMan Network Logon facilities that are supported
+in Samba since approximately the Samba-1.9.15 series.
+</p><p>
+Samba-3 has an implementation of group mapping between Windows NT groups
+and UNIX groups (this is really quite complicated to explain in a short space). This is
+discussed more fully in <a href="groupmapping.html" title="Chapter 12. Mapping MS Windows and UNIX Groups">the chapter on group mapping</a>.
+</p><p>
+Samba-3, like an MS Windows NT4 PDC or a Windows 200x Active Directory, needs to store
+user and machine trust account information in a suitable backend data store.
+Refer <a href="domain-member.html#machine-trust-accounts" title="MS Windows Workstation/Server Machine Trust Accounts">to the section on machine trust accounts</a>. With Samba-3 there can be multiple
+back-ends for this. A complete discussion of account database backends can be found in
+<a href="passdb.html" title="Chapter 11. Account Information Databases">the chapter on Account Information Databases</a>.
+</p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2887076"></a>Basics of Domain Control</h2></div></div><div></div></div><p>
+Over the years, public perceptions of what Domain Control really is has taken on an
+almost mystical nature. Before we branch into a brief overview of Domain Control,
+there are three basic types of domain controllers:
+</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2887090"></a>Domain Controller Types</h3></div></div><div></div></div><div class="itemizedlist"><ul type="disc"><li><p>Primary Domain Controller</p></li><li><p>Backup Domain Controller</p></li><li><p>ADS Domain Controller</p></li></ul></div><p>
+The <span class="emphasis"><em>Primary Domain Controller</em></span> or PDC plays an important role in the MS
+Windows NT4. In Windows 200x Domain Control architecture this role is held by domain controllers.
+There is folk lore that dictates that because of it's role in the MS Windows
+network, the domain controllers should be the most powerful and most capable machine in the network.
+As strange as it may seem to say this here, good over all network performance dictates that
+the entire infrastructure needs to be balanced. It is advisable to invest more in Stand-Alone
+(or Domain Member) servers than in the domain controllers.
+</p><p>
+In the case of MS Windows NT4 style domains, it is the PDC that initiates a new Domain Control database.
+This forms a part of the Windows registry called the SAM (Security Account Manager). It plays a key
+part in NT4 type domain user authentication and in synchronisation of the domain authentication
+database with Backup Domain Controllers.
+</p><p>
+With MS Windows 200x Server based Active Directory domains, one domain controller initiates a potential
+hierarchy of domain controllers, each with their own area of delegated control. The master domain
+controller has the ability to override any down-stream controller, but a down-line controller has
+control only over it's down-line. With Samba-3 this functionality can be implemented using an
+LDAP based user and machine account back end.
+</p><p>
+New to Samba-3 is the ability to use a back-end database that holds the same type of data as
+the NT4 style SAM (Security Account Manager) database (one of the registry files).
+<sup>[<a name="id2887167" href="#ftn.id2887167">1</a>]</sup>
+</p><p>
+The <span class="emphasis"><em>Backup Domain Controller</em></span> or BDC plays a key role in servicing network
+authentication requests. The BDC is biased to answer logon requests in preference to the PDC.
+On a network segment that has a BDC and a PDC the BDC will be most likely to service network
+logon requests. The PDC will answer network logon requests when the BDC is too busy (high load).
+A BDC can be promoted to a PDC. If the PDC is on line at the time that a BDC is promoted to
+PDC, the previous PDC is automatically demoted to a BDC. With Samba-3 this is NOT an automatic
+operation; the PDC and BDC must be manually configured and changes need to be made likewise.
+</p><p>
+With MS Windows NT4, it is an install time decision what type of machine the server will be.
+It is possible to change the promote a BDC to a PDC and vice versa only, but the only way
+to convert a domain controller to a domain member server or a stand-alone server is to
+reinstall it. The install time choices offered are:
+</p><div class="itemizedlist"><ul type="disc"><li><p><span class="emphasis"><em>Primary Domain Controller</em></span> - The one that seeds the domain SAM</p></li><li><p><span class="emphasis"><em>Backup Domain Controller</em></span> - One that obtains a copy of the domain SAM</p></li><li><p><span class="emphasis"><em>Domain Member Server</em></span> - One that has NO copy of the domain SAM, rather it obtains authentication from a Domain Controller for all access controls.</p></li><li><p><span class="emphasis"><em>Stand-Alone Server</em></span> - One that plays NO part is SAM synchronisation, has it's own authentication database and plays no role in Domain security.</p></li></ul></div><p>
+With MS Windows 2000 the configuration of domain control is done after the server has been
+installed. Samba-3 is capable of acting fully as a native member of a Windows 200x server
+Active Directory domain.
+</p><p>
+New to Samba-3 is the ability to function fully as an MS Windows NT4 style Domain Controller,
+excluding the SAM replication components. However, please be aware that Samba-3 support the
+MS Windows 200x domain control protocols also.
+</p><p>
+At this time any appearance that Samba-3 is capable of acting as an
+<span class="emphasis"><em>Domain Controller</em></span> in native ADS mode is limited and experimental in nature.
+This functionality should not be used until the Samba-Team offers formal support for it.
+At such a time, the documentation will be revised to duly reflect all configuration and
+management requirements. Samba can act as a NT4-style DC in a Windows 2000/XP
+environment. However, there are certain compromises:
+
+</p><div class="itemizedlist"><ul type="disc"><li><p>No machine policy files</p></li><li><p>No Group Policy Objects</p></li><li><p>No synchronously executed AD logon scripts</p></li><li><p>Can't use ANY Active Directory management tools to manage users and machines</p></li><li><p>Registry changes tattoo the main registry, while with AD they do NOT. ie: Leave permanent changes in effect</p></li><li><p>Without AD you can not peprform the function of exporting specific applications to specific users or groups</p></li></ul></div><p>
+</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2887335"></a>Preparing for Domain Control</h3></div></div><div></div></div><p>
+There are two ways that MS Windows machines may interact with each other, with other servers,
+and with Domain Controllers: Either as <span class="emphasis"><em>Stand-Alone</em></span> systems, more commonly
+called <span class="emphasis"><em>Workgroup</em></span> members, or as full participants in a security system,
+more commonly called <span class="emphasis"><em>Domain</em></span> members.
+</p><p>
+It should be noted that <span class="emphasis"><em>Workgroup</em></span> membership involve no special configuration
+other than the machine being configured so that the network configuration has a commonly used name
+for it's workgroup entry. It is not uncommon for the name WORKGROUP to be used for this. With this
+mode of configuration there are NO machine trust accounts and any concept of membership as such
+is limited to the fact that all machines appear in the network neighbourhood to be logically
+grouped together. Again, just to be clear: <span class="emphasis"><em>workgroup mode does not involve any security machine
+accounts</em></span>.
+</p><p>
+Domain member machines have a machine account in the Domain accounts database. A special procedure
+must be followed on each machine to affect Domain membership. This procedure, which can be done
+only by the local machine Administrator account, will create the Domain machine account (if
+if does not exist), and then initializes that account. When the client first logs onto the
+Domain it triggers a machine password change.
+</p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>
+When running a Domain all MS Windows NT / 200x / XP Professional clients should be configured
+as full Domain Members - IF A SECURE NETWORK IS WANTED. If the machine is NOT made a member of the
+Domain, then it will operate like a workgroup (stand-alone) machine. Please refer to
+<a href="domain-member.html" title="Chapter 7. Domain Membership">the chapter on domain membership</a> for information regarding HOW to make your MS Windows clients Domain members.
+</p></div><p>
+The following are necessary for configuring Samba-3 as an MS Windows NT4 style PDC for MS Windows
+NT4 / 200x / XP clients.
+</p><div class="itemizedlist"><ul type="disc"><li><p>Configuration of basic TCP/IP and MS Windows Networking</p></li><li><p>Correct designation of the Server Role (<a class="indexterm" name="id2887441"></a><i class="parameter"><tt>security</tt></i> = user)</p></li><li><p>Consistent configuration of Name Resolution (See chapter on <a href="NetworkBrowsing.html" title="Chapter 10. Samba / MS Windows Network Browsing Guide">Network Browsing</a> and on
+ <a href="integrate-ms-networks.html" title="Chapter 26. Integrating MS Windows networks with Samba">Integrating Unix into Windows networks</a>)</p></li><li><p>Domain logons for Windows NT4 / 200x / XP Professional clients</p></li><li><p>Configuration of Roaming Profiles or explicit configuration to force local profile usage</p></li><li><p>Configuration of Network/System Policies</p></li><li><p>Adding and managing domain user accounts</p></li><li><p>Configuring MS Windows client machines to become domain members</p></li></ul></div><p>
+The following provisions are required to serve MS Windows 9x / Me Clients:
+</p><div class="itemizedlist"><ul type="disc"><li><p>Configuration of basic TCP/IP and MS Windows Networking</p></li><li><p>Correct designation of the Server Role (<a class="indexterm" name="id2887534"></a><i class="parameter"><tt>security</tt></i> = user)</p></li><li><p>Network Logon Configuration (Since Windows 9x / XP Home are not technically domain
+ members, they do not really participate in the security aspects of Domain logons as such)</p></li><li><p>Roaming Profile Configuration</p></li><li><p>Configuration of System Policy handling</p></li><li><p>Installation of the Network driver &quot;Client for MS Windows Networks&quot; and configuration
+ to log onto the domain</p></li><li><p>Placing Windows 9x / Me clients in user level security - if it is desired to allow
+ all client share access to be controlled according to domain user / group identities.</p></li><li><p>Adding and managing domain user accounts</p></li></ul></div><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>
+Roaming Profiles and System/Network policies are advanced network administration topics
+that are covered in the <a href="ProfileMgmt.html" title="Chapter 24. Desktop Profile Management">Profile Management</a> and
+<a href="PolicyMgmt.html" title="Chapter 23. System and Account Policies">Policy Management</a> chapters of this document. However, these are not
+necessarily specific to a Samba PDC as much as they are related to Windows NT networking concepts.
+</p></div><p>
+A Domain Controller is an SMB/CIFS server that:
+</p><div class="itemizedlist"><ul type="disc"><li><p>
+ Registers and advertises itself as a Domain Controller (through NetBIOS broadcasts
+ as well as by way of name registrations either by Mailslot Broadcasts over UDP broadcast,
+ to a WINS server over UDP unicast, or via DNS and Active Directory)
+ </p></li><li><p>
+ Provides the NETLOGON service (actually a collection of services that runs over
+ a number of protocols. These include the LanMan Logon service, the Netlogon service,
+ the Local Security Account service, and variations of them)
+ </p></li><li><p>
+ Provides a share called NETLOGON
+ </p></li></ul></div><p>
+For Samba to provide these is rather easy to configure. Each Samba Domain Controller must provide
+the NETLOGON service which Samba calls the <a class="indexterm" name="id2887666"></a><i class="parameter"><tt>domain logons</tt></i> functionality
+(after the name of the parameter in the <tt class="filename">smb.conf</tt> file). Additionally, one (1) server in a Samba-3
+Domain must advertise itself as the domain master browser<sup>[<a name="id2887690" href="#ftn.id2887690">2</a>]</sup>. This causes the Primary Domain Controller
+to claim domain specific NetBIOS name that identifies it as a domain master browser for its given
+domain/workgroup. Local master browsers in the same domain/workgroup on broadcast-isolated subnets
+then ask for a complete copy of the browse list for the whole wide area network. Browser clients
+will then contact their local master browser, and will receive the domain-wide browse list,
+instead of just the list for their broadcast-isolated subnet.
+</p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2887717"></a>Domain Control - Example Configuration</h2></div></div><div></div></div><p>
+The first step in creating a working Samba PDC is to understand the parameters necessary
+in <tt class="filename">smb.conf</tt>. An example <tt class="filename">smb.conf</tt> for acting as a PDC can be found in the example
+<a href="samba-pdc.html#pdc-example" title="Example 5.1. smb.conf for being a PDC">for being a PDC</a>.
+</p><p>
+</p><div class="example"><a name="pdc-example"></a><p class="title"><b>Example 5.1. smb.conf for being a PDC</b></p><table class="simplelist" border="0" summary="Simple list"><tr><td> </td></tr><tr><td><i class="parameter"><tt>[global]</tt></i></td></tr><tr><td><i class="parameter"><tt>netbios name = BELERIAND</tt></i></td></tr><tr><td><i class="parameter"><tt>workgroup = MIDEARTH</tt></i></td></tr><tr><td><i class="parameter"><tt>passdb backend = ldapsam, guest</tt></i></td></tr><tr><td><i class="parameter"><tt>os level = 33</tt></i></td></tr><tr><td><i class="parameter"><tt>preferred master = yes</tt></i></td></tr><tr><td><i class="parameter"><tt>domain master = yes</tt></i></td></tr><tr><td><i class="parameter"><tt>local master = yes</tt></i></td></tr><tr><td><i class="parameter"><tt>security = user</tt></i></td></tr><tr><td><i class="parameter"><tt>encrypt passwords = yes</tt></i></td></tr><tr><td><i class="parameter"><tt>domain logons = yes</tt></i></td></tr><tr><td><i class="parameter"><tt>logon path = \\%N\profiles\%u</tt></i></td></tr><tr><td><i class="parameter"><tt>logon drive = H:</tt></i></td></tr><tr><td><i class="parameter"><tt>logon home = \\homeserver\%u\winprofile</tt></i></td></tr><tr><td><i class="parameter"><tt>logon script = logon.cmd</tt></i></td></tr><tr><td> </td></tr><tr><td><i class="parameter"><tt>[netlogon]</tt></i></td></tr><tr><td><i class="parameter"><tt>path = /var/lib/samba/netlogon</tt></i></td></tr><tr><td><i class="parameter"><tt>read only = yes</tt></i></td></tr><tr><td><i class="parameter"><tt>write list = ntadmin</tt></i></td></tr><tr><td> </td></tr><tr><td><i class="parameter"><tt>[profiles]</tt></i></td></tr><tr><td><i class="parameter"><tt>path = /var/lib/samba/profiles</tt></i></td></tr><tr><td><i class="parameter"><tt>read only = no</tt></i></td></tr><tr><td><i class="parameter"><tt>create mask = 0600</tt></i></td></tr><tr><td><i class="parameter"><tt>directory mask = 0700</tt></i></td></tr></table></div><p>
+</p><p>
+The basic options shown above are explained as follows:
+</p><div class="variablelist"><dl><dt><span class="term">passdb backend</span></dt><dd><p>
+ This contains all the user and group account information. Acceptable values for a PDC
+ are: <span class="emphasis"><em>smbpasswd, tdbsam, ldapsam</em></span>. The 'guest' entry provides needed
+ default accounts.</p><p>
+ Where is is intended to use backup domain controllers (BDCs) the only logical choice is
+ to use LDAP so that the passdb backend can be distributed. The tdbsam and smbpasswd files
+ can not effectively be distributed and therefore should not be used.
+ </p></dd><dt><span class="term">Domain Control Parameters</span></dt><dd><p>
+ The parameters <span class="emphasis"><em>os level, preferred master, domain master, security,
+ encrypt passwords, domain logons</em></span> play a central role in assuring domain
+ control and network logon support.</p><p>
+ The <span class="emphasis"><em>os level</em></span> must be set at or above a value of 32. A domain controller
+ must be the domain master browser, must be set in <span class="emphasis"><em>user</em></span> mode security,
+ must support Microsoft compatible encrypted passwords, and must provide the network logon
+ service (domain logons). Encrypted passwords must be enabled, for more details on how
+ to do this, refer to <a href="passdb.html" title="Chapter 11. Account Information Databases">the chapter on account information databases</a>.
+ </p></dd><dt><span class="term">Environment Parameters</span></dt><dd><p>
+ The parameters <span class="emphasis"><em>logon path, logon home, logon drive, logon script</em></span> are
+ environment support settings that help to facilitate client logon operations and that help
+ to provide automated control facilities to ease network management overheads. Please refer
+ to the man page information for these parameters.
+ </p></dd><dt><span class="term">NETLOGON Share</span></dt><dd><p>
+ The NETLOGON share plays a central role in domain logon and domain membership support.
+ This share is provided on all Microsoft domain controllers. It is used to provide logon
+ scripts, to store Group Policy files (NTConfig.POL), as well as to locate other common
+ tools that may be needed for logon processing. This is an essential share on a domain controller.
+ </p></dd><dt><span class="term">PROFILE Share</span></dt><dd><p>
+ This share is used to store user desktop profiles. Eash user must have a directory at the root
+ of this share. This directory must be write enabled for the user and must be globally read enabled.
+ Samba-3 has a VFS module called 'fake_permissions' that may be installed on this share. This will
+ allow a Samba administrator to make the directory read only to everyone. Of course this is useful
+ only after the profile has been properly created.
+ </p></dd></dl></div><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>
+The above parameters make for a full set of parameters that may define the server's mode
+of operation. The following <tt class="filename">smb.conf</tt> parameters are the essentials alone:
+</p><p>
+</p><table class="simplelist" border="0" summary="Simple list"><tr><td><i class="parameter"><tt>netbios name = BELERIAND</tt></i></td></tr><tr><td><i class="parameter"><tt>workgroup = MIDEARTH</tt></i></td></tr><tr><td><i class="parameter"><tt>domain logons = Yes</tt></i></td></tr><tr><td><i class="parameter"><tt>domain master = Yes</tt></i></td></tr><tr><td><i class="parameter"><tt>security = User</tt></i></td></tr></table><p>
+</p><p>
+The additional parameters shown in the longer listing above just makes for
+more complete explanation.
+</p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2888205"></a>Samba ADS Domain Control</h2></div></div><div></div></div><p>
+Samba-3 is not, and can not act as, an Active Directory Server. It can not truly function as
+an Active Directory Primary Domain Controller. The protocols for some of the functionality
+the Active Directory Domain Controllers has been partially implemented on an experimental
+only basis. Please do NOT expect Samba-3 to support these protocols. Do not depend
+on any such functionality either now or in the future. The Samba-Team may remove these
+experimental features or may change their behaviour. This is mentioned for the benefit of those
+who have discovered secret capabilities in samba-3 and who have asked when this functionality will be
+completed. The answer is: Maybe or maybe never!
+</p><p>
+To be sure: Samba-3 is designed to provide most of the functionality that Microsoft Windows NT4 style
+domain controllers have. Samba-3 does NOT have all the capabilities of Windows NT4, but it does have
+a number of features that Windows NT4 domain contollers do not have. In short, Samba-3 is not NT4 and it
+is not Windows Server 200x and it is not an Active Directory server. We hope this is plain and simple
+enough for all to understand.
+</p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2888257"></a>Domain and Network Logon Configuration</h2></div></div><div></div></div><p>
+The subject of Network or Domain Logons is discussed here because it forms
+an integral part of the essential functionality that is provided by a Domain Controller.
+</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2888272"></a>Domain Network Logon Service</h3></div></div><div></div></div><p>
+All Domain Controllers must run the netlogon service (<span class="emphasis"><em>domain logons</em></span>
+in Samba). One Domain Controller must be configured with <a class="indexterm" name="id2888289"></a><i class="parameter"><tt>domain master</tt></i> = Yes
+(the Primary Domain Controller); on ALL Backup Domain Controllers <a class="indexterm" name="id2888305"></a><i class="parameter"><tt>domain master</tt></i> = No
+must be set.
+</p><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2888321"></a>Example Configuration</h4></div></div><div></div></div><div class="example"><a name="id2888328"></a><p class="title"><b>Example 5.2. smb.conf for being a PDC</b></p><table class="simplelist" border="0" summary="Simple list"><tr><td> </td></tr><tr><td><i class="parameter"><tt>[global]</tt></i></td></tr><tr><td><i class="parameter"><tt>domain logons = Yes</tt></i></td></tr><tr><td><i class="parameter"><tt>domain master = (Yes on PDC, No on BDCs)</tt></i></td></tr><tr><td> </td></tr><tr><td><i class="parameter"><tt>[netlogon]</tt></i></td></tr><tr><td><i class="parameter"><tt>comment = Network Logon Service</tt></i></td></tr><tr><td><i class="parameter"><tt>path = /var/lib/samba/netlogon</tt></i></td></tr><tr><td><i class="parameter"><tt>guest ok = Yes</tt></i></td></tr><tr><td><i class="parameter"><tt>browseable = No</tt></i></td></tr></table></div></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2888412"></a>The Special Case of MS Windows XP Home Edition</h4></div></div><div></div></div><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>
+MS Windows XP Home Edition does not have the ability to join any type of Domain
+security facility. Unlike, MS Windows 9x / Me, MS Windows XP Home Edition also completely
+lacks the ability to log onto a network.
+</p></div><p>
+To be completely clear: If you want MS Windows XP Home Edition to integrate with your
+MS Windows NT4 or Active Directory Domain security understand - IT CAN NOT BE DONE.
+Your only choice is to buy the upgrade pack from MS Windows XP Home Edition to
+MS Windows XP Professional.
+</p><p>
+Now that this has been said, please do NOT ask the mailing list, or email any of the
+Samba-Team members with your questions asking how to make this work. It can't be done.
+If it can be done, then to do so would violate your software license agreement with
+Microsoft, and we recommend that you do not do that.
+</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2888450"></a>The Special Case of Windows 9x / Me</h4></div></div><div></div></div><p>
+A domain and a workgroup are exactly the same in terms of network
+browsing. The difference is that a distributable authentication
+database is associated with a domain, for secure login access to a
+network. Also, different access rights can be granted to users if they
+successfully authenticate against a domain logon server. Samba-3 does this
+now in the same way that MS Windows NT/2K.
+</p><p>
+The SMB client logging on to a domain has an expectation that every other
+server in the domain should accept the same authentication information.
+Network browsing functionality of domains and workgroups is identical and
+is explained in this documentation under the browsing discussions.
+It should be noted, that browsing is totally orthogonal to logon support.
+</p><p>
+Issues related to the single-logon network model are discussed in this
+section. Samba supports domain logons, network logon scripts, and user
+profiles for MS Windows for workgroups and MS Windows 9X/ME clients
+which are the focus of this section.
+</p><p>
+When an SMB client in a domain wishes to logon, it broadcasts requests for a
+logon server. The first one to reply gets the job, and validates its
+password using whatever mechanism the Samba administrator has installed.
+It is possible (but ill advised ) to create a domain where the user
+database is not shared between servers, i.e. they are effectively workgroup
+servers advertising themselves as participating in a domain. This
+demonstrates how authentication is quite different from but closely
+involved with domains.
+</p><p>
+Using these features you can make your clients verify their logon via
+the Samba server; make clients run a batch file when they logon to
+the network and download their preferences, desktop and start menu.
+</p><p><span class="emphasis"><em>
+MS Windows XP Home edition is NOT able to join a domain and does not permit
+the use of domain logons.
+</em></span></p><p>
+Before launching into the configuration instructions, it is
+worthwhile to look at how a Windows 9x/ME client performs a logon:
+</p><div class="orderedlist"><ol type="1"><li><p>
+ The client broadcasts (to the IP broadcast address of the subnet it is in)
+ a NetLogon request. This is sent to the NetBIOS name DOMAIN&lt;#1c&gt; at the
+ NetBIOS layer. The client chooses the first response it receives, which
+ contains the NetBIOS name of the logon server to use in the format of
+ <tt class="filename">\\SERVER</tt>.
+ </p></li><li><p>
+ The client then connects to that server, logs on (does an SMBsessetupX) and
+ then connects to the IPC$ share (using an SMBtconX).
+ </p></li><li><p>
+ The client then does a NetWkstaUserLogon request, which retrieves the name
+ of the user's logon script.
+ </p></li><li><p>
+ The client then connects to the NetLogon share and searches for said script
+ and if it is found and can be read, is retrieved and executed by the client.
+ After this, the client disconnects from the NetLogon share.
+ </p></li><li><p>
+ The client then sends a NetUserGetInfo request to the server, to retrieve
+ the user's home share, which is used to search for profiles. Since the
+ response to the NetUserGetInfo request does not contain much more than
+ the user's home share, profiles for Win9X clients MUST reside in the user
+ home directory.
+ </p></li><li><p>
+ The client then connects to the user's home share and searches for the
+ user's profile. As it turns out, you can specify the user's home share as
+ a sharename and path. For example, <tt class="filename">\\server\fred\.winprofile</tt>.
+ If the profiles are found, they are implemented.
+ </p></li><li><p>
+ The client then disconnects from the user's home share, and reconnects to
+ the NetLogon share and looks for <tt class="filename">CONFIG.POL</tt>, the policies file. If this is
+ found, it is read and implemented.
+ </p></li></ol></div><p>
+The main difference between a PDC and a Windows 9x logon server configuration is that
+</p><div class="itemizedlist"><ul type="disc"><li><p>
+ Password encryption is not required for a Windows 9x logon server. But note
+ that beginning with MS Windows 98 the default setting is that plain-text
+ password support is disabled. It can be re-enabled with the registry
+ changes that are documented in the chapter on Policies.
+ </p></li><li><p>
+ Windows 9x/ME clients do not require and do not use machine trust accounts.
+ </p></li></ul></div><p>
+A Samba PDC will act as a Windows 9x logon server; after all, it does provide the
+network logon services that MS Windows 9x / Me expect to find.
+</p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>
+Use of plain-text passwords is strongly discouraged. Where used they are easily detected
+using a sniffer tool to examine network traffic.
+</p></div></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2888704"></a>Security Mode and Master Browsers</h3></div></div><div></div></div><p>
+There are a few comments to make in order to tie up some
+loose ends. There has been much debate over the issue of whether
+or not it is ok to configure Samba as a Domain Controller in security
+modes other than <tt class="constant">USER</tt>. The only security mode
+which will not work due to technical reasons is <tt class="constant">SHARE</tt>
+mode security. <tt class="constant">DOMAIN</tt> and <tt class="constant">SERVER</tt>
+mode security are really just a variation on SMB user level security.
+</p><p>
+Actually, this issue is also closely tied to the debate on whether
+or not Samba must be the domain master browser for its workgroup
+when operating as a DC. While it may technically be possible
+to configure a server as such (after all, browsing and domain logons
+are two distinctly different functions), it is not a good idea to do
+so. You should remember that the DC must register the DOMAIN&lt;#1b&gt; NetBIOS
+name. This is the name used by Windows clients to locate the DC.
+Windows clients do not distinguish between the DC and the DMB.
+A DMB is a Domain Master Browser - see <a href="NetworkBrowsing.html#DMB" title="Setting up WORKGROUP Browsing">Domain Master Browser</a>.
+For this reason, it is very wise to configure the Samba DC as the DMB.
+</p><p>
+Now back to the issue of configuring a Samba DC to use a mode other
+than <a class="indexterm" name="id2888773"></a><i class="parameter"><tt>security</tt></i> = user. If a Samba host is configured to use
+another SMB server or DC in order to validate user connection
+requests, then it is a fact that some other machine on the network
+(the <a class="indexterm" name="id2888790"></a><i class="parameter"><tt>password server</tt></i>) knows more about the user than the Samba host.
+99% of the time, this other host is a domain controller. Now
+in order to operate in domain mode security, the <a class="indexterm" name="id2888808"></a><i class="parameter"><tt>workgroup</tt></i> parameter
+must be set to the name of the Windows NT domain (which already
+has a domain controller). If the domain does NOT already have a Domain Controller
+then you do not yet have a Domain!
+</p><p>
+Configuring a Samba box as a DC for a domain that already by definition has a
+PDC is asking for trouble. Therefore, you should always configure the Samba DC
+to be the DMB for its domain and set <a class="indexterm" name="id2888832"></a><i class="parameter"><tt>security</tt></i> = user.
+This is the only officially supported mode of operation.
+</p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2888850"></a>Common Errors</h2></div></div><div></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2888857"></a>'$' cannot be included in machine name</h3></div></div><div></div></div><p>
+A 'machine account', (typically) stored in <tt class="filename">/etc/passwd</tt>,
+takes the form of the machine name with a '$' appended. FreeBSD (and other BSD
+systems?) won't create a user with a '$' in their name.
+</p><p>
+The problem is only in the program used to make the entry. Once made, it works perfectly.
+Create a user without the '$'. Then use <b class="command">vipw</b> to edit the entry, adding
+the '$'. Or create the whole entry with vipw if you like; make sure you use a unique User ID!
+</p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>
+The UNIX tool <b class="command">vipw</b> is a common tool for directly editting the <tt class="filename">/etc/passwd</tt> file.
+</p></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2888916"></a>Joining domain fails because of existing machine account</h3></div></div><div></div></div><p>&#8220;<span class="quote">I get told &quot;You already have a connection to the Domain....&quot;
+or &quot;Cannot join domain, the credentials supplied conflict with an
+existing set..&quot; when creating a machine trust account.</span>&#8221;</p><p>
+This happens if you try to create a machine trust account from the
+machine itself and already have a connection (e.g. mapped drive)
+to a share (or IPC$) on the Samba PDC. The following command
+will remove all network drive connections:
+</p><pre class="screen">
+<tt class="prompt">C:\&gt; </tt><b class="userinput"><tt>net use * /d</tt></b>
+</pre><p>
+Further, if the machine is already a 'member of a workgroup' that
+is the same name as the domain you are joining (bad idea) you will
+get this message. Change the workgroup name to something else, it
+does not matter what, reboot, and try again.
+</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2888975"></a>The system can not log you on (C000019B)....</h3></div></div><div></div></div><p>&#8220;<span class="quote">I joined the domain successfully but after upgrading
+to a newer version of the Samba code I get the message, <span class="errorname">The system
+can not log you on (C000019B), Please try again or consult your
+system administrator</span> when attempting to logon.</span>&#8221;
+</p><p>
+This occurs when the domain SID stored in the secrets.tdb database
+is changed. The most common cause of a change in domain SID is when
+the domain name and/or the server name (NetBIOS name) is changed.
+The only way to correct the problem is to restore the original domain
+SID or remove the domain client from the domain and rejoin. The domain
+SID may be reset using either the net or rpcclient utilities.
+</p><p>
+The reset or change the domain SID you can use the net command as follows:
+
+</p><pre class="screen">
+<tt class="prompt">root# </tt><b class="userinput"><tt>net getlocalsid 'OLDNAME'</tt></b>
+<tt class="prompt">root# </tt><b class="userinput"><tt>net setlocalsid 'SID'</tt></b>
+</pre><p>
+</p><p>
+Workstation machine trust accounts work only with the Domain (or network) SID. If this SID changes
+then domain members (workstations) will not be able to log onto the domain. The original Domain SID
+can be recovered from the secrets.tdb file. The alternative is to visit each workstation to re-join
+it to the domain.
+</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2889059"></a>The machine trust account not accessible</h3></div></div><div></div></div><p>
+ &#8220;<span class="quote">When I try to join the domain I get the message <span class="errorname">The machine account
+for this computer either does not exist or is not accessible</span>. What's
+wrong?</span>&#8221;
+</p><p>
+This problem is caused by the PDC not having a suitable machine trust account.
+If you are using the <a class="indexterm" name="id2889085"></a><i class="parameter"><tt>add machine script</tt></i> method to create
+accounts then this would indicate that it has not worked. Ensure the domain
+admin user system is working.
+</p><p>
+Alternatively if you are creating account entries manually then they
+have not been created correctly. Make sure that you have the entry
+correct for the machine trust account in <tt class="filename">smbpasswd</tt> file on the Samba PDC.
+If you added the account using an editor rather than using the smbpasswd
+utility, make sure that the account name is the machine NetBIOS name
+with a '$' appended to it ( i.e. computer_name$ ). There must be an entry
+in both /etc/passwd and the smbpasswd file.
+</p><p>
+Some people have also reported
+that inconsistent subnet masks between the Samba server and the NT
+client can cause this problem. Make sure that these are consistent
+for both client and server.
+</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2889131"></a>Account disabled</h3></div></div><div></div></div><p>&#8220;<span class="quote">When I attempt to login to a Samba Domain from a NT4/W2K workstation,
+ I get a message about my account being disabled.</span>&#8221;</p><p>
+Enable the user accounts with <b class="userinput"><tt>smbpasswd -e <i class="replaceable"><tt>username</tt></i>
+</tt></b>, this is normally done as an account is created.
+</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2889164"></a>Domain Controller Unavailable</h3></div></div><div></div></div><p>&#8220;<span class="quote">Until a few minutes after Samba has started, clients get the error &quot;Domain Controller Unavailable&quot;</span>&#8221;</p><p>
+ A domain controller has to announce on the network who it is. This usually takes a while.
+ </p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2889186"></a>Can not log onto domain member workstation after joining domain</h3></div></div><div></div></div><p>After successfully joining the domain user logons fail with one of two messages:</p><p>One to the effect that the domain controller can not be found, the other claiming that the
+ account does not exist in the domain or that the password is incorrect.</p><p>This may be due to incompatible settings between
+ the Windows client and the Samba-3 server for <span class="emphasis"><em>schannel</em></span> (secure channel) settings
+ or <span class="emphasis"><em>smb signing</em></span> settings. Check your samba settings for <span class="emphasis"><em>
+ client schannel, server schannel, client signing, server signing</em></span> by executing:
+ <b class="command">testparm -v | more</b> and looking for the value of these parameters.
+ </p><p>
+ Also use the Microsoft Management Console - Local Security Settings. This tool is available from the
+ Control Panel. The Policy settings are found in the Local Policies / Securty Options area and are prefixed by
+ <span class="emphasis"><em>Secure Channel: ..., and Digitally sign ...</em></span>.
+ </p><p>
+ It is important that these be set consistently with the Samba-3 server settings.
+ </p></div></div><div class="footnotes"><br><hr width="100" align="left"><div class="footnote"><p><sup>[<a name="ftn.id2887167" href="#id2887167">1</a>] </sup>See also <a href="passdb.html" title="Chapter 11. Account Information Databases">the chapter on Account Information Databases</a>.</p></div><div class="footnote"><p><sup>[<a name="ftn.id2887690" href="#id2887690">2</a>] </sup>See also <a href="NetworkBrowsing.html" title="Chapter 10. Samba / MS Windows Network Browsing Guide">the chapter about network browsing</a></p></div></div></div><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="ServerType.html">Prev</a> </td><td width="20%" align="center"><a accesskey="u" href="type.html">Up</a></td><td width="40%" align="right"> <a accesskey="n" href="samba-bdc.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top">Chapter 4. Server Types and Security Modes </td><td width="20%" align="center"><a accesskey="h" href="samba-doc.html">Home</a></td><td width="40%" align="right" valign="top"> Chapter 6. Backup Domain Control</td></tr></table></div></body></html>
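Review bot: In Example 5.2 (the "smb.conf for being a PDC" listing) the [netlogon] share is configured with `guest ok = Yes` but no explicit `read only = Yes`, even though the logon sequence described further down has the client fetch and execute the logon script (step 4) and read CONFIG.POL (step 7) from that share; since the example is meant to be copied, consider stating `read only = Yes` explicitly rather than relying on the default, so that nobody ends up with an anonymously writable share feeding scripts and policies to every client. In the "The system can not log you on (C000019B)" section the sentence "The reset or change the domain SID you can use the net command as follows:" should read "To reset or change the domain SID ..."; the preceding paragraph also says the SID may be reset with "either the net or rpcclient utilities" but only the net commands are shown, so either drop the rpcclient mention or add its invocation. Smaller wording fixes in the same hunk: "The additional parameters shown in the longer listing above just makes for" should be "just make for"; "Windows NT4 domain contollers" should be "controllers"; "Unlike, MS Windows 9x / Me" has a stray comma; "in the same way that MS Windows NT/2K." is missing its verb ("... that MS Windows NT/2K does"); "directly editting the /etc/passwd file" should be "editing"; "in smbpasswd file on the Samba PDC" should be "in the smbpasswd file"; and "Local Policies / Securty Options" should be "Security Options".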