From dfdc9b19f8d0ad5cde6657db6b76b628f5cb9ce2 Mon Sep 17 00:00:00 2001 From: John Terpstra Date: Fri, 25 Apr 2003 15:49:02 +0000 Subject: Adding edits from Vance Lankhaar. (This used to be commit a7788bc3b9ae4aec48bf94ed446e6bc0668863bf) --- docs/docbook/projdoc/ADS-HOWTO.sgml | 40 ++++++++------- docs/docbook/projdoc/DOMAIN_MEMBER.sgml | 10 ++-- docs/docbook/projdoc/NetworkBrowsing.sgml | 2 +- docs/docbook/projdoc/Samba-PDC-HOWTO.sgml | 82 ++++++++++++++++++++++--------- docs/docbook/projdoc/security_level.sgml | 13 ++++- 5 files changed, 99 insertions(+), 48 deletions(-) (limited to 'docs/docbook') diff --git a/docs/docbook/projdoc/ADS-HOWTO.sgml b/docs/docbook/projdoc/ADS-HOWTO.sgml index c36f150112..1ee0ab1962 100644 --- a/docs/docbook/projdoc/ADS-HOWTO.sgml +++ b/docs/docbook/projdoc/ADS-HOWTO.sgml @@ -19,16 +19,16 @@ Windows2000 KDC. You must use at least the following 3 options in smb.conf: - realm = YOUR.KERBEROS.REALM - security = ADS - encrypt passwords = yes + realm = YOUR.KERBEROS.REALM + security = ADS + encrypt passwords = yes In case samba can't figure out your ads server using your realm name, use the ads server option in smb.conf: - ads server = your.kerberos.server + ads server = your.kerberos.server @@ -49,10 +49,10 @@ In case samba can't figure out your ads server using your realm name, use the The minimal configuration for krb5.conf is: -[realms] - YOUR.KERBEROS.REALM = { - kdc = your.kerberos.server - } + [realms] + YOUR.KERBEROS.REALM = { + kdc = your.kerberos.server + } Test your config by doing a kinit @@ -98,7 +98,9 @@ is only needed if you want kerberos support for &smbd; and &winbindd;. As a user that has write permission on the Samba private directory (usually root) run: -net ads join + + net join -U Administrator%password + @@ -106,16 +108,16 @@ As a user that has write permission on the Samba private directory -"ADS support not compiled in" -Samba must be reconfigured (remove config.cache) and recompiled -(make clean all install) after the kerberos libs and headers are installed. - - -net ads join prompts for user name -You need to login to the domain using kinit -USERNAME@REALM. -USERNAME must be a user who has rights to add a machine -to the domain. + "ADS support not compiled in" + Samba must be reconfigured (remove config.cache) and recompiled + (make clean all install) after the kerberos libs and headers are installed. + + + net join prompts for user name + You need to login to the domain using kinit + USERNAME@REALM. + USERNAME must be a user who has rights to add a machine + to the domain. diff --git a/docs/docbook/projdoc/DOMAIN_MEMBER.sgml b/docs/docbook/projdoc/DOMAIN_MEMBER.sgml index 335e5cc7db..cd4168e446 100644 --- a/docs/docbook/projdoc/DOMAIN_MEMBER.sgml +++ b/docs/docbook/projdoc/DOMAIN_MEMBER.sgml @@ -69,9 +69,14 @@ In order to actually join the domain, you must run this command: - root# net rpc join -S DOMPDC + root# net join -S DOMPDC -UAdministrator%password + + If the -S DOMPDC argument is not given then + the domain name will be obtained from smb.conf. + + as we are joining the domain DOM and the PDC for that domain (the only machine that has write access to the domain SAM database) is DOMPDC. The Administrator%password is @@ -123,8 +128,7 @@ Please refer to the Winbind paper for information on a system to automatically assign UNIX uids and gids to Windows NT Domain users and groups. - This code is available in development branches only at the moment, - but will be moved to release branches soon. + The advantage to domain-level security is that the authentication in domain-level security is passed down the authenticated diff --git a/docs/docbook/projdoc/NetworkBrowsing.sgml b/docs/docbook/projdoc/NetworkBrowsing.sgml index e8d1b40710..29768ea42a 100644 --- a/docs/docbook/projdoc/NetworkBrowsing.sgml +++ b/docs/docbook/projdoc/NetworkBrowsing.sgml @@ -8,7 +8,7 @@ Samba / MS Windows Network Browsing Guide -This document contains detailed informataion as well as a fast track guide to +This document contains detailed information as well as a fast track guide to implementing browsing across subnets and / or across workgroups (or domains). WINS is the best tool for resolution of NetBIOS names to IP addesses. WINS is NOT involved in browse list handling except by way of name to address resolution. diff --git a/docs/docbook/projdoc/Samba-PDC-HOWTO.sgml b/docs/docbook/projdoc/Samba-PDC-HOWTO.sgml index 7295a15875..be7a6d5201 100644 --- a/docs/docbook/projdoc/Samba-PDC-HOWTO.sgml +++ b/docs/docbook/projdoc/Samba-PDC-HOWTO.sgml @@ -169,6 +169,11 @@ Here is an example &smb.conf; for acting as a PDC: netbios name = POGO workgroup = NARNIA + ; User and Machine Account Backends + ; Choices are: tdbsam, tdbsam_nua, smbpasswd, smbpasswd_nua, ldapsam, ldapsam_nua, ... + ; mysqlsam, xmlsam, guest + passdb backend = ldapsam, guest + ; we should act as the domain and local master browser os level = 64 preferred master = yes @@ -209,6 +214,20 @@ Here is an example &smb.conf; for acting as a PDC: directory mask = 0700 + +The above parameters make for a full set of parameters that may define the server's mode +of operation. The following parameters are the essentials alone: + + + workgroup = NARNIA + domain logons = Yes + security = User + + +The additional parameters shown in the longer listing above just makes for a +more complete environment. + + There are a couple of points to emphasize in the above configuration. @@ -264,13 +283,13 @@ shared secret with the domain controller. A Windows PDC stores each machine trust account in the Windows Registry. A Samba-3 PDC also has to store machine trust account information -in a suitable back-end data store. With Samba-3 there can be multiple back-ends +in a suitable backend data store. With Samba-3 there can be multiple back-ends for this including: - smbpaswd - the plain ascii file stored used by + smbpasswd - the plain ascii file stored used by earlier versions of Samba. This file configuration option requires a Unix/Linux system account for EVERY entry (ie: both for user and for machine accounts). This file will be located in the private @@ -311,9 +330,16 @@ for this including: -Read the chapter about the User Database +Read the chapter about the User Database for details. + +The new tdbsam and ldapsam account backends store vastly more information than +smbpasswd is capable of. The new backend database includes capacity to specify +per user settings for many parameters, over-riding global settings given in the +smb.conf file. eg: logon drive, logon home, logon path, etc. + + A Samba PDC, however, stores each machine trust account in two parts, as follows: @@ -420,7 +446,7 @@ the corresponding Unix account. equivalent of creating a machine trust account on a Windows NT PDC using the "Server Manager". From the time at which the account is created to the time which the client joins the domain and changes the password, - your domain is vulnerable to an intruder joining your domain using a + your domain is vulnerable to an intruder joining your domain using a machine with the same NetBIOS name. A PDC inherently trusts members of the domain and will serve out a large degree of user information to such clients. You have been warned! @@ -469,20 +495,22 @@ version of Windows. Windows 2000 - When the user elects to join the client to a domain, Windows prompts for - an account and password that is privileged to join the domain. A - Samba administrative account (i.e., a Samba account that has root - privileges on the Samba server) must be entered here; the - operation will fail if an ordinary user account is given. - The password for this account should be - set to a different password than the associated - /etc/passwd entry, for security - reasons. - - The session key of the Samba administrative account acts as an + + When the user elects to join the client to a domain, Windows prompts for + an account and password that is privileged to join the domain. A Samba administrative + account (i.e., a Samba account that has root privileges on the Samba server) must be + entered here; the operation will fail if an ordinary user account is given. + The password for this account should be set to a different password than the associated + /etc/passwd entry, for security reasons. + + + + The session key of the Samba administrative account acts as an encryption key for setting the password of the machine trust account. The machine trust account will be created on-the-fly, or - updated if it already exists. + updated if it already exists. + + Windows NT @@ -522,11 +550,9 @@ systems?) won't create a user with a '$' in their name. -The problem is only in the program used to make the entry, once -made, it works perfectly. So create a user without the '$' and -use vipw to edit the entry, adding the '$'. Or create -the whole entry with vipw if you like, make sure you use a -unique User ID ! +The problem is only in the program used to make the entry. Once made, it works perfectly. +Create a user without the '$' using vipw to edit the entry, adding +the '$'. Or create the whole entry with vipw if you like, make sure you use a unique User ID! @@ -547,7 +573,7 @@ will remove all network drive connections: -Further, if the machine is a already a 'member of a workgroup' that +Further, if the machine is already a 'member of a workgroup' that is the same name as the domain you are joining (bad idea) you will get this message. Change the workgroup name to something else, it does not matter what, reboot, and try again. @@ -569,8 +595,18 @@ is changed. The most common cause of a change in domain SID is when the domain name and/or the server name (netbios name) is changed. The only way to correct the problem is to restore the original domain SID or remove the domain client from the domain and rejoin. The domain -SID may be reset using either the smbpasswd or rpcclient utilities. +SID may be reset using either the net or rpcclient utilities. + + + +The reset or change the domain SID you can use the net command as follows: + + + net getlocalsid 'OLDNAME' + net setlocalsid 'SID' + + diff --git a/docs/docbook/projdoc/security_level.sgml b/docs/docbook/projdoc/security_level.sgml index e840ff6c17..a59392bbac 100644 --- a/docs/docbook/projdoc/security_level.sgml +++ b/docs/docbook/projdoc/security_level.sgml @@ -128,6 +128,13 @@ That real authentication server can be another Samba server or can be a Windows NT server, the later natively capable of encrypted password support. + +Server level security is incompatible with what is known +as schannel or "sign and seal" protocols. This means that +if you want to use server level security you must disable +the use of "sign and seal" on all machines on your network. + + Configuring Samba for Seemless Windows Network Integration @@ -270,7 +277,7 @@ all authentication requests to be passed through to the domain controllers. Samba as a member of an MS Windows NT security domain -This method involves additon of the following paramters in the &smb.conf; file: +This method involves addition of the following parameters in the &smb.conf; file: @@ -297,7 +304,9 @@ MS Windows NT security domain. This is done as follows: Next, on the Linux system execute: - smbpasswd -r PDC_NAME -j DOMAIN_NAME + smbpasswd -r PDC_NAME -j DOMAIN_NAME (samba 2.x) + + net join -U administrator%password (samba-3) -- cgit