From bf87f30253438bb31b6bcce66673b38b06e810d3 Mon Sep 17 00:00:00 2001
From: John Terpstra
Date: Tue, 6 May 2003 06:03:58 +0000
Subject: Hackety, hackety, hack. More edits.

(This used to be commit b41b42ca31486aba39edb726fc30b0f48b618e3f)
---
 docs/docbook/projdoc/DOMAIN_MEMBER.xml | 222 ++++++++++++++++++++++++++++++++-
 1 file changed, 221 insertions(+), 1 deletion(-)

diff --git a/docs/docbook/projdoc/DOMAIN_MEMBER.xml b/docs/docbook/projdoc/DOMAIN_MEMBER.xml
index 6a3ef28b55..f12936a215 100644
--- a/docs/docbook/projdoc/DOMAIN_MEMBER.xml
+++ b/docs/docbook/projdoc/DOMAIN_MEMBER.xml
@@ -179,7 +179,227 @@ LinuxWorld as the article Doing the NIS/NT Samba. + + + +Machine Trust Accounts and Domain Membership + + +A machine trust account is an account that is used to authenticate a client machine +(rather than a user) to the Domain Controller server. In Windows terminology, +this is known as a "Computer Account." + + +The password of a machine trust account acts as the shared secret for +secure communication with the Domain Controller. This is a security +feature to prevent an unauthorized machine with the same NetBIOS name +from joining the domain and gaining access to domain user/group +accounts. Windows NT, 200x, XP Professional clients use machine trust +accounts, but Windows 9x / Me / XP Home clients do not. Hence, a +Windows 9x / Me / XP Home client is never a true member of a domain +because it does not possess a machine trust account, and thus has no +shared secret with the domain controller. + + +A Windows NT4 PDC stores each machine trust account in the Windows +Registry. The introduction of MS Windows 2000 saw the introduction of Active Directory, +the new repository for machine trust accounts. + + + +A Samba PDC, however, stores each machine trust account in two parts, +as follows: + + + A Samba account, stored in the same location as user + LanMan and NT password hashes (currently smbpasswd). + The Samba account possesses and uses only the NT password hash. + + A corresponding Unix account, typically stored in + /etc/passwd. (Future releases will alleviate the need to + create /etc/passwd entries.) + + + + +There are two ways to create machine trust accounts: + + + + Manual creation. Both the Samba and corresponding + Unix account are created by hand. + + "On-the-fly" creation. The Samba machine trust + account is automatically created by Samba at the time the client + is joined to the domain. (For security, this is the + recommended method.) The corresponding Unix account may be + created automatically or manually. 
+ + + + + +Manual Creation of Machine Trust Accounts + + +The first step in manually creating a machine trust account is to +manually create the corresponding Unix account in +/etc/passwd. This can be done using +vipw or other 'add user' command that is normally +used to create new Unix accounts. The following is an example for a +Linux based Samba server: + + + + root# /usr/sbin/useradd -g 100 -d /dev/null -c "machine +nickname" -s /bin/false machine_name$ + + +root# passwd -l machine_name$ + + +On *BSD systems, this can be done using the 'chpass' utility: + + +root# chpass -a "machine_name$:*:101:100::0:0:Workstation machine_name:/dev/null:/sbin/nologin" + + + +The /etc/passwd entry will list the machine name +with a "$" appended, won't have a password, will have a null shell and no +home directory. For example a machine named 'doppy' would have an +/etc/passwd entry like this: + + + +doppy$:x:505:501:machine_nickname:/dev/null:/bin/false + + + +Above, machine_nickname can be any +descriptive name for the client, i.e., BasementComputer. +machine_name absolutely must be the NetBIOS +name of the client to be joined to the domain. The "$" must be +appended to the NetBIOS name of the client or Samba will not recognize +this as a machine trust account. + + + +Now that the corresponding Unix account has been created, the next step is to create +the Samba account for the client containing the well-known initial +machine trust account password. This can be done using the smbpasswd(8) command +as shown here: + + + +root# smbpasswd -a -m machine_name + + +where machine_name is the machine's NetBIOS +name. The RID of the new machine account is generated from the UID of +the corresponding Unix account. + + + + Join the client to the domain immediately + + + Manually creating a machine trust account using this method is the + equivalent of creating a machine trust account on a Windows NT PDC using + the "Server Manager". 
From the time at which the account is created + to the time which the client joins the domain and changes the password, + your domain is vulnerable to an intruder joining your domain using + a machine with the same NetBIOS name. A PDC inherently trusts + members of the domain and will serve out a large degree of user + information to such clients. You have been warned! + + + + + + +"On-the-Fly" Creation of Machine Trust Accounts + + +The second (and recommended) way of creating machine trust accounts is +simply to allow the Samba server to create them as needed when the client +is joined to the domain. + +Since each Samba machine trust account requires a corresponding +Unix account, a method for automatically creating the +Unix account is usually supplied; this requires configuration of the +add machine script +option in smb.conf. This +method is not required, however; corresponding Unix accounts may also +be created manually. + + + + +Below is an example for a RedHat Linux system. + + + +[global] + # <...remainder of parameters...> + add machine script = /usr/sbin/useradd -d /dev/null -g 100 -s /bin/false -M %u + + + + + +Joining the Client to the Domain + + +The procedure for joining a client to the domain varies with the version of Windows. + + + +Windows 2000 + + + When the user elects to join the client to a domain, Windows prompts for + an account and password that is privileged to join the domain. A Samba administrative + account (i.e., a Samba account that has root privileges on the Samba server) must be + entered here; the operation will fail if an ordinary user account is given. + The password for this account should be set to a different password than the associated + /etc/passwd entry, for security reasons. + + + + The session key of the Samba administrative account acts as an + encryption key for setting the password of the machine trust + account. The machine trust account will be created on-the-fly, or + updated if it already exists. 
+ + + + +Windows NT + + If the machine trust account was created manually, on the + Identification Changes menu enter the domain name, but do not + check the box "Create a Computer Account in the Domain." In this case, + the existing machine trust account is used to join the machine to + the domain. + + If the machine trust account is to be created + on-the-fly, on the Identification Changes menu enter the domain + name, and check the box "Create a Computer Account in the Domain." In + this case, joining the domain proceeds as above for Windows 2000 + (i.e., you must supply a Samba administrative account when + prompted). + + +Samba + Joining a samba client to a domain is documented in + the Domain Member chapter. + + + + @@ -196,7 +416,7 @@ Windows2000 KDC. You must use at least the following 3 options in smb.conf: - realm = YOUR.KERBEROS.REALM + realm = your.kerberos.REALM security = ADS encrypt passwords = yes -- cgit
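Review bot: the "Samba" subsection at the end of the first hunk sends the reader to "the Domain Member chapter" for joining a Samba client to a domain, but this hunk is itself being added to DOMAIN_MEMBER.xml, so the cross-reference points at the chapter the reader is already in; make it an in-chapter reference to the relevant section or drop the subsection. Two smaller points in the manual-creation section: the useradd example wraps its quoted comment across a line break (`-c "machine` / `nickname"`), which renders as a two-line command with a literal newline inside the -c argument, so keep it on one line; and the sample /etc/passwd entry for doppy$ shows gid 501 while the useradd and chpass examples just above create the account with gid 100, which will confuse readers comparing the two. Since the warning box stresses that the account is exposed from the moment it is created until the client joins and changes the well-known initial password, the on-the-fly section could state plainly that the add machine script runs at join time, which is exactly why that method closes the window the warning describes.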
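Review bot: changing the placeholder from YOUR.KERBEROS.REALM to your.kerberos.REALM on the realm = line is a step backwards: Kerberos realm names are case-sensitive and are conventionally written entirely in upper case (normally the DNS domain name upper-cased), so a reader who copies the mixed-case form risks configuring a realm that does not match what the Windows 2000 KDC named in the surrounding context expects. Suggest keeping the all-uppercase placeholder, or, if the intent was to show which part of the name is significant, spelling that out in the prose rather than in the example value.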