From e4840f0db911eaf3aee1195030c6efca70d78f14 Mon Sep 17 00:00:00 2001 From: Gerald Carter Date: Thu, 6 Dec 2001 07:37:58 +0000 Subject: merge from 2.2 (This used to be commit c5ee06b7c8fc9f1fec679acc7d7f47f333707456) --- docs/docbook/howto/DOMAIN_MEMBER.sgml | 163 ------- docs/docbook/howto/NT_Security.sgml | 342 -------------- docs/docbook/howto/samba-pdc-howto.sgml | 778 -------------------------------- 3 files changed, 1283 deletions(-) delete mode 100644 docs/docbook/howto/DOMAIN_MEMBER.sgml delete mode 100644 docs/docbook/howto/NT_Security.sgml delete mode 100644 docs/docbook/howto/samba-pdc-howto.sgml (limited to 'docs/docbook/howto') diff --git a/docs/docbook/howto/DOMAIN_MEMBER.sgml b/docs/docbook/howto/DOMAIN_MEMBER.sgml deleted file mode 100644 index 888b801742..0000000000 --- a/docs/docbook/howto/DOMAIN_MEMBER.sgml +++ /dev/null @@ -1,163 +0,0 @@ - - -
- - - - Joining an NT Domain with Samba 2.2 - - In order for a Samba-2 server to join an NT domain, - you must first add the NetBIOS name of the Samba server to the - NT domain on the PDC using Server Manager for Domains. This creates - the machine account in the domain (PDC) SAM. Note that you should - add the Samba server as a "Windows NT Workstation or Server", - NOT as a Primary or backup domain controller. - - Assume you have a Samba-2 server with a NetBIOS name of - SERV1 and are joining an NT domain called - DOM, which has a PDC with a NetBIOS name - of DOMPDC and two backup domain controllers - with NetBIOS names DOMBDC1 and DOMBDC2 - . - - In order to join the domain, first stop all Samba daemons - and run the command: - - root# smbpasswd -j DOM -r DOMPDC - - - as we are joining the domain DOM and the PDC for that domain - (the only machine that has write access to the domain SAM database) - is DOMPDC. If this is successful you will see the message: - - smbpasswd: Joined domain DOM. - - - in your terminal window. See the - smbpasswd(8) man page for more details. - - This command goes through the machine account password - change protocol, then writes the new (random) machine account - password for this Samba server into a file in the same directory - in which an smbpasswd file would be stored - normally : - - /usr/local/samba/private - - In Samba 2.0.x, the filename looks like this: - - <NT DOMAIN NAME>. - <Samba Server Name>.mac - - The .mac suffix stands for machine account - password file. So in our example above, the file would be called: - - DOM.SERV1.mac - - In Samba 2.2, this file has been replaced with a TDB - (Trivial Database) file named secrets.tdb. - - - - This file is created and owned by root and is not - readable by any other user. It is the key to the domain-level - security for your system, and should be treated as carefully - as a shadow password file. - - Now, before restarting the Samba daemons you must - edit your smb.conf(5) - file to tell Samba it should now use domain security. - - Change (or add) your - security = line in the [global] section - of your smb.conf to read: - - security = domain - - Next change the - workgroup = line in the [global] section to read: - - workgroup = DOM - - as this is the name of the domain we are joining. - - You must also have the parameter - encrypt passwords set to yes - in order for your users to authenticate to the NT PDC. - - Finally, add (or modify) a - password server = line in the [global] - section to read: - - password server = DOMPDC DOMBDC1 DOMBDC2 - - These are the primary and backup domain controllers Samba - will attempt to contact in order to authenticate users. Samba will - try to contact each of these servers in order, so you may want to - rearrange this list in order to spread out the authentication load - among domain controllers. - - Alternatively, if you want smbd to automatically determine - the list of Domain controllers to use for authentication, you may - set this line to be : - - password server = * - - This method, which was introduced in Samba 2.0.6, - allows Samba to use exactly the same mechanism that NT does. This - method either broadcasts or uses a WINS database in order to - find domain controllers to authenticate against. - - Finally, restart your Samba daemons and get ready for - clients to begin using domain security! - - - - Why is this better than security = server? - - Currently, domain security in Samba doesn't free you from - having to create local Unix users to represent the users attaching - to your server. This means that if domain user DOM\fred - attaches to your domain security Samba server, there needs - to be a local Unix user fred to represent that user in the Unix - filesystem. This is very similar to the older Samba security mode - security = server, - where Samba would pass through the authentication request to a Windows - NT server in the same way as a Windows 95 or Windows 98 server would. - - - The advantage to domain-level security is that the - authentication in domain-level security is passed down the authenticated - RPC channel in exactly the same way that an NT server would do it. This - means Samba servers now participate in domain trust relationships in - exactly the same way NT servers do (i.e., you can add Samba servers into - a resource domain and have the authentication passed on from a resource - domain PDC to an account domain PDC. - - In addition, with security = server every Samba - daemon on a server has to keep a connection open to the - authenticating server for as long as that daemon lasts. This can drain - the connection resources on a Microsoft NT server and cause it to run - out of available connections. With security = domain, - however, the Samba daemons connect to the PDC/BDC only for as long - as is necessary to authenticate the user, and then drop the connection, - thus conserving PDC connection resources. - - And finally, acting in the same manner as an NT server - authenticating to a PDC means that as part of the authentication - reply, the Samba server gets the user identification information such - as the user SID, the list of NT groups the user belongs to, etc. All - this information will allow Samba to be extended in the future into - a mode the developers currently call appliance mode. In this mode, - no local Unix users will be necessary, and Samba will generate Unix - uids and gids from the information passed back from the PDC when a - user is authenticated, making a Samba server truly plug and play - in an NT domain environment. Watch for this code soon. - - NOTE: Much of the text of this document - was first published in the Web magazine - LinuxWorld as the article Doing - the NIS/NT Samba. - - -
diff --git a/docs/docbook/howto/NT_Security.sgml b/docs/docbook/howto/NT_Security.sgml deleted file mode 100644 index 62550bfaa6..0000000000 --- a/docs/docbook/howto/NT_Security.sgml +++ /dev/null @@ -1,342 +0,0 @@ - - -
- - - - Viewing and changing UNIX permissions using the NT - security dialogs - - - New in the Samba 2.0.4 release is the ability for Windows - NT clients to use their native security settings dialog box to - view and modify the underlying UNIX permissions. - - Note that this ability is careful not to compromise - the security of the UNIX host Samba is running on, and - still obeys all the file permission rules that a Samba - administrator can set. - - In Samba 2.0.4 and above the default value of the - parameter - nt acl support has been changed from - false to true, so - manipulation of permissions is turned on by default. - - - - How to view file security on a Samba share - - From an NT 4.0 client, single-click with the right - mouse button on any file or directory in a Samba mounted - drive letter or UNC path. When the menu pops-up, click - on the Properties entry at the bottom of - the menu. This brings up the normal file properties dialog - box, but with Samba 2.0.4 this will have a new tab along the top - marked Security. Click on this tab and you - will see three buttons, Permissions, - Auditing, and Ownership. - The Auditing button will cause either - an error message A requested privilege is not held - by the client to appear if the user is not the - NT Administrator, or a dialog which is intended to allow an - Administrator to add auditing requirements to a file if the - user is logged on as the NT Administrator. This dialog is - non-functional with a Samba share at this time, as the only - useful button, the Add button will not currently - allow a list of users to be seen. - - - - Viewing file ownership - - Clicking on the "Ownership" button - brings up a dialog box telling you who owns the given file. The - owner name will be of the form : - - "SERVER\user (Long name)" - - Where SERVER is the NetBIOS name of - the Samba server, user is the user name of - the UNIX user who owns the file, and (Long name) - is the discriptive string identifying the user (normally found in the - GECOS field of the UNIX password database). Click on the Close - button to remove this dialog. - - If the parameter nt acl support - is set to false then the file owner will - be shown as the NT user "Everyone". - - The Take Ownership button will not allow - you to change the ownership of this file to yourself (clicking on - it will display a dialog box complaining that the user you are - currently logged onto the NT client cannot be found). The reason - for this is that changing the ownership of a file is a privilaged - operation in UNIX, available only to the root - user. As clicking on this button causes NT to attempt to change - the ownership of a file to the current user logged into the NT - client this will not work with Samba at this time. - - There is an NT chown command that will work with Samba - and allow a user with Administrator privillage connected - to a Samba 2.0.4 server as root to change the ownership of - files on both a local NTFS filesystem or remote mounted NTFS - or Samba drive. This is available as part of the Seclib - NT security library written by Jeremy Allison of - the Samba Team, available from the main Samba ftp site. - - - - - Viewing file or directory permissions - - The third button is the "Permissions" - button. Clicking on this brings up a dialog box that shows both - the permissions and the UNIX owner of the file or directory. - The owner is displayed in the form : - - "SERVER\user (Long name)" - - Where SERVER is the NetBIOS name of - the Samba server, user is the user name of - the UNIX user who owns the file, and (Long name) - is the discriptive string identifying the user (normally found in the - GECOS field of the UNIX password database). - - If the parameter nt acl support - is set to false then the file owner will - be shown as the NT user "Everyone" and the - permissions will be shown as NT "Full Control". - - - The permissions field is displayed differently for files - and directories, so I'll describe the way file permissions - are displayed first. - - - File Permissions - - The standard UNIX user/group/world triple and - the correspinding "read", "write", "execute" permissions - triples are mapped by Samba into a three element NT ACL - with the 'r', 'w', and 'x' bits mapped into the corresponding - NT permissions. The UNIX world permissions are mapped into - the global NT group Everyone, followed - by the list of permissions allowed for UNIX world. The UNIX - owner and group permissions are displayed as an NT - user icon and an NT local - group icon respectively followed by the list - of permissions allowed for the UNIX user and group. - - As many UNIX permission sets don't map into common - NT names such as "read", - "change" or "full control" then - usually the permissions will be prefixed by the words - "Special Access" in the NT display list. - - But what happens if the file has no permissions allowed - for a particular UNIX user group or world component ? In order - to allow "no permissions" to be seen and modified then Samba - overloads the NT "Take Ownership" ACL attribute - (which has no meaning in UNIX) and reports a component with - no permissions as having the NT "O" bit set. - This was chosen of course to make it look like a zero, meaning - zero permissions. More details on the decision behind this will - be given below. - - - - Directory Permissions - - Directories on an NT NTFS file system have two - different sets of permissions. The first set of permissions - is the ACL set on the directory itself, this is usually displayed - in the first set of parentheses in the normal "RW" - NT style. This first set of permissions is created by Samba in - exactly the same way as normal file permissions are, described - above, and is displayed in the same way. - - The second set of directory permissions has no real meaning - in the UNIX permissions world and represents the - "inherited" permissions that any file created within - this directory would inherit. - - Samba synthesises these inherited permissions for NT by - returning as an NT ACL the UNIX permission mode that a new file - created by Samba on this share would receive. - - - - - Modifying file or directory permissions - - Modifying file and directory permissions is as simple - as changing the displayed permissions in the dialog box, and - clicking the OK button. However, there are - limitations that a user needs to be aware of, and also interactions - with the standard Samba permission masks and mapping of DOS - attributes that need to also be taken into account. - - If the parameter nt acl support - is set to false then any attempt to set - security permissions will fail with an "Access Denied" - message. - - The first thing to note is that the "Add" - button will not return a list of users in Samba 2.0.4 (it will give - an error message of "The remote proceedure call failed - and did not execute"). This means that you can only - manipulate the current user/group/world permissions listed in - the dialog box. This actually works quite well as these are the - only permissions that UNIX actually has. - - If a permission triple (either user, group, or world) - is removed from the list of permissions in the NT dialog box, - then when the "OK" button is pressed it will - be applied as "no permissions" on the UNIX side. If you then - view the permissions again the "no permissions" entry will appear - as the NT "O" flag, as described above. This - allows you to add permissions back to a file or directory once - you have removed them from a triple component. - - As UNIX supports only the "r", "w" and "x" bits of - an NT ACL then if other NT security attributes such as "Delete - access" are selected then they will be ignored when applied on - the Samba server. - - When setting permissions on a directory the second - set of permissions (in the second set of parentheses) is - by default applied to all files within that directory. If this - is not what you want you must uncheck the "Replace - permissions on existing files" checkbox in the NT - dialog before clicking "OK". - - If you wish to remove all permissions from a - user/group/world component then you may either highlight the - component and click the "Remove" button, - or set the component to only have the special "Take - Ownership" permission (dsplayed as "O" - ) highlighted. - - - - Interaction with the standard Samba create mask - parameters - - Note that with Samba 2.0.5 there are four new parameters - to control this interaction. These are : - - security mask - force security mode - directory security mask - force directory security mode - - Once a user clicks "OK" to apply the - permissions Samba maps the given permissions into a user/group/world - r/w/x triple set, and then will check the changed permissions for a - file against the bits set in the - security mask parameter. Any bits that - were changed that are not set to '1' in this parameter are left alone - in the file permissions. - - Essentially, zero bits in the security mask - mask may be treated as a set of bits the user is not - allowed to change, and one bits are those the user is allowed to change. - - - If not set explicitly this parameter is set to the same value as - the create mask - parameter to provide compatibility with Samba 2.0.4 - where this permission change facility was introduced. To allow a user to - modify all the user/group/world permissions on a file, set this parameter - to 0777. - - Next Samba checks the changed permissions for a file against - the bits set in the - force security mode parameter. Any bits - that were changed that correspond to bits set to '1' in this parameter - are forced to be set. - - Essentially, bits set in the force security mode - parameter may be treated as a set of bits that, when - modifying security on a file, the user has always set to be 'on'. - - If not set explicitly this parameter is set to the same value - as the force - create mode parameter to provide compatibility - with Samba 2.0.4 where the permission change facility was introduced. - To allow a user to modify all the user/group/world permissions on a file, - with no restrictions set this parameter to 000. - - The security mask and force - security mode parameters are applied to the change - request in that order. - - For a directory Samba will perform the same operations as - described above for a file except using the parameter - directory security mask instead of security - mask, and force directory security mode - parameter instead of force security mode - . - - The directory security mask parameter - by default is set to the same value as the directory mask - parameter and the force directory security - mode parameter by default is set to the same value as - the force directory mode parameter to provide - compatibility with Samba 2.0.4 where the permission change facility - was introduced. - - In this way Samba enforces the permission restrictions that - an administrator can set on a Samba share, whilst still allowing users - to modify the permission bits within that restriction. - - If you want to set up a share that allows users full control - in modifying the permission bits on their files and directories and - doesn't force any particular bits to be set 'on', then set the following - parameters in the smb.conf(5) - file in that share specific section : - - security mask = 0777 - force security mode = 0 - directory security mask = 0777 - force directory security mode = 0 - - As described, in Samba 2.0.4 the parameters : - - create mask - force create mode - directory mask - force directory mode - - were used instead of the parameters discussed here. - - - - Interaction with the standard Samba file attribute - mapping - - Samba maps some of the DOS attribute bits (such as "read - only") into the UNIX permissions of a file. This means there can - be a conflict between the permission bits set via the security - dialog and the permission bits set by the file attribute mapping. - - - One way this can show up is if a file has no UNIX read access - for the owner it will show up as "read only" in the standard - file attributes tabbed dialog. Unfortunately this dialog is - the same one that contains the security info in another tab. - - What this can mean is that if the owner changes the permissions - to allow themselves read access using the security dialog, clicks - "OK" to get back to the standard attributes tab - dialog, and then clicks "OK" on that dialog, then - NT will set the file permissions back to read-only (as that is what - the attributes still say in the dialog). This means that after setting - permissions and clicking "OK" to get back to the - attributes dialog you should always hit "Cancel" - rather than "OK" to ensure that your changes - are not overridden. - - -
diff --git a/docs/docbook/howto/samba-pdc-howto.sgml b/docs/docbook/howto/samba-pdc-howto.sgml deleted file mode 100644 index 4b8380dd9e..0000000000 --- a/docs/docbook/howto/samba-pdc-howto.sgml +++ /dev/null @@ -1,778 +0,0 @@ - - - - -The Samba 2.2 PDC HowTo - - - - - - DavidBannon - La Trobe University - - November 2000 - - - - - Comments, corrections and additions to dbannon@samba.org - - - This document explains how to setup Samba as a Primary Domain Controller and - applies to version 2.2.0. - Before - using these functions make sure you understand what the controller can and cannot do. - Please read the sections below in the Introduction. - As 2.2.0 is incrementally updated - this document will change or become out of date very quickly, make sure you are - reading the most current version. - - - Please note this document does not apply to Samba2.2alpha0, Samba2.2alpha1, - Samba 2.0.7, TNG nor HEAD branch. - - It does apply to the current (post November 27th) cvs. - - - Also available is an updated version of Jerry Carter's NTDom - FAQ that will answer lots of - the special 'tuning' questions that are not covered here. Over the next couple of weeks - some of the items here will be moved to the FAQ. - - - - - - - - - -Introduction - - -This document will show you one way of making Version 2.2.0 -of Samba perform some of the tasks of a -NT Primary Domain Controller. The facilities described are built into Samba as a result of -development work done over a number of years by a large number of people. These facilities -are only just beginning to be officially supported and although they do appear to work reliably, -if you use them then you take the risks upon your self. This document does not cover the -developmental versions of Samba, particularly -Samba-TNG - - - - - -Note that Samba 2.0.7 - supports significently less of the NT Domain facilities compared with 2.2.0 - - - - This document does not replace the text files DOMAIN_CONTROL.txt, DOMAIN.txt (by - John H Terpstra) or NTDOMAIN.txt (by Luke Kenneth Casson Leighton). Those documents provide - more detail and an insight to the development - cycle and should be considered 'further reading'. - - - - -What can we do ? - - Permit 'domain logons' for Win95/98, NT4 and W2K workstations from one central - password database. WRT W2K, please see the section about adding machine - accounts and the Intro in the FAQ. - Grant Administrator privileges to particular domain users on an - NT or W2K workstation. - Apply policies from a domain policy file to NT and W2K (?) - workstation. - Run the appropriate logon script when a user logs on to the domain - . - Maintain a user's local profile on the server. - Validate a user using another system via smb (such as smb_pam) and - soon winbind (?). - - - - -What can't we do ? - - Become or work with a Backup Domain Controller (a BDC). - Participate in any sort of trust relationship (with either Samba or NT - Servers). - Offer a list of domain users to User Manager for Domains - on the Security Tab etc). - Be a W2K type of Domain Controller. Samba PDC will behave like - an NT PDC, W2K workstations connect in legacy mode. - - - - - - - - -Installing - - Installing consists of the usual download, configure, make and make - install process. These steps are well documented elsewhere. - The FAQ discusses getting pre-release versions via CVS. - Then you need to configure the server. - -Start Up Script - Skip this section if you have a working Samba already. - Everyone has their own favourite startup script. Here is mine, offered with no warrantee - at all ! - - - - #!/bin/sh - # Script to control Samba server, David Bannon, 14-6-96 - # - # - PATH=/bin:/usr/sbin:/usr/bin - export PATH - case "$1" in - 'start') - if [ -f /usr/local/samba/bin/smbd ] - then - /usr/local/samba/bin/smbd -D - /usr/local/samba/bin/nmbd -D - echo "Starting Samba Server" - fi - ;; - 'conf') - if [ -f /usr/local/samba/lib/smb.conf ] - then - vi /usr/local/samba/lib/smb.conf - fi - ;; - 'pw') - if [ -f /usr/local/samba/private/smbpasswd ] - then - vi /usr/local/samba/private/smbpasswd - fi - ;; - 'who') - /usr/local/samba/bin/smbstatus -b - ;; - 'restart') - psline=`/bin/ps x | grep smbd | grep -v grep` - - if [ "$psline" != "" ] - then - while [ "$psline" != "" ] - do - psline=`/bin/ps x | fgrep smbd | grep -v grep` - if [ "$psline" ] - then - set -- $psline - pid=$1 - /bin/kill -HUP $pid - echo "Stopped $pid line = $psline" - sleep 2 - fi - done - fi - echo "Stopped Samba servers" - ;; - 'stop') - psline=`/bin/ps x | grep smbd | grep -v grep` - - if [ "$psline" != "" ] - then - while [ "$psline" != "" ] - do - psline=`/bin/ps x | fgrep smbd | grep -v grep` - if [ "$psline" ] - then - set -- $psline - pid=$1 - /bin/kill -9 $pid - echo "Stopped $pid line = $psline" - sleep 2 - fi - done - fi - echo "Stopped Samba servers" - psline=`/bin/ps x | grep nmbd | grep -v grep` - if [ "$psline" ] - then - set -- $psline - pid=$1 - /bin/kill -9 $pid - echo "Stopped Name Server " - fi - echo "Stopped Name Servers" - ;; - *) - echo "usage: samba {start | restart |stop | conf | pw | who}" - ;; - esac - - - - Use this script, or some other one, you will need to ensure its used while the machine - is booting. (This typically involves /etc/rc.d, we'll be - assuming that there is a script called - samba in /etc/rc.d/init.d further down in this document.) - - - -Config File - -A sample conf file - Here is a fairly minimal config file to do PDC. It will also make the server - become the browse master for the - specified domain (not necessary but usually desirable). You will need to change only - two parameters to make this - file work, wins server and workgroup, plus - you will need to put your own name (not mine!) in the domain admin users fields. - Some of the parameters are discussed further down this document. - - Assuming you have used the default install directories, this file should appear as - /usr/local/samba/lib/smb.conf. It should not be - writable by anyone except root. - - The 'add user script' parameter is a work-around, watch for changes ! - - - - [global] - security = user - status = yes - workgroup = { Your domain name here } - wins server = { ip of a wins server if you have one } - encrypt passwords = yes - domain logons =yes - logon script = scripts\%U.bat - domain admin group = @adm - add user script = /usr/sbin/adduser -n -g machines -c Machine -d /dev/null -s /bin/false %m$ - guest account = ftp - share modes=no - os level=65 - [homes] - guest ok = no - read only = no - create mask = 0700 - directory mask = 0700 - oplocks = false - locking = no - [netlogon] - path = /usr/local/samba/netlogon - writeable = no - guest ok = no - - - - - -PDC Config Parameters - - -There are a huge range of parameters that may appear in a smb.conf file. Some - that may be of interest to a PDC are : - -add user script - This parameter specifies a script (or program) that will be run - to add a user to the system. Here it is being used to add a machine, not a user. - This is probably not very nice and may change. But it does work ! - - For this example, I have a group called 'machines', entries can be added to - /etc/passwd using a programme called /usr/adduser and - the other parameters are chosen as suitable for a machine account. Works for - RH Linux, your system may require changes. - - - - -domain admin group = @adm - This parameter specifies a unix group whose members will be granted - admin privileges on a NT workstation when - logged onto that workstation. See the section called - Domain Admin Accounts. - - - -domain admin users = user1 users2 - It appears that this parameter does not funtion correctly at present. - Use the 'domain admin group' instread. This parameter specifies a unix user who will - be granted admin privileges - on a NT workstation when - logged onto that workstation. See the section called - Domain Admin Accounts. - - - -encrypt passwords = yes - This parameter must be 'yes' to allow any of the recent service pack NTs to logon. There are some reg hacks that - turn off encrypted passwords on the NTws itself but if you are going to use the smbpasswd system (and you - should) you must use encrypted passwords. - - - -logon script = scripts\%U.bat - This will make samba look for a logon script named after the user - (eg joeblow.bat). - See the section further on called Logon Scripts - Note that the slash is like this '\', not like this '/'. - NT is happy with both, win95 is not ! - - - -logon path - Lets you specify where you would like users profiles kept. The default, that is in the users - home directory, does encourage a bit of fiddling. - - - - - - - - - - -Special directories - You need to create a couple of special files and directories. Its nice - to have some of the binaries handy too, so I create links to them. Assuming - you have used the default samba location and have not - changed the locations mentioned in the sample config file, do the following : - - - - mkdir /usr/local/samba/netlogon - mkdir /usr/local/samba/netlogon/scripts - mkdir /usr/local/samba/private - touch /usr/local/samba/private/smbpasswd - chmod go-rwx /usr/local/samba/private/smbpasswd - cd /usr/local/sbin - ln -s /usr/local/samba/bin/smbpasswd - ln -s /usr/local/samba/bin/smbclient - ln -s /etc/rc.d/init.d/samba - - - Make sure permissions are appropriate ! - - OK, if you have used the scripts above and have a path to where the links are do this to start up - the Samba Server : - - samba start - - Instead, you might like to reboot the machine to make sure that you - got the init stuff right. Any way, a quick look in the logs - /usr/local/samba/var/log.smbd and - /usr/local/samba/var/log/nmbd - will give you an idea of what's happening. Assuming all is well, lets create - some accounts... - - - - - -User and Machine Accounts -Logon Accounts - - This section is very nearly out of date already ! It - appears that while you are reading it, Jean Francois Micou is making it - redundant ! Jean Francois is adding facilities to add users - (via User Manager) and machines (when joining the domain) and it looks like these facilities will - make it into the official release of 2.2. - - - Every user and NTws (and other samba servers) that will be on the domain - must have its own passwd entry in both /etc/passwd and - /usr/local/samba/private/smbpasswd . - The /etc/passwd entry is really - only to reserve a user ID. The NT encrypted password is stored in - /usr/local/samba/private/smbpasswd. - (Note that win95/98 machines don't need an account as they don't do - any security aware things.) - - Samba 2.2 will now create these entries for us. Carefull set up is required - and there may well be some changes to this system before its released. - - - -Machine Accounts - - There is an entry in the ntdom FAQ explaining how to create - machine entries manually. - - -<emphasis>At present</> to have the machine accounts created when a machine joins - the domain a number of conditions must be met : - -Only root can do it ! - There must be an entry in /usr/local/samba/private/smbpasswd - for root and root must be mentioned in domain admins. This may - be fixed some time in the future so any 'domain admin' can do it. If you don't - like having root as a windows logon account, make the machine - entries manually (both of them). - - - -Use the add user script - Again, this looks a bit like a 'work around'. Use a suitable - command line to add a machine account see above, - and pass it %m$, that is %m to get machine name plus the '$'. Now, this - means you cannot use the add user script to really add users .... - - - -Only for W2K - This automatic creation of machine accounts does not work for - NT4ws at present. Watch this space. - - - - -Joining the Domain - - You must have either added the machine account entries manually (NT4 ws) - or set up the automatic system (W2K), see Machine Accounts - before proceeding. - - -Windows NT - - (this step may not be necessary some time in the near future). - On the samba server that is the PDC, add a machine account manually - as per the instructions in the FAQ - Then give the command smbpasswd -a -m {machine} substituting in the - client machine name. - Logon to the NTws in question as a local admin, go to the - Control Panel, Network IdentificationTag. - Press the Change button. - Enter the Domain name (from the 'Workgroup' parameter, smb.conf) - in the Domain Field. - - Press OK and after a few seconds you will get a 'Welcome to Whatever Domain'. - Allow to reboot. - - - -Windows 2000 - - Logon to the W2k machine as Administrator, go to the Control - Panel and double click on Network and Dialup Connections. - - Pull down the Advanced menu and choose - Network Identification. Press Properties - . - Choose Domain and enter the domain name. Press 'OK'. - Now enter a user name and password for a Domain Admin - (Who must be root until a pre-release bug is fixed) and press - 'OK'. - Wait for the confirmation, reboot when prompted. - - To remove a W2K machine from the domain, follow the first two steps then - choose Workgroup, enter a work group name (or just WORKGROUP) and follow - the prompts. - - - - - - - -User Accounts - - Again, doing it manually (cos' the auto way is not working pre-release). - - In our simple case every domain user should have an account on the PDC. The - account may have a null shell if they are not allowed to log on to the unix - prompt. Again they need an entry in both the /etc/passwd and - /usr/local/samba/private/smbpasswd. Again a password is - not necessary in /etc/passwd but the location - of the home directory is honoured. - To make an entry for a user called Joe Blow you would typically do the following : - - adduser -g users -c 'Joe Blow' -s /bin/false -n joeblow - - smbpasswd -a joeblow - - And you will prompted to enter a password for Joe. Ideally he will be - hovering over your shoulder and will, when asked, type in a password of - his choice. There are a number of scripts and systems to ease the migration of users - from somewhere to samba. Better start looking ! - - -Domain Admin Accounts - - Certain operations demand that the logged on user has Administrator - privileges, typically installing software and - doing maintenance tasks. It is very simple to appoint some users as Domain Admins, - most likely yourself. Make - sure you trust the appointee ! - - Samba 2.2 recognizes particular users as being - domain admins and tells the NTws when it thinks that it has got one logged on. - In the smb.conf file we declare - that the Domain Admin group = @adm. - Any user who is a menber of the unix group 'adm' is treated as a Domain Admin by a NTws when - logged onto the Domain. They will have full Administrator rights - including the rights to change permissions on files and run the system - utilities such as Disk Administrator. Add users to the group by editing - /etc/group/. You do not need to use the 'adm' group, choose any one you like. - - Further, and this is very new, they will be allowed to create a - new machine account when first connecting a new NT or W2K machine to - the domain. However, at present, ie pre-release, only a Domain Admin who - also happens to be root can do so. - - - - - - -Profiles, Policies and Logon Scripts - -Profiles - - NT Profiles should work if you have followed the setup so far. - A user's profile contains a whole lot of their personal settings, - the contents of their desktop, personal 'My Documents' and so on. - When they log off, all of the profile is copied to their directory - on the server and is downloaded again when they logon on again, possibly - on another client machine. - - Sounds great but can be a bit of a bug bear sometimes. Users let - their profiles get too big and then complain about how long it takes - to log on each time. This sample setup only supports NT profiles, - rumor has it that it is also possible to do the same on Win95, my - users don't know and I'm not telling them. - - There is more info about Profiles (including for W95/98) - in the FAQ. - - -Policies - - Policies are an easy way to make or enforce specific characteristics across your network. You create a ntconfig.pol - file and every time someone logs on with their NTws, the settings you put in ntconfig.pol are applied to the NTws. - Typical setting are things like making the date appear the way you want it (none of these 2 figure years here) or - maybe suppressing one of the splash screens. Perhaps you want to set the NTws so it does not keep users profiles - on the local machine. Cool. The only problem is making the ntconfig.pol file itself. You cannot use the policy editor - that comes with NTws. - - See the FAQ for pointers on how to get a suitable Policy Editor. - - The Policy Editor (and associated files) will create a - ntconfig.pol file using the - parameters Microsoft thought of and parameters you specify by making your own - template file. - - In our example configuration here, Samba will expect to find - the ntconfig.pol file in - /usr/local/samba/netlogon. Needless to say (I hope !), - it is vitally important that ordinary users don't have - write permission to the Policy files. - - -Logon Scripts - - In the sample config file above there is a line - logon script = scripts\%U.bat - - Note that the slash is like this '\' not like this '/'. - NT is happy with both, win95 is not ! - - This allows you to run a dos batch file every time someone logs on. The batch - file is located on the server, in the sample install mentioned here, - its in /usr/local/samba/netlogon/scripts and - is named after the user with .bat appended, eg Joe - Blow's script is called /usr/local/samba/netlogon/scripts/joeblow.bat. - - There is a suggestion that user names longer than 8 characters may cause - problems with some systems being unable to run logon scripts. This is confirmed in earlier - versions when connecting using W95, comments about other combinations ?? - - You could use a line like this logon script = default.bat and samba - will supply /usr/local/samba/netlogon/default.bat for any client and every - user. Maybe you could use %m and get a client machine dependant logon script. - You get the idea... - - Note that the file is a dos batch file not a Unix script. It runs dos commands on the client - computer with the logon user's permissions. It must be a dos file with each line ending with - the dos cr/lf not a nice clean newline. Generally, - its best to create the initial file on a DOS system and copy it across. - - There is lots of very clever uses of the Samba replaceable variables such - ( %U = user, %G = primary group, %H = client machine, see the 'man 5 smb.conf') to - give you control over which script runs when a particular person logs - on. (Gee, it would be nice to have a default.bat run when nothing else is available.) - - Again, it is vitally important that ordinary users don't have write - permission to other peoples, or even probably their own, logon script files. - - A typical logon script is reproduced below. Note that it runs separate - commands for win95 and NT, that's because NT has slightly different behaviour - when using the net use .. command. Its useful for lots of - other situations too. I don't know what syntax to use for win98, I don't use it - here. - - - - rem Default logon script, create links to this file. - - net time \\bioserve /set /yes - @echo off - if %OS%.==Windows_NT. goto WinNT - - :Win95 - net use k: \\trillion\bio_prog - net use p: \\bcfile\homes - goto end - :WinNT - net use k: \\trillion\bio_prog /persistent:no - net use p: \\bcfile\homes /persistent:no - - :end - - - - - -Passwords and Authentication - - So far our configuration assumes that ordinary users don't have unix logon access. A change - to the adduser line above would allow unix logon - but it would be with passwords that may - be different from the NT logon. Clearly that won't suit everyone. Trying to explain to users - that they need to change their passwords in two seperate places is not fun. - Further, even if they cannot do a unix logon there are other processes that - might require authentication. We have a nice securely encrypted password in - /usr/local/samba/private/smbpasswd, why not use it ? - -</> -<sect2><title>Syncing Passwords - - Yes, its possible and seems the easiest way (initially anyway). - The FAQ details how to - do so in the sections What is password sync and should I use it ? and - How do I get remote password (unix and SMB) changing working ? - - - -Using PAM - Pam enabled systems have a much better solution available. The Samba - PDC server will offer to authenticate domain users to other processes - (either on this server or on the domain). With a suitable pam stack - such as Pam_smb - you can get any pam aware application looking to the samba password and - can leave the password field in /etc/shadow - or /etc/passwd invalid. - - -Authenticating other Samba Servers - In a domain that has a number of servers you only need one password database. - The machines that don't have their own ask the PDC to check for them. - This will work fine for a domain controlled by either a Samba or NT machine. - - To do so the Samba machine must be told to refer to the PDC and where the PDC is. - See the section in the NTDom FAQ called How do I get my samba server to - become a member ( not PDC ) of an NT domain? - - - - - - - -Background - - -History - - It might help you understand the limitations of the PDC in Samba if you - read something of its history. Well, the history as I understand it anyway. - - For many years the Samba team have been developing Samba, some time ago - a number of people, possibly lead by Luke Leighton started contributing NT - PDC stuff. This was added to the 'head' stream (that would eventually - become the next version) and later to a seperate stream (NTDom). They did so - much that eventually this development stream was so mutated that it could not - be merged back into the main stream and was abandoned towards the end of 1999. - And that was very sad because many users, myself include had become heavily - dependant on the NTController facilities it offered. Oh well... - - The NTDom team continued on with their new found knowledge however and - built the TNG stream. Intended to be carefully controlled so that it can be - merged back into the main stream and benefiting from what they learnt, it is - a very different product to the origional NTDom product. However, for a - number of reasons, the merge did not take place and now TNG is being developed - at http://www.samba-tng.org. - - Now, the NTDom things that the main strean 2.0.x version does is based more - on the old (initial version) abandoned code than on the TNG ideas. It appears - that version 2.2.0 will also include an improved version of the 2.0.7 domain - controller charactistics, not the TNG ways. The developers have indicated - that 2.2.0 will be further developed incrementally and the ideas from TNG - incorporated into it. - - One more little wriggle is worth mentioning. At one stage the NTDom - stream was called Samba 2.1.0-prealpha and similar names. This is most - unfortunate because at least one book published advises people who want to - use NTDom Samba to get version 2.1.0 or later. As main stream Samba will soon - be called 2.2.0 and NOT officially supporting NTDom Controlling functions, - the potential for confusion is certainly there. - - -The Future - - There is a document on the Samba mirrors called 'Development' - . It offers the 'best guess' of what is planned for future releases - of Samba. - - The future of Samba as a Primary Domain Controller appears rosie, however - be aware that its the future, not the present. The developers are strongly committed - to building a full featured PDC into Samba but it will take time. If this - version does not meet your requirements then you should consider (in no particular - order) : - - - Wait. No, we don't know how long. Repeated asking won't help. - Investigate the development versions, TNG perhaps or HEAD where new code is being added - all the time. Realise that development code is often unstable, poorly documented and subject to change. - You will need to use cvs to download development versions. - Join one of the Samba mailing lists so that you can find out - what is happening on the 'bleeding edge'. - - - -Getting further help - - This document cannot possibly answer all your questions. Please understand that its very - likely that someone has been confrounted by the same problem that you have. The - FAQ - discusses a number of possible paths to take to get further help : - - - - Documents on the Samba Sites. - Other web sites. - Mailing list. - - - There is some discussion about guide lines for using the Mailing Lists on the - accompanying FAQ, - please read them before posting. - - - - - - -- cgit