Diffstat (limited to 'docs/htmldocs/samba-pdc.html')
-rw-r--r-- | docs/htmldocs/samba-pdc.html | 253 |
1 files changed, 120 insertions, 133 deletions
diff --git a/docs/htmldocs/samba-pdc.html b/docs/htmldocs/samba-pdc.html index 7c4caf4f30..93bbc727d4 100644 --- a/docs/htmldocs/samba-pdc.html +++ b/docs/htmldocs/samba-pdc.html @@ -2,10 +2,11 @@ <HTML ><HEAD ><TITLE ->Samba as a NT4 or Win2k Primary Domain Controller</TITLE +>How to Configure Samba as a NT4 Primary Domain Controller</TITLE ><META NAME="GENERATOR" -CONTENT="Modular DocBook HTML Stylesheet Version 1.7"><LINK +CONTENT="Modular DocBook HTML Stylesheet Version 1.76b+ +"><LINK REL="HOME" TITLE="SAMBA Project Documentation" HREF="samba-howto-collection.html"><LINK @@ -72,17 +73,13 @@ WIDTH="100%"></DIV CLASS="CHAPTER" ><H1 ><A -NAME="SAMBA-PDC" -></A ->Chapter 5. Samba as a NT4 or Win2k Primary Domain Controller</H1 +NAME="SAMBA-PDC">Chapter 6. How to Configure Samba as a NT4 Primary Domain Controller</H1 ><DIV CLASS="SECT1" ><H1 CLASS="SECT1" ><A -NAME="AEN625" ->5.1. Prerequisite Reading</A -></H1 +NAME="AEN575">6.1. Prerequisite Reading</H1 ><P >Before you continue reading in this chapter, please make sure that you are comfortable with configuring basic files services @@ -108,9 +105,7 @@ CLASS="SECT1" ><H1 CLASS="SECT1" ><A -NAME="AEN631" ->5.2. Background</A -></H1 +NAME="AEN581">6.2. Background</H1 ><DIV CLASS="NOTE" ><P @@ -125,7 +120,7 @@ WIDTH="25" ALIGN="CENTER" VALIGN="TOP" ><IMG -SRC="/usr/share/sgml/docbook/stylesheet/dsssl/modular/images/note.gif" +SRC="../images/note.gif" HSPACE="5" ALT="Note"></TD ><TD @@ -260,9 +255,7 @@ CLASS="SECT1" ><H1 CLASS="SECT1" ><A -NAME="AEN670" ->5.3. Configuring the Samba Domain Controller</A -></H1 +NAME="AEN620">6.3. Configuring the Samba Domain Controller</H1 ><P >The first step in creating a working Samba PDC is to understand the parameters necessary in smb.conf. I will not 
@@ -288,17 +281,21 @@ CLASS="PROGRAMLISTING" HREF="smb.conf.5.html#NETBIOSNAME" TARGET="_top" >netbios name</A -> = <VAR +> = <TT CLASS="REPLACEABLE" ->POGO</VAR +><I +>POGO</I +></TT > <A HREF="smb.conf.5.html#WORKGROUP" TARGET="_top" >workgroup</A -> = <VAR +> = <TT CLASS="REPLACEABLE" ->NARNIA</VAR +><I +>NARNIA</I +></TT > ; we should act as the domain and local master browser @@ -388,9 +385,11 @@ TARGET="_top" HREF="smb.conf.5.html#WRITELIST" TARGET="_top" >write list</A -> = <VAR +> = <TT CLASS="REPLACEABLE" ->ntadmin</VAR +><I +>ntadmin</I +></TT > ; share for storing user profiles @@ -466,10 +465,8 @@ CLASS="SECT1" ><H1 CLASS="SECT1" ><A -NAME="AEN713" ->5.4. Creating Machine Trust Accounts and Joining Clients to the -Domain</A -></H1 +NAME="AEN663">6.4. Creating Machine Trust Accounts and Joining Clients to the +Domain</H1 ><P >A machine trust account is a Samba account that is used to authenticate a client machine (rather than a user) to the Samba @@ -540,9 +537,7 @@ CLASS="SECT2" ><H2 CLASS="SECT2" ><A -NAME="AEN732" ->5.4.1. Manual Creation of Machine Trust Accounts</A -></H2 +NAME="AEN682">6.4.1. Manual Creation of Machine Trust Accounts</H2 ><P >The first step in manually creating a machine trust account is to manually create the corresponding Unix account in 
@@ -557,45 +552,55 @@ CLASS="COMMAND" used to create new Unix accounts. The following is an example for a Linux based Samba server:</P ><P -> <SAMP +> <TT CLASS="PROMPT" ->root# </SAMP +>root# </TT ><B CLASS="COMMAND" ->/usr/sbin/useradd -g 100 -d /dev/null -c <VAR +>/usr/sbin/useradd -g 100 -d /dev/null -c <TT CLASS="REPLACEABLE" +><I >"machine -nickname"</VAR -> -s /bin/false <VAR +nickname"</I +></TT +> -s /bin/false <TT CLASS="REPLACEABLE" ->machine_name</VAR +><I +>machine_name</I +></TT >$ </B ></P ><P -><SAMP +><TT CLASS="PROMPT" ->root# </SAMP +>root# </TT ><B CLASS="COMMAND" ->passwd -l <VAR +>passwd -l <TT CLASS="REPLACEABLE" ->machine_name</VAR +><I +>machine_name</I +></TT >$</B ></P ><P >On *BSD systems, this can be done using the 'chpass' utility:</P ><P -><SAMP +><TT CLASS="PROMPT" ->root# </SAMP +>root# </TT ><B CLASS="COMMAND" ->chpass -a "<VAR +>chpass -a "<TT CLASS="REPLACEABLE" ->machine_name</VAR ->$:*:101:100::0:0:Workstation <VAR +><I +>machine_name</I +></TT +>$:*:101:100::0:0:Workstation <TT CLASS="REPLACEABLE" ->machine_name</VAR +><I +>machine_name</I +></TT >:/dev/null:/sbin/nologin"</B ></P ><P @@ -612,20 +617,26 @@ CLASS="FILENAME" ><P ><PRE CLASS="PROGRAMLISTING" ->doppy$:x:505:501:<VAR +>doppy$:x:505:501:<TT CLASS="REPLACEABLE" ->machine_nickname</VAR +><I +>machine_nickname</I +></TT >:/dev/null:/bin/false</PRE ></P ><P ->Above, <VAR +>Above, <TT CLASS="REPLACEABLE" ->machine_nickname</VAR +><I +>machine_nickname</I +></TT > can be any descriptive name for the client, i.e., BasementComputer. -<VAR +<TT CLASS="REPLACEABLE" ->machine_name</VAR +><I +>machine_name</I +></TT > absolutely must be the NetBIOS name of the client to be joined to the domain. The "$" must be appended to the NetBIOS name of the client or Samba will not recognize 
@@ -643,20 +654,24 @@ CLASS="COMMAND" > command as shown here:</P ><P -><SAMP +><TT CLASS="PROMPT" ->root# </SAMP +>root# </TT ><B CLASS="COMMAND" ->smbpasswd -a -m <VAR +>smbpasswd -a -m <TT CLASS="REPLACEABLE" ->machine_name</VAR +><I +>machine_name</I +></TT ></B ></P ><P ->where <VAR +>where <TT CLASS="REPLACEABLE" ->machine_name</VAR +><I +>machine_name</I +></TT > is the machine's NetBIOS name. The RID of the new machine account is generated from the UID of the corresponding Unix account.</P @@ -674,7 +689,7 @@ WIDTH="25" ALIGN="CENTER" VALIGN="TOP" ><IMG -SRC="/usr/share/sgml/docbook/stylesheet/dsssl/modular/images/warning.gif" +SRC="../images/warning.gif" HSPACE="5" ALT="Warning"></TD ><TH @@ -710,9 +725,7 @@ CLASS="SECT2" ><H2 CLASS="SECT2" ><A -NAME="AEN773" ->5.4.2. "On-the-Fly" Creation of Machine Trust Accounts</A -></H2 +NAME="AEN723">6.4.2. "On-the-Fly" Creation of Machine Trust Accounts</H2 ><P >The second (and recommended) way of creating machine trust accounts is simply to allow the Samba server to create them as needed when the client @@ -747,9 +760,7 @@ CLASS="SECT2" ><H2 CLASS="SECT2" ><A -NAME="AEN782" ->5.4.3. Joining the Client to the Domain</A -></H2 +NAME="AEN732">6.4.3. Joining the Client to the Domain</H2 ><P >The procedure for joining a client to the domain varies with the version of Windows.</P @@ -815,9 +826,7 @@ CLASS="SECT1" ><H1 CLASS="SECT1" ><A -NAME="AEN797" ->5.5. Common Problems and Errors</A -></H1 +NAME="AEN747">6.5. Common Problems and Errors</H1 ><P ></P ><P @@ -871,9 +880,9 @@ CLASS="EMPHASIS" will remove all network drive connections: </P ><P -> <SAMP +> <TT CLASS="PROMPT" ->C:\WINNT\></SAMP +>C:\WINNT\></TT > <B CLASS="COMMAND" >net use * /d</B 
@@ -936,9 +945,11 @@ CLASS="EMPHASIS" </P ><P > This problem is caused by the PDC not having a suitable machine trust account. - If you are using the <VAR + If you are using the <TT CLASS="PARAMETER" ->add user script</VAR +><I +>add user script</I +></TT > method to create accounts then this would indicate that it has not worked. Ensure the domain admin user system is working. @@ -982,9 +993,11 @@ CLASS="COMMAND" </P ><P > In order to work around this problem in 2.2.0, configure the - <VAR + <TT CLASS="PARAMETER" ->account</VAR +><I +>account</I +></TT > control flag in <TT CLASS="FILENAME" @@ -1021,9 +1034,7 @@ CLASS="SECT1" ><H1 CLASS="SECT1" ><A -NAME="AEN845" ->5.6. System Policies and Profiles</A -></H1 +NAME="AEN795">6.6. System Policies and Profiles</H1 ><P >Much of the information necessary to implement System Policies and Roving User Profiles in a Samba domain is the same as that for @@ -1198,9 +1209,7 @@ CLASS="SECT1" ><H1 CLASS="SECT1" ><A -NAME="AEN889" ->5.7. What other help can I get?</A -></H1 +NAME="AEN839">6.7. What other help can I get?</H1 ><P >There are many sources of information available in the form of mailing lists, RFC's and documentation. The docs that come @@ -1618,9 +1627,7 @@ CLASS="SECT1" ><H1 CLASS="SECT1" ><A -NAME="AEN1003" ->5.8. Domain Control for Windows 9x/ME</A -></H1 +NAME="AEN953">6.8. Domain Control for Windows 9x/ME</H1 ><DIV CLASS="NOTE" ><P @@ -1635,7 +1642,7 @@ WIDTH="25" ALIGN="CENTER" VALIGN="TOP" ><IMG -SRC="/usr/share/sgml/docbook/stylesheet/dsssl/modular/images/note.gif" +SRC="../images/note.gif" HSPACE="5" ALT="Note"></TD ><TD @@ -1752,9 +1759,7 @@ CLASS="SECT2" ><H2 CLASS="SECT2" ><A -NAME="AEN1029" ->5.8.1. Configuration Instructions: Network Logons</A -></H2 +NAME="AEN979">6.8.1. Configuration Instructions: Network Logons</H2 ><P >The main difference between a PDC and a Windows 9x logon server configuration is that</P 
@@ -1787,7 +1792,7 @@ WIDTH="25" ALIGN="CENTER" VALIGN="TOP" ><IMG -SRC="/usr/share/sgml/docbook/stylesheet/dsssl/modular/images/warning.gif" +SRC="../images/warning.gif" HSPACE="5" ALT="Warning"></TD ><TH @@ -1807,20 +1812,20 @@ VALIGN="TOP" >There are a few comments to make in order to tie up some loose ends. There has been much debate over the issue of whether or not it is ok to configure Samba as a Domain Controller in security -modes other than <CODE +modes other than <TT CLASS="CONSTANT" ->USER</CODE +>USER</TT >. The only security mode -which will not work due to technical reasons is <CODE +which will not work due to technical reasons is <TT CLASS="CONSTANT" ->SHARE</CODE +>SHARE</TT > -mode security. <CODE +mode security. <TT CLASS="CONSTANT" ->DOMAIN</CODE -> and <CODE +>DOMAIN</TT +> and <TT CLASS="CONSTANT" ->SERVER</CODE +>SERVER</TT > mode security is really just a variation on SMB user level security.</P ><P @@ -1858,9 +1863,7 @@ CLASS="SECT2" ><H2 CLASS="SECT2" ><A -NAME="AEN1048" ->5.8.2. Configuration Instructions: Setting up Roaming User Profiles</A -></H2 +NAME="AEN998">6.8.2. Configuration Instructions: Setting up Roaming User Profiles</H2 ><DIV CLASS="WARNING" ><P @@ -1875,7 +1878,7 @@ WIDTH="25" ALIGN="CENTER" VALIGN="TOP" ><IMG -SRC="/usr/share/sgml/docbook/stylesheet/dsssl/modular/images/warning.gif" +SRC="../images/warning.gif" HSPACE="5" ALT="Warning"></TD ><TD @@ -1911,9 +1914,7 @@ CLASS="SECT3" ><H3 CLASS="SECT3" ><A -NAME="AEN1056" ->5.8.2.1. Windows NT Configuration</A -></H3 +NAME="AEN1006">6.8.2.1. Windows NT Configuration</H3 ><P >To support WinNT clients, in the [global] section of smb.conf set the following (for example):</P @@ -1942,7 +1943,7 @@ WIDTH="25" ALIGN="CENTER" VALIGN="TOP" ><IMG -SRC="/usr/share/sgml/docbook/stylesheet/dsssl/modular/images/note.gif" +SRC="../images/note.gif" HSPACE="5" ALT="Note"></TD ><TD 
@@ -1962,9 +1963,7 @@ CLASS="SECT3" ><H3 CLASS="SECT3" ><A -NAME="AEN1064" ->5.8.2.2. Windows 9X Configuration</A -></H3 +NAME="AEN1014">6.8.2.2. Windows 9X Configuration</H3 ><P >To support Win9X clients, you must use the "logon home" parameter. Samba has now been fixed so that "net use/home" now works as well, and it, too, relies @@ -1993,9 +1992,7 @@ CLASS="SECT3" ><H3 CLASS="SECT3" ><A -NAME="AEN1072" ->5.8.2.3. Win9X and WinNT Configuration</A -></H3 +NAME="AEN1022">6.8.2.3. Win9X and WinNT Configuration</H3 ><P >You can support profiles for both Win9X and WinNT clients by setting both the "logon home" and "logon path" parameters. For example:</P @@ -2019,7 +2016,7 @@ WIDTH="25" ALIGN="CENTER" VALIGN="TOP" ><IMG -SRC="/usr/share/sgml/docbook/stylesheet/dsssl/modular/images/note.gif" +SRC="../images/note.gif" HSPACE="5" ALT="Note"></TD ><TD @@ -2038,9 +2035,7 @@ CLASS="SECT3" ><H3 CLASS="SECT3" ><A -NAME="AEN1079" ->5.8.2.4. Windows 9X Profile Setup</A -></H3 +NAME="AEN1029">6.8.2.4. Windows 9X Profile Setup</H3 ><P >When a user first logs in on Windows 9X, the file user.DAT is created, as are folders "Start Menu", "Desktop", "Programs" and "Nethood". @@ -2198,9 +2193,7 @@ CLASS="SECT3" ><H3 CLASS="SECT3" ><A -NAME="AEN1115" ->5.8.2.5. Windows NT Workstation 4.0</A -></H3 +NAME="AEN1065">6.8.2.5. Windows NT Workstation 4.0</H3 ><P >When a user first logs in to a Windows NT Workstation, the profile NTuser.DAT is created. The profile location can be now specified @@ -2219,7 +2212,7 @@ WIDTH="25" ALIGN="CENTER" VALIGN="TOP" ><IMG -SRC="/usr/share/sgml/docbook/stylesheet/dsssl/modular/images/note.gif" +SRC="../images/note.gif" HSPACE="5" ALT="Note"></TD ><TD @@ -2277,7 +2270,7 @@ WIDTH="25" ALIGN="CENTER" VALIGN="TOP" ><IMG -SRC="/usr/share/sgml/docbook/stylesheet/dsssl/modular/images/note.gif" +SRC="../images/note.gif" HSPACE="5" ALT="Note"></TD ><TD 
@@ -2312,9 +2305,7 @@ CLASS="SECT3" ><H3 CLASS="SECT3" ><A -NAME="AEN1128" ->5.8.2.6. Windows NT Server</A -></H3 +NAME="AEN1078">6.8.2.6. Windows NT Server</H3 ><P >There is nothing to stop you specifying any path that you like for the location of users' profiles. Therefore, you could specify that the @@ -2326,9 +2317,7 @@ CLASS="SECT3" ><H3 CLASS="SECT3" ><A -NAME="AEN1131" ->5.8.2.7. Sharing Profiles between W95 and NT Workstation 4.0</A -></H3 +NAME="AEN1081">6.8.2.7. Sharing Profiles between W95 and NT Workstation 4.0</H3 ><DIV CLASS="WARNING" ><P @@ -2343,7 +2332,7 @@ WIDTH="25" ALIGN="CENTER" VALIGN="TOP" ><IMG -SRC="/usr/share/sgml/docbook/stylesheet/dsssl/modular/images/warning.gif" +SRC="../images/warning.gif" HSPACE="5" ALT="Warning"></TD ><TH @@ -2395,7 +2384,7 @@ WIDTH="25" ALIGN="CENTER" VALIGN="TOP" ><IMG -SRC="/usr/share/sgml/docbook/stylesheet/dsssl/modular/images/note.gif" +SRC="../images/note.gif" HSPACE="5" ALT="Note"></TD ><TD @@ -2419,9 +2408,7 @@ CLASS="SECT1" ><H1 CLASS="SECT1" ><A -NAME="AEN1141" ->5.9. DOMAIN_CONTROL.txt : Windows NT Domain Control & Samba</A -></H1 +NAME="AEN1091">6.9. DOMAIN_CONTROL.txt : Windows NT Domain Control & Samba</H1 ><DIV CLASS="WARNING" ><P @@ -2436,7 +2423,7 @@ WIDTH="25" ALIGN="CENTER" VALIGN="TOP" ><IMG -SRC="/usr/share/sgml/docbook/stylesheet/dsssl/modular/images/warning.gif" +SRC="../images/warning.gif" HSPACE="5" ALT="Warning"></TD ><TH @@ -2496,16 +2483,16 @@ may need to know to interact with the rest of the system.</P >The registry files can be located on any Windows NT machine by opening a command prompt and typing:</P ><P -><SAMP +><TT CLASS="PROMPT" ->C:\WINNT\></SAMP +>C:\WINNT\></TT > dir %SystemRoot%\System32\config</P ><P >The environment variable %SystemRoot% value can be obtained by typing:</P ><P -><SAMP +><TT CLASS="PROMPT" ->C:\WINNT></SAMP +>C:\WINNT></TT >echo %SystemRoot%</P ><P >The active parts of the registry that you may want to be familiar with are |
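Review bot: In the first hunk (@@ -2,10 +2,11 @@), the new META GENERATOR value `CONTENT="Modular DocBook HTML Stylesheet Version 1.76b+` now ends with a line break before the closing quote, so the attribute value carries a stray newline. This looks like output from a different stylesheet build rather than a deliberate edit, and the same regeneration accounts for the VAR, SAMP and CODE to TT/I rewrites in the later hunks. Consider fixing the generator string at its source and committing the regenerated markup separately from the title change, so the content edit ("Samba as a NT4 or Win2k Primary Domain Controller" to "How to Configure Samba as a NT4 Primary Domain Controller") can be reviewed on its own.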
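Review bot: In the heading hunks, starting at @@ -72,17 +73,13 @@ and repeated for every SECT1/SECT2/SECT3 title, the closing `</A` is dropped, so anchors such as `NAME="SAMBA-PDC">Chapter 6. ...</H1` and `NAME="AEN575">6.1. Prerequisite Reading</H1` are opened and never closed before `</H1`. That leaves the headings with unbalanced markup. The same lines also renumber every generated id (AEN625 to AEN575, AEN631 to AEN581, and so on), which breaks any existing link to those fragments. Suggest restoring the `</A` close and, where the toolchain allows it, giving the sections stable ids instead of auto-numbered AEN values.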
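Review bot: In the image hunks (first at @@ -125,7 +120,7 @@, then each NOTE and WARNING block), `SRC="../images/note.gif"` and `SRC="../images/warning.gif"` replace the absolute build-host path, but the diffstat lists only docs/htmldocs/samba-pdc.html as changed. Nothing in this commit adds the files the new relative paths point to, so please confirm that note.gif and warning.gif already exist in an images directory one level above docs/htmldocs, or include them here. Otherwise every admonition falls back to its ALT text.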