From 75b6f55e64f724018df0aa5333fa9747d57b7db6 Mon Sep 17 00:00:00 2001 From: John Terpstra Date: Mon, 16 May 2005 23:04:09 +0000 Subject: Another progress update. (This used to be commit da8ea8bf87452f9541981b7315c1cd5af7dd22aa) --- .../TOSHARG-TheNetCommand.xml | 64 +++++++++++++++++++++- 1 file changed, 62 insertions(+), 2 deletions(-) diff --git a/docs/Samba-HOWTO-Collection/TOSHARG-TheNetCommand.xml b/docs/Samba-HOWTO-Collection/TOSHARG-TheNetCommand.xml index b4fab1c978..a5e4a89826 100644 --- a/docs/Samba-HOWTO-Collection/TOSHARG-TheNetCommand.xml +++ b/docs/Samba-HOWTO-Collection/TOSHARG-TheNetCommand.xml @@ -661,6 +661,7 @@ Successfully granted rights. Next, the domain user jht is given the privileges needed for day to day administration: + &rootprompt; net rpc rights grant "MIDEARTH\jht" \ SeMachineAccountPrivilege SePrintOperatorPrivilege \ SeAddUsersPrivilege SeDiskOperatorPrivilege \ 
@@ -712,16 +713,74 @@ SeDiskOperatorPrivilege Managing Trust Relationships - Document how to set up trusts here!!!!!!!!!!! + There are essentially two types of trust relationships. The first between domain controllers and domain + member machines (network clients), the second trusts between domains (called inter-domain trusts). All + Samba servers that pasticipate in domain security require a domain membership trust account, as do like + Windows NT/2KX/XPP workstations. Machine Trust Accounts + A Samba server domain trust account can be validated as shown in this example: &rootprompt; net rpc testjoin Join to 'MIDEARTH' is OK + + Where there is no domain membership account, or when the account credentials are not valid the following + results will be observed: + +net rpc testjoin -S DOLPHIN +Join to domain 'WORLDOCEAN' is not valid + + + + + The equivalent command for joining a Samba server to a Windows ADS domain is shown here: + +&rootprompt; net ads testjoin +Using short domain name -- TAKEAWAY +Joined 'LEMONADE' to realm 'TAKEAWAY.BIZ' + + In the event that the ADS trust was not established, or is broken for one reason or another, the following + error message may be obtained: + +&rootprompt; net ads testjoin -UAdministrator%secret +Join to domain is not valid + + + + + The following demonstrates the process of creating a machine trust account in the target domain for the + Samba server from which the command is executed: + +&rootprompt; net rpc join -S FRODO -Uroot%not24get +Joined domain MIDEARTH. + + The joining of a Samba server to a Samba domain results in the creation of a machine account. 
An example + of this is shown here: + +&rootprompt; pdbedit -Lw merlin\$ +merlin$:1009:9B4489D6B90461FD6A3EC3AB96147E16:\ +176D8C554E99914BDF3407DEA2231D80:[S ]:LCT-42891919: + + The equivalent command to join a Samba server to a Windows ADS domain is shown here: + +&rootprompt; net ads join -UAdministrator%not24get +Using short domain name -- GDANSK +Joined 'FRANDIMITZ' to realm 'GDANSK.ABMAS.BIZ' + + + + + There is no specific option to remove a machine account from a domain. When a domain member that is a + Windows machine is withdrawn from the domain the domain membership account is not automatically removed + either. Inactive domain member accounts can be removed using any convenient tool. If necessary, the + machine account can be removed using the following net command: + +&rootprompt; net rpc user delete HERRING\$ -Uroot%not24get +Deleted user account. @@ -731,7 +790,8 @@ Join to 'MIDEARTH' is OK Inter-Domain Trusts - Document how to set up trusts here!!!!!!!!!!! + Inter-domain trust relationships form the primary mechanism by which users from one domain can be granted + access rights and privileges in another domain. -- cgit
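Review bot: in the second hunk (@@ -712,16 +713,74 @@) the sentence introducing `net ads testjoin` calls it "the equivalent command for joining a Samba server to a Windows ADS domain", but testjoin only validates an existing membership; the join itself is the `net ads join -UAdministrator%not24get` example later in the same hunk, so this should read "the equivalent command for validating membership of a Windows ADS domain". In the same hunk, "pasticipate" should be "participate", and "as do like Windows NT/2KX/XPP workstations" reads as though a word was dropped and the version string was mistyped (probably "as do Windows NT/200x/XP workstations"). The failure example `net rpc testjoin -S DOLPHIN` is missing the &rootprompt; prefix that every other command line in the section carries. Finally, the `pdbedit -Lw merlin\$` output reproduces what look like genuine LM and NT hashes for the machine account; if these were captured from a real server they are credential-equivalent, so substitute obviously synthetic values before this is published.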
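Review bot: the third hunk (@@ -731,7 +790,8 @@) drops the "Document how to set up trusts here" placeholder from the Inter-Domain Trusts section but replaces it with a single definitional sentence that still does not describe how an inter-domain trust is established, verified or removed, which is exactly what the placeholder was tracking. Either keep a TODO marker so the gap remains visible, or add the procedure (commands with expected output) in the same style as the Machine Trust Accounts material added in the preceding hunk.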