From 53b16591832dc07e9e15a9078f08a899503bbaa6 Mon Sep 17 00:00:00 2001
From: Gerald Carter <jerry@samba.org>
Date: Wed, 2 Oct 2002 14:08:40 +0000
Subject: newly generated docs; removing old ones (This used to be commit
 d72538fd14b8d00ea07f19464b4f3a3d93445cbf)

---
 docs/htmldocs/domain-security.html | 475 +++++++++++++++++++++++++++++++++++++
 1 file changed, 475 insertions(+)
 create mode 100644 docs/htmldocs/domain-security.html

(limited to 'docs/htmldocs/domain-security.html')

diff --git a/docs/htmldocs/domain-security.html b/docs/htmldocs/domain-security.html
new file mode 100644
index 0000000000..653bbed47e
--- /dev/null
+++ b/docs/htmldocs/domain-security.html
@@ -0,0 +1,475 @@
+<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
+<HTML
+><HEAD
+><TITLE
+>security = domain in Samba 2.x</TITLE
+><META
+NAME="GENERATOR"
+CONTENT="Modular DocBook HTML Stylesheet Version 1.76b+
+"><LINK
+REL="HOME"
+TITLE="SAMBA Project Documentation"
+HREF="Samba-HOWTO.html"><LINK
+REL="PREVIOUS"
+TITLE="Security levels"
+HREF="securitylevels.html"><LINK
+REL="NEXT"
+TITLE="Unified Logons between Windows NT and UNIX using Winbind"
+HREF="winbind.html"></HEAD
+><BODY
+CLASS="CHAPTER"
+BGCOLOR="#FFFFFF"
+TEXT="#000000"
+LINK="#0000FF"
+VLINK="#840084"
+ALINK="#0000FF"
+><DIV
+CLASS="NAVHEADER"
+><TABLE
+SUMMARY="Header navigation table"
+WIDTH="100%"
+BORDER="0"
+CELLPADDING="0"
+CELLSPACING="0"
+><TR
+><TH
+COLSPAN="3"
+ALIGN="center"
+>SAMBA Project Documentation</TH
+></TR
+><TR
+><TD
+WIDTH="10%"
+ALIGN="left"
+VALIGN="bottom"
+><A
+HREF="securitylevels.html"
+ACCESSKEY="P"
+>Prev</A
+></TD
+><TD
+WIDTH="80%"
+ALIGN="center"
+VALIGN="bottom"
+></TD
+><TD
+WIDTH="10%"
+ALIGN="right"
+VALIGN="bottom"
+><A
+HREF="winbind.html"
+ACCESSKEY="N"
+>Next</A
+></TD
+></TR
+></TABLE
+><HR
+ALIGN="LEFT"
+WIDTH="100%"></DIV
+><DIV
+CLASS="CHAPTER"
+><H1
+><A
+NAME="DOMAIN-SECURITY">Chapter 10. security = domain in Samba 2.x</H1
+><DIV
+CLASS="SECT1"
+><H1
+CLASS="SECT1"
+><A
+NAME="AEN1272">10.1. Joining an NT Domain with Samba 2.2</H1
+><P
+>Assume you have a Samba 2.x server with a NetBIOS name of 
+	<TT
+CLASS="CONSTANT"
+>SERV1</TT
+> and are joining an NT domain called
+	<TT
+CLASS="CONSTANT"
+>DOM</TT
+>, which has a PDC with a NetBIOS name
+	of <TT
+CLASS="CONSTANT"
+>DOMPDC</TT
+> and two backup domain controllers 
+	with NetBIOS names <TT
+CLASS="CONSTANT"
+>DOMBDC1</TT
+> and <TT
+CLASS="CONSTANT"
+>DOMBDC2
+	</TT
+>.</P
+><P
+>In order to join the domain, first stop all Samba daemons 
+	and run the command:</P
+><P
+><TT
+CLASS="PROMPT"
+>root# </TT
+><TT
+CLASS="USERINPUT"
+><B
+>smbpasswd -j DOM -r DOMPDC
+	-U<TT
+CLASS="REPLACEABLE"
+><I
+>Administrator%password</I
+></TT
+></B
+></TT
+></P
+><P
+>as we are joining the domain DOM and the PDC for that domain 
+	(the only machine that has write access to the domain SAM database) 
+	is DOMPDC. The <TT
+CLASS="REPLACEABLE"
+><I
+>Administrator%password</I
+></TT
+> is 
+	the login name and password for an account which has the necessary 
+	privilege to add machines to the domain.  If this is successful 
+	you will see the message:</P
+><P
+><TT
+CLASS="COMPUTEROUTPUT"
+>smbpasswd: Joined domain DOM.</TT
+>
+	</P
+><P
+>in your terminal window. See the <A
+HREF="smbpasswd.8.html"
+TARGET="_top"
+>	smbpasswd(8)</A
+> man page for more details.</P
+><P
+>There is existing development code to join a domain
+	without having to create the machine trust account on the PDC
+	beforehand.  This code will hopefully be available soon
+	in release branches as well.</P
+><P
+>This command goes through the machine account password 
+	change protocol, then writes the new (random) machine account 
+	password for this Samba server into a file in the same directory 
+	in which an smbpasswd file would be stored - normally :</P
+><P
+><TT
+CLASS="FILENAME"
+>/usr/local/samba/private</TT
+></P
+><P
+>In Samba 2.0.x, the filename looks like this:</P
+><P
+><TT
+CLASS="FILENAME"
+><TT
+CLASS="REPLACEABLE"
+><I
+>&lt;NT DOMAIN NAME&gt;</I
+></TT
+>.<TT
+CLASS="REPLACEABLE"
+><I
+>&lt;Samba 
+	Server Name&gt;</I
+></TT
+>.mac</TT
+></P
+><P
+>The <TT
+CLASS="FILENAME"
+>.mac</TT
+> suffix stands for machine account 
+	password file. So in our example above, the file would be called:</P
+><P
+><TT
+CLASS="FILENAME"
+>DOM.SERV1.mac</TT
+></P
+><P
+>In Samba 2.2, this file has been replaced with a TDB 
+	(Trivial Database) file named <TT
+CLASS="FILENAME"
+>secrets.tdb</TT
+>.
+	</P
+><P
+>This file is created and owned by root and is not 
+	readable by any other user. It is the key to the domain-level 
+	security for your system, and should be treated as carefully 
+	as a shadow password file.</P
+><P
+>Now, before restarting the Samba daemons you must 
+	edit your <A
+HREF="smb.conf.5.html"
+TARGET="_top"
+><TT
+CLASS="FILENAME"
+>smb.conf(5)</TT
+>
+	</A
+> file to tell Samba it should now use domain security.</P
+><P
+>Change (or add) your <A
+HREF="smb.conf.5.html#SECURITY"
+TARGET="_top"
+>	<TT
+CLASS="PARAMETER"
+><I
+>security =</I
+></TT
+></A
+> line in the [global] section 
+	of your smb.conf to read:</P
+><P
+><B
+CLASS="COMMAND"
+>security = domain</B
+></P
+><P
+>Next change the <A
+HREF="smb.conf.5.html#WORKGROUP"
+TARGET="_top"
+><TT
+CLASS="PARAMETER"
+><I
+>	workgroup =</I
+></TT
+></A
+> line in the [global] section to read: </P
+><P
+><B
+CLASS="COMMAND"
+>workgroup = DOM</B
+></P
+><P
+>as this is the name of the domain we are joining. </P
+><P
+>You must also have the parameter <A
+HREF="smb.conf.5.html#ENCRYPTPASSWORDS"
+TARGET="_top"
+>	<TT
+CLASS="PARAMETER"
+><I
+>encrypt passwords</I
+></TT
+></A
+> set to <TT
+CLASS="CONSTANT"
+>yes
+	</TT
+> in order for your users to authenticate to the NT PDC.</P
+><P
+>Finally, add (or modify) a <A
+HREF="smb.conf.5.html#PASSWORDSERVER"
+TARGET="_top"
+>	<TT
+CLASS="PARAMETER"
+><I
+>password server =</I
+></TT
+></A
+> line in the [global]
+	section to read: </P
+><P
+><B
+CLASS="COMMAND"
+>password server = DOMPDC DOMBDC1 DOMBDC2</B
+></P
+><P
+>These are the primary and backup domain controllers Samba 
+	will attempt to contact in order to authenticate users. Samba will 
+	try to contact each of these servers in order, so you may want to 
+	rearrange this list in order to spread out the authentication load 
+	among domain controllers.</P
+><P
+>Alternatively, if you want smbd to automatically determine 
+	the list of Domain controllers to use for authentication, you may 
+	set this line to be :</P
+><P
+><B
+CLASS="COMMAND"
+>password server = *</B
+></P
+><P
+>This method, which was introduced in Samba 2.0.6, 
+	allows Samba to use exactly the same mechanism that NT does. This 
+	method either broadcasts or uses a WINS database in order to
+	find domain controllers to authenticate against.</P
+><P
+>Finally, restart your Samba daemons and get ready for 
+	clients to begin using domain security!</P
+></DIV
+><DIV
+CLASS="SECT1"
+><H1
+CLASS="SECT1"
+><A
+NAME="AEN1336">10.2. Samba and Windows 2000 Domains</H1
+><P
+>Many people have asked regarding the state of Samba's ability to participate in
+a Windows 2000 Domain.  Samba 2.2 is able to act as a member server of a Windows
+2000 domain operating in mixed or native mode.</P
+><P
+>There is much confusion between the circumstances that require a "mixed" mode
+Win2k DC and a when this host can be switched to "native" mode.  A "mixed" mode
+Win2k domain controller is only needed if Windows NT BDCs must exist in the same
+domain.  By default, a Win2k DC in "native" mode will still support
+NetBIOS and NTLMv1 for authentication of legacy clients such as Windows 9x and 
+NT 4.0.  Samba has the same requirements as a Windows NT 4.0 member server.</P
+><P
+>The steps for adding a Samba 2.2 host to a Win2k domain are the same as those
+for adding a Samba server to a Windows NT 4.0 domain. The only exception is that 
+the "Server Manager" from NT 4 has been replaced by the "Active Directory Users and 
+Computers" MMC (Microsoft Management Console) plugin.</P
+></DIV
+><DIV
+CLASS="SECT1"
+><H1
+CLASS="SECT1"
+><A
+NAME="AEN1341">10.3. Why is this better than security = server?</H1
+><P
+>Currently, domain security in Samba doesn't free you from 
+	having to create local Unix users to represent the users attaching 
+	to your server. This means that if domain user <TT
+CLASS="CONSTANT"
+>DOM\fred
+	</TT
+> attaches to your domain security Samba server, there needs 
+	to be a local Unix user fred to represent that user in the Unix 
+	filesystem. This is very similar to the older Samba security mode 
+	<A
+HREF="smb.conf.5.html#SECURITYEQUALSSERVER"
+TARGET="_top"
+>security = server</A
+>, 
+	where Samba would pass through the authentication request to a Windows 
+	NT server in the same way as a Windows 95 or Windows 98 server would.
+	</P
+><P
+>Please refer to the <A
+HREF="winbind.html"
+TARGET="_top"
+>Winbind 
+	paper</A
+> for information on a system to automatically
+	assign UNIX uids and gids to Windows NT Domain users and groups.
+	This code is available in development branches only at the moment,
+	but will be moved to release branches soon.</P
+><P
+>The advantage to domain-level security is that the 
+	authentication in domain-level security is passed down the authenticated 
+	RPC channel in exactly the same way that an NT server would do it. This 
+	means Samba servers now participate in domain trust relationships in 
+	exactly the same way NT servers do (i.e., you can add Samba servers into 
+	a resource domain and have the authentication passed on from a resource
+	domain PDC to an account domain PDC.</P
+><P
+>In addition, with <B
+CLASS="COMMAND"
+>security = server</B
+> every Samba 
+	daemon on a server has to keep a connection open to the 
+	authenticating server for as long as that daemon lasts. This can drain 
+	the connection resources on a Microsoft NT server and cause it to run 
+	out of available connections. With <B
+CLASS="COMMAND"
+>security = domain</B
+>, 
+	however, the Samba daemons connect to the PDC/BDC only for as long 
+	as is necessary to authenticate the user, and then drop the connection, 
+	thus conserving PDC connection resources.</P
+><P
+>And finally, acting in the same manner as an NT server 
+	authenticating to a PDC means that as part of the authentication 
+	reply, the Samba server gets the user identification information such 
+	as the user SID, the list of NT groups the user belongs to, etc. All 
+	this information will allow Samba to be extended in the future into 
+	a mode the developers currently call appliance mode. In this mode, 
+	no local Unix users will be necessary, and Samba will generate Unix 
+	uids and gids from the information passed back from the PDC when a 
+	user is authenticated, making a Samba server truly plug and play 
+	in an NT domain environment. Watch for this code soon.</P
+><P
+><SPAN
+CLASS="emphasis"
+><I
+CLASS="EMPHASIS"
+>NOTE:</I
+></SPAN
+> Much of the text of this document 
+	was first published in the Web magazine <A
+HREF="http://www.linuxworld.com"
+TARGET="_top"
+> 	
+	LinuxWorld</A
+> as the article <A
+HREF="http://www.linuxworld.com/linuxworld/lw-1998-10/lw-10-samba.html"
+TARGET="_top"
+>Doing 
+	the NIS/NT Samba</A
+>.</P
+></DIV
+></DIV
+><DIV
+CLASS="NAVFOOTER"
+><HR
+ALIGN="LEFT"
+WIDTH="100%"><TABLE
+SUMMARY="Footer navigation table"
+WIDTH="100%"
+BORDER="0"
+CELLPADDING="0"
+CELLSPACING="0"
+><TR
+><TD
+WIDTH="33%"
+ALIGN="left"
+VALIGN="top"
+><A
+HREF="securitylevels.html"
+ACCESSKEY="P"
+>Prev</A
+></TD
+><TD
+WIDTH="34%"
+ALIGN="center"
+VALIGN="top"
+><A
+HREF="Samba-HOWTO.html"
+ACCESSKEY="H"
+>Home</A
+></TD
+><TD
+WIDTH="33%"
+ALIGN="right"
+VALIGN="top"
+><A
+HREF="winbind.html"
+ACCESSKEY="N"
+>Next</A
+></TD
+></TR
+><TR
+><TD
+WIDTH="33%"
+ALIGN="left"
+VALIGN="top"
+>Security levels</TD
+><TD
+WIDTH="34%"
+ALIGN="center"
+VALIGN="top"
+>&nbsp;</TD
+><TD
+WIDTH="33%"
+ALIGN="right"
+VALIGN="top"
+>Unified Logons between Windows NT and UNIX using Winbind</TD
+></TR
+></TABLE
+></DIV
+></BODY
+></HTML
+>
\ No newline at end of file
-- 
cgit