From 1454c1c99ab87e216dea1871b53c51ce7e548ba5 Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Sat, 1 Feb 2003 05:16:00 +0000 Subject: More doco updates, in particular the fact that you must configure the smb.conf *before* you join, otherwise we don't have all the info that 'net join' needs. Also move from smbpasswd -j to 'net join' in the examples. Andrew Bartlett (This used to be commit 9494c1e153a2a515841fb57506b7b9bff3eee7a6) --- docs/docbook/manpages/winbindd.8.sgml | 6 +- docs/docbook/projdoc/DOMAIN_MEMBER.sgml | 133 ++++++++++++-------------------- 2 files changed, 51 insertions(+), 88 deletions(-) diff --git a/docs/docbook/manpages/winbindd.8.sgml b/docs/docbook/manpages/winbindd.8.sgml index 68f41afead..a44e195d8c 100644 --- a/docs/docbook/manpages/winbindd.8.sgml +++ b/docs/docbook/manpages/winbindd.8.sgml @@ -271,13 +271,11 @@ auth required /lib/security/pam_pwdb.so use_first_pass shadow nullok The next step is to join the domain. To do that use the smbpasswd program like this: - smbpasswd -j DOMAIN -r PDC -U - Administrator + net join -S PDC -U Administrator The username after the -U can be any Domain user that has administrator privileges on the machine. - Substitute your domain name for "DOMAIN" and the name of your PDC - for "PDC". + Substitute the name or IP of your PDC for "PDC". Next copy libnss_winbind.so to /lib and pam_winbind.so diff --git a/docs/docbook/projdoc/DOMAIN_MEMBER.sgml b/docs/docbook/projdoc/DOMAIN_MEMBER.sgml index 8a30a5527d..b178bfd2c2 100644 --- a/docs/docbook/projdoc/DOMAIN_MEMBER.sgml +++ b/docs/docbook/projdoc/DOMAIN_MEMBER.sgml 
@@ -25,79 +25,29 @@ -Samba as a NT4 domain member +Samba as a NT4 or Win2k domain member - Joining an NT Domain with Samba 2.2 + Joining an NT Domain with Samba 3.0 - Assume you have a Samba 2.x server with a NetBIOS name of - SERV1 and are joining an NT domain called + Assume you have a Samba 3.0 server with a NetBIOS name of + SERV1 and are joining an or Win2k NT domain called DOM, which has a PDC with a NetBIOS name of DOMPDC and two backup domain controllers with NetBIOS names DOMBDC1 and DOMBDC2 . - In order to join the domain, first stop all Samba daemons - and run the command: - - root# smbpasswd -j DOM -r DOMPDC - -UAdministrator%password - - as we are joining the domain DOM and the PDC for that domain - (the only machine that has write access to the domain SAM database) - is DOMPDC. The Administrator%password is - the login name and password for an account which has the necessary - privilege to add machines to the domain. If this is successful - you will see the message: - - smbpasswd: Joined domain DOM. - - - in your terminal window. See the - smbpasswd(8) man page for more details. - - There is existing development code to join a domain - without having to create the machine trust account on the PDC - beforehand. This code will hopefully be available soon - in release branches as well. - - This command goes through the machine account password - change protocol, then writes the new (random) machine account - password for this Samba server into a file in the same directory - in which an smbpasswd file would be stored - normally : - - /usr/local/samba/private - - In Samba 2.0.x, the filename looks like this: - - <NT DOMAIN NAME>.<Samba - Server Name>.mac - - The .mac suffix stands for machine account - password file. So in our example above, the file would be called: - - DOM.SERV1.mac - - In Samba 2.2, this file has been replaced with a TDB - (Trivial Database) file named secrets.tdb. 
- - - - This file is created and owned by root and is not - readable by any other user. It is the key to the domain-level - security for your system, and should be treated as carefully - as a shadow password file. - - Now, before restarting the Samba daemons you must - edit your smb.conf(5) + Firstly, you must edit your smb.conf(5) file to tell Samba it should now use domain security. Change (or add) your security = line in the [global] section of your smb.conf to read: - security = domain + security = domain or + security = ads depending on if the PDC is + NT4 or running Active Directory respectivly. Next change the workgroup = line in the [global] section to read: 
@@ -128,11 +78,47 @@ password server = * - This method, which was introduced in Samba 2.0.6, - allows Samba to use exactly the same mechanism that NT does. This + This method, allows Samba to use exactly the same + mechanism that NT does. This method either broadcasts or uses a WINS database in order to find domain controllers to authenticate against. + In order to actually join the domain, you must run this + command: + + root# net join -S DOMPDC + -UAdministrator%password + + as we are joining the domain DOM and the PDC for that domain + (the only machine that has write access to the domain SAM database) + is DOMPDC. The Administrator%password is + the login name and password for an account which has the necessary + privilege to add machines to the domain. If this is successful + you will see the message: + + Joined domain DOM. + or Joined 'SERV1' to realm 'MYREALM' + + + in your terminal window. See the + net(8) man page for more details. + + This process joins the server to thedomain + without having to create the machine trust account on the PDC + beforehand. + + This command goes through the machine account password + change protocol, then writes the new (random) machine account + password for this Samba server into a file in the same directory + in which an smbpasswd file would be stored - normally : + + /usr/local/samba/private/secrets.tdb + + This file is created and owned by root and is not + readable by any other user. It is the key to the domain-level + security for your system, and should be treated as carefully + as a shadow password file. + Finally, restart your Samba daemons and get ready for clients to begin using domain security! 
@@ -144,23 +130,8 @@ Many people have asked regarding the state of Samba's ability to participate in a Windows 2000 Domain. Samba 3.0 is able to act as a member server of a Windows -2000 domain operating in mixed or native mode. - - - -There is much confusion between the circumstances that require a "mixed" mode -Win2k DC and a when this host can be switched to "native" mode. A "mixed" mode -Win2k domain controller is only needed if Windows NT BDCs must exist in the same -domain. By default, a Win2k DC in "native" mode will still support -NetBIOS and NTLMv1 for authentication of legacy clients such as Windows 9x and -NT 4.0. Samba has the same requirements as a Windows NT 4.0 member server. - - - -The steps for adding a Samba 2.2 host to a Win2k domain are the same as those -for adding a Samba server to a Windows NT 4.0 domain. The only exception is that -the "Server Manager" from NT 4 has been replaced by the "Active Directory Users and -Computers" MMC (Microsoft Management Console) plugin. +2000 domain operating in mixed or native mode. The steps above apply +to both NT4 and Windows 2000. @@ -205,13 +176,7 @@ Computers" MMC (Microsoft Management Console) plugin. And finally, acting in the same manner as an NT server authenticating to a PDC means that as part of the authentication reply, the Samba server gets the user identification information such - as the user SID, the list of NT groups the user belongs to, etc. All - this information will allow Samba to be extended in the future into - a mode the developers currently call appliance mode. In this mode, - no local Unix users will be necessary, and Samba will generate Unix - uids and gids from the information passed back from the PDC when a - user is authenticated, making a Samba server truly plug and play - in an NT domain environment. Watch for this code soon. + as the user SID, the list of NT groups the user belongs to, etc. NOTE: Much of the text of this document was first published in the Web magazine -- cgit
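Review bot: in the winbindd.8.sgml hunk the unchanged context line "To do that use the smbpasswd program like this:" still names smbpasswd while the command beneath it is now `net join -S PDC -U Administrator`; reword the sentence to refer to the net program (and point the reader at net(8) rather than the smbpasswd man page). The hunk also drops the `-j DOMAIN` argument without saying where the domain name now comes from; given the commit message, one sentence stating that the workgroup line in smb.conf must already be set before the join would close that gap.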
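Review bot: typos in the added lines of the first DOMAIN_MEMBER.sgml hunk (@@ -25,79 +25,29 @@): "joining an or Win2k NT domain" should read "joining an NT or Win2k domain", and "respectivly" should be "respectively". More substantively, the new `security = ads` alternative is introduced with no accompanying smb.conf setting for the Kerberos realm, yet the later hunk's success message reads "Joined 'SERV1' to realm 'MYREALM'"; tell the reader that the realm parameter must be set in the [global] section before running the join, otherwise the ADS case cannot be followed from this text.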
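Review bot: the example `net join -S DOMPDC -UAdministrator%password` in the @@ -128,11 +78,47 @@ hunk puts the administrator password on the command line, where it is exposed in the process list and shell history; prefer the form used in the winbindd.8 hunk, `-U Administrator`, and say in the text that net will prompt for the password. Minor wording in the same hunk: "This method, allows" has a stray comma, and "to thedomain" is missing a space. The sentence "This process joins the server to the domain without having to create the machine trust account on the PDC beforehand" now stands alone after the older explanation was deleted; one clause saying that the join creates the machine account itself would make the point explicit.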
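Review bot: the @@ -144,23 +130,8 @@ hunk deletes the only text that told readers a native-mode Win2k DC still accepts NetBIOS and NTLMv1, which is exactly what someone choosing `security = domain` rather than `security = ads` against a Win2k DC needs to know, and the replacement "The steps above apply to both NT4 and Windows 2000" does not say which security setting applies in which case. Suggest keeping one sentence from the removed paragraph (a Win2k DC in either mode can be joined with security = domain; security = ads requires Active Directory) and the note that "Server Manager" is replaced by the "Active Directory Users and Computers" MMC plugin, since that is where the Win2k administrator will look for the new machine account.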
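Review bot: dropping the forward-looking "appliance mode" text in the @@ -205,13 +176,7 @@ hunk is reasonable, but the surviving paragraph now stops at "etc." without saying what Samba does with the SID and group list it receives; a half-sentence pointing to winbindd, whose man page is updated in this same commit, would keep the paragraph purposeful.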