From 0e97dec5949c5b5401391d3267f04898fa796d56 Mon Sep 17 00:00:00 2001 From: John Terpstra Date: Sat, 3 May 2003 05:51:54 +0000 Subject: Re-arrangement of Chapters 3-8, merges, updates - first installment only. (This used to be commit 549b047994bbaacc8e2e847c80bcb307c9f4a565) --- docs/docbook/projdoc/DOMAIN_MEMBER.xml | 472 +++++++++++++++++++++++---------- 1 file changed, 328 insertions(+), 144 deletions(-) (limited to 'docs/docbook/projdoc/DOMAIN_MEMBER.xml') diff --git a/docs/docbook/projdoc/DOMAIN_MEMBER.xml b/docs/docbook/projdoc/DOMAIN_MEMBER.xml index a5921e8ce3..6a3ef28b55 100644 --- a/docs/docbook/projdoc/DOMAIN_MEMBER.xml +++ b/docs/docbook/projdoc/DOMAIN_MEMBER.xml @@ -3,159 +3,343 @@ &author.jeremy; &author.jerry; - 16 Apr 2001 + &author.jht; - -Samba as a NT4 or Win2k domain member +Domain Membership +Domain Member Server + + +This mode of server operation involves the samba machine being made a member +of a domain security context. This means by definition that all user authentication +will be done from a centrally defined authentication regime. The authentication +regime may come from an NT3/4 style (old domain technology) server, or it may be +provided from an Active Directory server (ADS) running on MS Windows 2000 or later. + + + +Of course it should be clear that the authentication back end itself could be from any +distributed directory architecture server that is supported by Samba. This can be +LDAP (from OpenLDAP), or Sun's iPlanet, of NetWare Directory Server, etc. + + + +Please refer to the section on Howto configure Samba as a Primary Domain Controller +and for more information regarding how to create a domain machine account for a +domain member server as well as for information regarding how to enable the samba +domain member machine to join the domain and to be fully trusted by it. + - Joining an NT Domain with Samba 3.0 - Assumptions: - - NetBIOS name: SERV1 - Win2K/NT domain name: DOM - Domain's PDC NetBIOS name: DOMPDC - Domain's BDC NetBIOS names: DOMBDC1 and DOMBDC2 - - - - First, you must edit your &smb.conf; file to tell Samba it should - now use domain security. - - Change (or add) your - security = line in the [global] section - of your &smb.conf; to read: - - security = domain - - Next change the - workgroup = line in the [global] section to read: - - workgroup = DOM - - as this is the name of the domain we are joining. - - You must also have the parameter - encrypt passwords set to yes - in order for your users to authenticate to the NT PDC. - - Finally, add (or modify) a - password server = line in the [global] - section to read: - - password server = DOMPDC DOMBDC1 DOMBDC2 - - These are the primary and backup domain controllers Samba - will attempt to contact in order to authenticate users. Samba will - try to contact each of these servers in order, so you may want to - rearrange this list in order to spread out the authentication load - among domain controllers. - - Alternatively, if you want smbd to automatically determine - the list of Domain controllers to use for authentication, you may - set this line to be : - - password server = * - - This method, allows Samba to use exactly the same - mechanism that NT does. This - method either broadcasts or uses a WINS database in order to - find domain controllers to authenticate against. - - In order to actually join the domain, you must run this - command: - - root# net join -S DOMPDC - -UAdministrator%password - - - If the -S DOMPDC argument is not given then - the domain name will be obtained from smb.conf. - - - as we are joining the domain DOM and the PDC for that domain - (the only machine that has write access to the domain SAM database) - is DOMPDC. The Administrator%password is - the login name and password for an account which has the necessary - privilege to add machines to the domain. If this is successful - you will see the message: - - Joined domain DOM. - or Joined 'SERV1' to realm 'MYREALM' - - - in your terminal window. See the - net(8) man page for more details. - - This process joins the server to the domain - without having to create the machine trust account on the PDC - beforehand. - - This command goes through the machine account password - change protocol, then writes the new (random) machine account - password for this Samba server into a file in the same directory - in which an smbpasswd file would be stored - normally : - - /usr/local/samba/private/secrets.tdb - - This file is created and owned by root and is not - readable by any other user. It is the key to the domain-level - security for your system, and should be treated as carefully - as a shadow password file. - - Finally, restart your Samba daemons and get ready for - clients to begin using domain security! - Why is this better than security = server? - - Currently, domain security in Samba doesn't free you from - having to create local Unix users to represent the users attaching - to your server. This means that if domain user DOM\fred - attaches to your domain security Samba server, there needs - to be a local Unix user fred to represent that user in the Unix - filesystem. This is very similar to the older Samba security mode - security = server, - where Samba would pass through the authentication request to a Windows - NT server in the same way as a Windows 95 or Windows 98 server would. - - - Please refer to the Winbind - paper for information on a system to automatically - assign UNIX uids and gids to Windows NT Domain users and groups. - - - The advantage to domain-level security is that the - authentication in domain-level security is passed down the authenticated - RPC channel in exactly the same way that an NT server would do it. This - means Samba servers now participate in domain trust relationships in - exactly the same way NT servers do (i.e., you can add Samba servers into - a resource domain and have the authentication passed on from a resource - domain PDC to an account domain PDC). - - In addition, with security = server every Samba - daemon on a server has to keep a connection open to the - authenticating server for as long as that daemon lasts. This can drain - the connection resources on a Microsoft NT server and cause it to run - out of available connections. With security = domain, - however, the Samba daemons connect to the PDC/BDC only for as long - as is necessary to authenticate the user, and then drop the connection, - thus conserving PDC connection resources. - - And finally, acting in the same manner as an NT server - authenticating to a PDC means that as part of the authentication - reply, the Samba server gets the user identification information such - as the user SID, the list of NT groups the user belongs to, etc. - - Much of the text of this document - was first published in the Web magazine - LinuxWorld as the article Doing - the NIS/NT Samba. +Joining an NT4 type Domain with Samba-3 +Assumptions: + + NetBIOS name: SERV1 + Win2K/NT domain name: DOM + Domain's PDC NetBIOS name: DOMPDC + Domain's BDC NetBIOS names: DOMBDC1 and DOMBDC2 + + + +First, you must edit your &smb.conf; file to tell Samba it should +now use domain security. + +Change (or add) your +security = line in the [global] section +of your &smb.conf; to read: + +security = domain + +Next change the +workgroup = line in the [global] section to read: + +workgroup = DOM + +as this is the name of the domain we are joining. + +You must also have the parameter +encrypt passwords set to yes + in order for your users to authenticate to the NT PDC. + +Finally, add (or modify) a +password server = line in the [global] +section to read: + +password server = DOMPDC DOMBDC1 DOMBDC2 + +These are the primary and backup domain controllers Samba +will attempt to contact in order to authenticate users. Samba will +try to contact each of these servers in order, so you may want to +rearrange this list in order to spread out the authentication load +among domain controllers. + +Alternatively, if you want smbd to automatically determine +the list of Domain controllers to use for authentication, you may +set this line to be : + +password server = * + +This method, allows Samba to use exactly the same +mechanism that NT does. This +method either broadcasts or uses a WINS database in order to +find domain controllers to authenticate against. + +In order to actually join the domain, you must run this +command: + +root# net join -S DOMPDC +-UAdministrator%password + + +If the -S DOMPDC argument is not given then +the domain name will be obtained from smb.conf. + + +as we are joining the domain DOM and the PDC for that domain +(the only machine that has write access to the domain SAM database) +is DOMPDC. The Administrator%password is +the login name and password for an account which has the necessary +privilege to add machines to the domain. If this is successful +you will see the message: + +Joined domain DOM. +or Joined 'SERV1' to realm 'MYREALM' + + +in your terminal window. See the +net(8) man page for more details. + +This process joins the server to the domain +without having to create the machine trust account on the PDC +beforehand. + +This command goes through the machine account password +change protocol, then writes the new (random) machine account +password for this Samba server into a file in the same directory +in which an smbpasswd file would be stored - normally : + +/usr/local/samba/private/secrets.tdb + +This file is created and owned by root and is not +readable by any other user. It is the key to the domain-level +security for your system, and should be treated as carefully +as a shadow password file. + +Finally, restart your Samba daemons and get ready for +clients to begin using domain security! + + +Why is this better than security = server? + +Currently, domain security in Samba doesn't free you from +having to create local Unix users to represent the users attaching +to your server. This means that if domain user DOM\fred + attaches to your domain security Samba server, there needs +to be a local Unix user fred to represent that user in the Unix +filesystem. This is very similar to the older Samba security mode +security = server, +where Samba would pass through the authentication request to a Windows +NT server in the same way as a Windows 95 or Windows 98 server would. + + +Please refer to the Winbind +paper for information on a system to automatically +assign UNIX uids and gids to Windows NT Domain users and groups. + + +The advantage to domain-level security is that the +authentication in domain-level security is passed down the authenticated +RPC channel in exactly the same way that an NT server would do it. This +means Samba servers now participate in domain trust relationships in +exactly the same way NT servers do (i.e., you can add Samba servers into +a resource domain and have the authentication passed on from a resource +domain PDC to an account domain PDC). + +In addition, with security = server every Samba +daemon on a server has to keep a connection open to the +authenticating server for as long as that daemon lasts. This can drain +the connection resources on a Microsoft NT server and cause it to run +out of available connections. With security = domain, +however, the Samba daemons connect to the PDC/BDC only for as long +as is necessary to authenticate the user, and then drop the connection, +thus conserving PDC connection resources. + +And finally, acting in the same manner as an NT server +authenticating to a PDC means that as part of the authentication +reply, the Samba server gets the user identification information such +as the user SID, the list of NT groups the user belongs to, etc. + + Much of the text of this document +was first published in the Web magazine +LinuxWorld as the article Doing +the NIS/NT Samba. + + +Samba ADS Domain Membership + + +This is a rough guide to setting up Samba 3.0 with kerberos authentication against a +Windows2000 KDC. + + + +Setup your <filename>smb.conf</filename> + +You must use at least the following 3 options in smb.conf: + + + realm = YOUR.KERBEROS.REALM + security = ADS + encrypt passwords = yes + + + +In case samba can't figure out your ads server using your realm name, use the +ads server option in smb.conf: + + ads server = your.kerberos.server + + + +You do *not* need a smbpasswd file, and older clients will + be authenticated as if security = domain, + although it won't do any harm + and allows you to have local users not in the domain. + I expect that the above required options will change soon when we get better + active directory integration. + + + + +Setup your <filename>/etc/krb5.conf</filename> + +Note: you will need the krb5 workstation, devel, and libs installed + +The minimal configuration for krb5.conf is: + + + [realms] + YOUR.KERBEROS.REALM = { + kdc = your.kerberos.server + } + + +Test your config by doing a kinit +USERNAME@REALM and +making sure that your password is accepted by the Win2000 KDC. + + +The realm must be uppercase or you will get "Cannot find KDC for requested +realm while getting initial credentials" error + +Time between the two servers must be synchronized. You will get a +"kinit(v5): Clock skew too great while getting initial credentials" if the time +difference is more than five minutes. + + +You also must ensure that you can do a reverse DNS lookup on the IP +address of your KDC. Also, the name that this reverse lookup maps to +must either be the netbios name of the KDC (ie. the hostname with no +domain attached) or it can alternatively be the netbios name +followed by the realm. + + + +The easiest way to ensure you get this right is to add a +/etc/hosts entry mapping the IP address of your KDC to +its netbios name. If you don't get this right then you will get a +"local error" when you try to join the realm. + + + +If all you want is kerberos support in &smbclient; then you can skip +straight to Test with &smbclient; now. +Creating a computer account +and testing your servers +is only needed if you want kerberos support for &smbd; and &winbindd;. + + + + + +Create the computer account + + +As a user that has write permission on the Samba private directory +(usually root) run: + + net join -U Administrator%password + + + + +Possible errors + + + + "ADS support not compiled in" + Samba must be reconfigured (remove config.cache) and recompiled + (make clean all install) after the kerberos libs and headers are installed. + + + net join prompts for user name + You need to login to the domain using kinit + USERNAME@REALM. + USERNAME must be a user who has rights to add a machine + to the domain. + + + + + + + + +Test your server setup + + +If the join was successful, you will see a new computer account with the +NetBIOS name of your Samba server in Active Directory (in the "Computers" +folder under Users and Computers. + + + +On a Windows 2000 client try net use * \\server\share. You should +be logged in with kerberos without needing to know a password. If +this fails then run klist tickets. Did you get a ticket for the +server? Does it have an encoding type of DES-CBC-MD5 ? + + + + + +Testing with &smbclient; + + +On your Samba server try to login to a Win2000 server or your Samba +server using &smbclient; and kerberos. Use &smbclient; as usual, but +specify the -k option to choose kerberos authentication. + + + + + +Notes + +You must change administrator password at least once after DC +install, to create the right encoding types + +w2k doesn't seem to create the _kerberos._udp and _ldap._tcp in + their defaults DNS setup. Maybe fixed in service packs? + + + -- cgit