From 3be323c6110f1a241f86aacb94c8ff1ba69351c5 Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Sun, 23 Sep 2012 04:52:56 +1000 Subject: docs: Remove references to default parameters in TOSHARG-PDC --- docs-xml/Samba3-HOWTO/TOSHARG-PDC.xml | 182 ++++++++++------------------------ 1 file changed, 53 insertions(+), 129 deletions(-) (limited to 'docs-xml/Samba3-HOWTO') diff --git a/docs-xml/Samba3-HOWTO/TOSHARG-PDC.xml b/docs-xml/Samba3-HOWTO/TOSHARG-PDC.xml index a2461b72e9..559e2e4d8b 100644 --- a/docs-xml/Samba3-HOWTO/TOSHARG-PDC.xml +++ b/docs-xml/Samba3-HOWTO/TOSHARG-PDC.xml @@ -144,15 +144,17 @@ account). Refer to Domain Membership for mo -The following functionalities are new to the Samba-3 release: +The following functionalities are an overview of some of the features +in the Samba-4 release: accountbackend - Samba-3 supports the use of a choice of backends that may be used in which user, group and machine - accounts may be stored. Multiple passwd backends can be used in combination, either as additive backend - data sets, or as fail-over data sets. + Samba-4 supports the use of a choice of backends that may be used in which user, group and machine + accounts may be stored, but only when acting as a classic + (NT4) domain controller, + but not when it is acting as an Active Directory Domain Controller. 
@@ -162,16 +164,20 @@ The following functionalities are new to the Samba-3 release: scalability reliability An LDAP passdb backend confers the benefit that the account backend can be distributed and replicated, - which is of great value because it confers scalability and provides a high degree of reliability. + which is of great value because it confers scalability and + provides a high degree of reliability. This may be used when + Samba-4 is acting as an classic (NT4-like) domain controller, + but not when it is acting as an Active Directory Domain Controller. interdomaintrustaccount trust accountinterdomain interoperability - Windows NT4 domain trusts. Samba-3 supports workstation and server (machine) trust accounts. It also + Windows NT4 domain trusts. Samba-4 supports workstation and server (machine) trust accounts. It also supports Windows NT4 style interdomain trust accounts, which further assists in network scalability - and interoperability. + and interoperability, but only when itself is an classic + (NT4-like) domain controller. @@ -182,7 +188,8 @@ The following functionalities are new to the Samba-3 release: domaincontroller networkbrowsing Operation without NetBIOS over TCP/IP, rather using the raw SMB over TCP/IP. Note, this is feasible - only when operating as a Microsoft active directory domain member server. When acting as a Samba domain + only when operating as a Microsoft active directory domain + member server. When acting as a Samba classic (NT4-like) domain controller the use of NetBIOS is necessary to provide network browsing support. 
@@ -190,26 +197,34 @@ The following functionalities are new to the Samba-3 release: WINS TCP port session services - Samba-3 provides NetBIOS name services (WINS), NetBIOS over TCP/IP (TCP port 139) session services, SMB over + Samba-4 provides NetBIOS name services (WINS), NetBIOS over TCP/IP (TCP port 139) session services, SMB over TCP/IP (TCP port 445) session services, and Microsoft compatible ONC DCE RPC services (TCP port 135) services. + - Nexus.exe - Management of users and groups via the User Manager for Domains. This can be done on any MS Windows client - using the Nexus.exe toolkit for Windows 9x/Me, or using the SRVTOOLS.EXE package for MS - Windows NT4/200x/XP platforms. These packages are available from Microsoft's Web site. + kerberos + active directory + Acting as a Windows 2000 active directory domain controller + (i.e., Kerberos and Active Directory). - Implements full Unicode support. This simplifies cross-locale internationalization support. It also opens up - the use of protocols that Samba-2.2.x had but could not use due to the need to fully support Unicode. + MMC + SVRTOOLS.EXE + Microsoft management consoleMMC + The Windows 200x/XP Microsoft Management Console (MMC) can be + used to manage a Samba-4 server, when it is an Active + Directory Domain Controller. When acting as a classic (NT4) + domain controller, you + can use only the MS Windows NT4 Domain Server Manager and the MS Windows NT4 Domain User Manager. Both are + part of the SVRTOOLS.EXE package mentioned later. -The following functionalities are not provided by Samba-3: +The following functionalities are not provided by Samba-4: 
@@ -217,39 +232,12 @@ The following functionalities are not provided by Samba-3: SAM replication SAM replication with Windows NT4 domain controllers (i.e., a Samba PDC and a Windows NT BDC, or vice versa). - This means Samba cannot operate as a BDC when the PDC is Microsoft-based Windows NT PDC. Samba-3 can not + This means Samba cannot operate as a BDC when the PDC is Microsoft-based Windows NT PDC. Samba-4 can not participate in replication of account data to Windows PDCs and BDCs. - - kerberos - active directory - Acting as a Windows 2000 active directory domain controller (i.e., Kerberos and Active Directory). In point of - fact, Samba-3 does have some Active Directory domain control ability that is at this time purely experimental. - Active directory domain control is one of the features that is being developed in Samba-4, the next - generation Samba release. At this time there are no plans to enable active directory domain control - support during the Samba-3 series life-cycle. - - - - MMC - SVRTOOLS.EXE - Microsoft management consoleMMC - The Windows 200x/XP Microsoft Management Console (MMC) cannot be used to manage a Samba-3 server. For this you - can use only the MS Windows NT4 Domain Server Manager and the MS Windows NT4 Domain User Manager. Both are - part of the SVRTOOLS.EXE package mentioned later. - - -Windows XP Home edition -LanMan -Windows 9x/Me/XP Home clients are not true members of a domain for reasons outlined in this chapter. The -protocol for support of Windows 9x/Me-style network (domain) logons is completely different from NT4/Windows -200x-type domain logons and has been officially supported for some time. These clients use the old LanMan -network logon facilities that are supported in Samba since approximately the Samba-1.9.15 series. - - groupmapping Samba-3 implements group mapping between Windows NT groups and UNIX groups (this is really quite complicated 
@@ -261,10 +249,9 @@ Windows and UNIX. machine trust account trust accountmachine machine account -Samba-3, like an MS Windows NT4 PDC or a Windows 200x Active Directory, needs to store user and Machine Trust +Samba-4, like an MS Windows NT4 PDC or a Windows 200x Active Directory, needs to store user and Machine Trust Account information in a suitable backend data-store. Refer to MS -Windows Workstation/Server Machine Trust Accounts. With Samba-3 there can be multiple backends for -this. A complete discussion of account database backends can be found in Account +Windows Workstation/Server Machine Trust Accounts. A complete discussion of account database backends can be found in Account Information Databases. @@ -433,7 +420,9 @@ user and group identity information can be distributed makes it an an unavoidabl BDC LDAP e-Directory -At this time, the use of Samba based BDCs, necessitates the use of LDAP. The most commonly used LDAP +At this time, the use of Samba based BDCs, necessitates the use of +either the Samba-4 Active Directory Domain controller or, for classic +(NT4-like)domains an LDAP backend. The most commonly used LDAP implementation used by Samba sites is OpenLDAP. It is possible to use any standards compliant LDAP server. Those known to work includes those manufactured by: IBM, CA, Novell (e-Directory), and others. 
@@ -476,30 +465,26 @@ dictates that the entire infrastructure needs to be balanced. It is advisable to BDC authenticatior synchronization +FSMO +Flexible Single Master OperatorFSMO Security Account ManagerSAM In the case of MS Windows NT4-style domains, it is the PDC that initiates a new domain control database. This forms a part of the Windows registry called the Security Account Manager (SAM). It plays a key part in NT4-type domain user authentication and in synchronization of the domain authentication -database with BDCs. - - - -domaincontrollerhierarchy -LDAP -accountbackend -machine account -With MS Windows 200x Server-based Active Directory domains, one domain controller initiates a potential -hierarchy of domain controllers, each with its own area of delegated control. The master domain -controller has the ability to override any downstream controller, but a downline controller has -control only over its downline. With Samba-3, this functionality can be implemented using an -LDAP-based user and machine account backend. +database with BDCs. With Active Directory domains, while some servers +may be a Flexible Single Master Operator (FSMO) role owner (and +therefore hold the monopoly for certain operations), it is in general +a distributed, multi-master replicated directory. backend database registry -New to Samba-3 is the ability to use a backend database that holds the same type of data as the NT4-style SAM -database (one of the registry files)See also Account Information +Samba-4 can use a backend database that holds the same type of data as the NT4-style SAM +database (one of the registry files). For BDC/BDC operations in a +classic domain, this functionality can be implemented using an +LDAP-based user and machine account backend. The Samba-4 Active +Directory Domain controller implements the required storage internally.See also Account Information Databases. 
@@ -547,13 +532,6 @@ time choices offered are: has its own authentication database, and plays no role in domain security. - -promote -Algin Technology LLC provide a commercial tool that makes it possible to promote a Windows NT4 standalone -server to a PDC or a BDC, and also permits this process to be reversed. Refer to the Algin web site for further information. - - domaincontrolrole native member @@ -577,26 +555,6 @@ excluding the SAM replication components. However, please be aware that Samba-3 MS Windows 200x domain control protocols. - -ADS -At this time any appearance that Samba-3 is capable of acting as a domain controller in -native ADS mode is limited and experimental in nature. This functionality should not be used until the Samba -Team offers formal support for it. At such a time, the documentation will be revised to duly reflect all -configuration and management requirements. Samba can act as a NT4-style domain controller in a Windows 2000/XP -environment. However, there are certain compromises: - - - - No machine policy files. - No Group Policy Objects. - No synchronously executed Active Directory logon scripts. - Can't use Active Directory management tools to manage users and machines. - Registry changes tattoo the main registry, while with Active Directory they do not leave - permanent changes in effect. - Without Active Directory you cannot perform the function of exporting specific - applications to specific users or groups. - - 
@@ -662,24 +620,6 @@ NT4/200x/XP clients: Configuring MS Windows NT4/2000 Professional and Windows XP Professional client machines to become domain members. - -The following provisions are required to serve MS Windows 9x/Me clients: - - - - Configuration of basic TCP/IP and MS Windows networking. - Correct designation of the server role (user). - Network logon configuration (since Windows 9x/Me/XP Home are not technically domain - members, they do not really participate in the security aspects of Domain logons as such). - Roaming profile configuration. - Configuration of system policy handling. - Installation of the network driver Client for MS Windows Networks and configuration - to log onto the domain. - Placing Windows 9x/Me clients in user-level security &smbmdash; if it is desired to allow - all client-share access to be controlled according to domain user/group identities. - Adding and managing domain user accounts. - - roaming profiles account policies @@ -754,10 +694,6 @@ smb.conf file for an example PDC. BELERIAND &example.workgroup; tdbsam -33 -auto -yes -yes user yes \\%N\profiles\%U @@ -809,24 +745,12 @@ The basic options shown in this example are e Domain Control Parameters - os level - preferred master - domain master networklogon - The parameters os level, preferred master, domain master, security, - encrypt passwords, and domain logons play a central role in assuring domain + The parameters domain logons + parameter is the key parameter indicating domain control and network logon support. - - DMB - encryped password - The os level must be set at or above a value of 32. A domain controller - must be the DMB, must be set in user mode security, - must support Microsoft-compatible encrypted passwords, and must provide the network logon - service (domain logons). Encrypted passwords must be enabled. For more details on how - to do this, refer to Account Information Databases. - Environment Parameters 
@@ -883,7 +807,6 @@ of operation. The following &smb.conf; parameters are the essentials alone: BELERIAND &example.workgroup; Yes -Yes User @@ -936,7 +859,8 @@ an integral part of the essential functionality that is provided by a domain con domain logon All domain controllers must run the netlogon service (domain logons -in Samba). One domain controller must be configured with Yes +in Samba). One domain controller must be configured without the + parameter (the PDC); on all BDCs set the parameter No. @@ -948,7 +872,7 @@ in Samba). One domain controller must be configured with Yes -(Yes on PDC, No on BDCs) +(omit on PDC, No on BDCs) Network Logon Service -- cgit
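Review bot: In hunk @@ -144,15 the new wording has a doubled "but" ("but only when acting as a classic (NT4) domain controller, but not when it is acting as an Active Directory Domain Controller") and the lead sentence "The following functionalities are an overview of some of the features" reads oddly; suggest "The following is an overview of some of the features in the Samba-4 release:" and "... may be stored, but only when acting as a classic (NT4) domain controller, not when acting as an Active Directory Domain Controller."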
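Review bot: In hunk @@ -162,16 "an classic" appears twice and "but only when itself is an classic (NT4-like) domain controller" is ungrammatical; suggest "acting as a classic (NT4-like) domain controller" and "but only when it is itself a classic (NT4-like) domain controller."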
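Review bot: In hunk @@ -182,7 and across the patch the same concept is written as "classic (NT4)" in some places and "classic (NT4-like)" in others, and "Microsoft active directory" is lowercased here while "Active Directory Domain Controller" is capitalised elsewhere; pick one form of each so the chapter reads consistently.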
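Review bot: In hunk @@ -190,26 the added index entry and sentence spell the tool package "SVRTOOLS.EXE" while the paragraph removed in the same hunk spelled it "SRVTOOLS.EXE"; only one can be right, so check the package name before moving the text. The added sentence also says the package is "mentioned later", but the only nearby mention was the Nexus.exe/SRVTOOLS.EXE paragraph this hunk deletes, so confirm a later mention still exists in the chapter.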
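Review bot: In hunk @@ -217,39 "Samba-4 can not participate" should be "cannot", and the unchanged context line immediately after the list still reads "Samba-3 implements group mapping", so the version switch is only half done here. This hunk also removes the whole Windows 9x/Me/XP Home paragraph, which is beyond what the commit subject ("Remove references to default parameters") announces; either mention that in the commit message or split it into its own commit.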
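Review bot: In hunk @@ -433,7 "(NT4-like)domains an LDAP backend" is missing a space and a comma, and "Active Directory Domain controller" uses a different capitalisation from the rest of the patch; suggest "either the Samba-4 Active Directory Domain Controller or, for classic (NT4-like) domains, an LDAP backend."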
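Review bot: In hunk @@ -476,30 "For BDC/BDC operations in a classic domain" looks like a typo for "PDC/BDC operations", and the expansion "Flexible Single Master Operator" in both the index entry and the prose should be "Flexible Single Master Operations", which is the term the acronym FSMO actually stands for. The sentence "while some servers may be a ... role owner ..., it is in general a distributed, multi-master replicated directory" also leaves "it" without a clear referent; say "the directory is in general distributed and multi-master replicated."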
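Review bot: In hunk @@ -754,10 four parameter values are dropped from the example PDC smb.conf and only "user" and "yes" remain before the profiles path; confirm that the remaining "yes" is domain logons, since the Domain Control Parameters text in hunk @@ -809,24 now calls that the key parameter and a reader will look for it in this example.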
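Review bot: In hunk @@ -809,24 the new sentence "The parameters domain logons parameter is the key parameter indicating domain control and network logon support" is garbled; suggest "The domain logons parameter is the key parameter indicating domain control and network logon support." The deleted paragraph also carried the requirement that a domain controller run in user-mode security with encrypted passwords enabled; if those are now the defaults, one sentence saying so would keep that guidance without re-documenting the parameters.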
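Review bot: In hunk @@ -936,7 "One domain controller must be configured without the parameter (the PDC)" relies on the reader knowing the default; state the default value the PDC depends on (for example "left at its default, or set to Yes") so that an administrator whose smb.conf already sets it explicitly knows which value the PDC needs, and keep hunk @@ -948,7's "(omit on PDC, No on BDCs)" in step with that wording.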