From ff78c3bf5c3a73cf90f6517d9b2d6b8c12d22d68 Mon Sep 17 00:00:00 2001 From: Jelmer Vernooij Date: Tue, 18 Feb 2003 22:14:04 +0000 Subject: Regenerate (This used to be commit 1ab5a3b17feb677425bb1071357c3dbabcc46c7e) --- docs/htmldocs/domain-security.html | 227 +++++++++++++++---------------------- 1 file changed, 94 insertions(+), 133 deletions(-) (limited to 'docs/htmldocs/domain-security.html') diff --git a/docs/htmldocs/domain-security.html b/docs/htmldocs/domain-security.html index 670d96ba5f..fcb40641e4 100644 --- a/docs/htmldocs/domain-security.html +++ b/docs/htmldocs/domain-security.html @@ -2,11 +2,10 @@ Samba as a NT4 domain memberSamba as a NT4 or Win2k domain member

Chapter 9. Samba as a NT4 domain member

Chapter 8. Samba as a NT4 or Win2k domain member

9.1. Joining an NT Domain with Samba 2.2

8.1. Joining an NT Domain with Samba 3.0

Assume you have a Samba 2.x server with a NetBIOS name of +>Assume you have a Samba 3.0 server with a NetBIOS name of SERV1 and are joining an NT domain called +> and are joining an or Win2k NT domain called DOM.

In order to join the domain, first stop all Samba daemons - and run the command:

root# smbpasswd -j DOM -r DOMPDC - -UAdministrator%password

as we are joining the domain DOM and the PDC for that domain - (the only machine that has write access to the domain SAM database) - is DOMPDC. The Administrator%password is - the login name and password for an account which has the necessary - privilege to add machines to the domain. If this is successful - you will see the message:

smbpasswd: Joined domain DOM. -

in your terminal window. See the smbpasswd(8) man page for more details.

There is existing development code to join a domain - without having to create the machine trust account on the PDC - beforehand. This code will hopefully be available soon - in release branches as well.

This command goes through the machine account password - change protocol, then writes the new (random) machine account - password for this Samba server into a file in the same directory - in which an smbpasswd file would be stored - normally :

/usr/local/samba/private

In Samba 2.0.x, the filename looks like this:

<NT DOMAIN NAME>.<Samba - Server Name>.mac

The .mac suffix stands for machine account - password file. So in our example above, the file would be called:

DOM.SERV1.mac

In Samba 2.2, this file has been replaced with a TDB - (Trivial Database) file named secrets.tdb. -

This file is created and owned by root and is not - readable by any other user. It is the key to the domain-level - security for your system, and should be treated as carefully - as a shadow password file.

Now, before restarting the Samba daemons you must - edit your Firstly, you must edit your security = domain

or + security = ads depending on if the PDC is + NT4 or running Active Directory respectivly.

Next change the password server = *

This method, which was introduced in Samba 2.0.6, - allows Samba to use exactly the same mechanism that NT does. This +>This method, allows Samba to use exactly the same + mechanism that NT does. This method either broadcasts or uses a WINS database in order to find domain controllers to authenticate against.

In order to actually join the domain, you must run this + command:

root# net join -S DOMPDC + -UAdministrator%password

as we are joining the domain DOM and the PDC for that domain + (the only machine that has write access to the domain SAM database) + is DOMPDC. The Administrator%password is + the login name and password for an account which has the necessary + privilege to add machines to the domain. If this is successful + you will see the message:

Joined domain DOM. + or Joined 'SERV1' to realm 'MYREALM' +

in your terminal window. See the net(8) man page for more details.

This process joins the server to thedomain + without having to create the machine trust account on the PDC + beforehand.

This command goes through the machine account password + change protocol, then writes the new (random) machine account + password for this Samba server into a file in the same directory + in which an smbpasswd file would be stored - normally :

/usr/local/samba/private/secrets.tdb

This file is created and owned by root and is not + readable by any other user. It is the key to the domain-level + security for your system, and should be treated as carefully + as a shadow password file.

Finally, restart your Samba daemons and get ready for clients to begin using domain security!

9.2. Samba and Windows 2000 Domains

8.2. Samba and Windows 2000 Domains

Many people have asked regarding the state of Samba's ability to participate in a Windows 2000 Domain. Samba 3.0 is able to act as a member server of a Windows -2000 domain operating in mixed or native mode.

There is much confusion between the circumstances that require a "mixed" mode -Win2k DC and a when this host can be switched to "native" mode. A "mixed" mode -Win2k domain controller is only needed if Windows NT BDCs must exist in the same -domain. By default, a Win2k DC in "native" mode will still support -NetBIOS and NTLMv1 for authentication of legacy clients such as Windows 9x and -NT 4.0. Samba has the same requirements as a Windows NT 4.0 member server.

The steps for adding a Samba 2.2 host to a Win2k domain are the same as those -for adding a Samba server to a Windows NT 4.0 domain. The only exception is that -the "Server Manager" from NT 4 has been replaced by the "Active Directory Users and -Computers" MMC (Microsoft Management Console) plugin.

9.3. Why is this better than security = server?

8.3. Why is this better than security = server?

Currently, domain security in Samba doesn't free you from having to create local Unix users to represent the users attaching @@ -387,13 +354,7 @@ CLASS="COMMAND" >And finally, acting in the same manner as an NT server authenticating to a PDC means that as part of the authentication reply, the Samba server gets the user identification information such - as the user SID, the list of NT groups the user belongs to, etc. All - this information will allow Samba to be extended in the future into - a mode the developers currently call appliance mode. In this mode, - no local Unix users will be necessary, and Samba will generate Unix - uids and gids from the information passed back from the PDC when a - user is authenticated, making a Samba server truly plug and play - in an NT domain environment. Watch for this code soon.