From e2e8575da9277b0b67ac789461f4a91826c7c0eb Mon Sep 17 00:00:00 2001 From: John Terpstra Date: Sun, 19 Jun 2005 03:40:21 +0000 Subject: More updates. (This used to be commit cc6daca7bbab5dd148ab50e8080336bbd8392f53) --- docs/Samba3-HOWTO/TOSHARG-PDC.xml | 73 ++++++++++++++++++++++++++++++++------- 1 file changed, 60 insertions(+), 13 deletions(-) (limited to 'docs') diff --git a/docs/Samba3-HOWTO/TOSHARG-PDC.xml b/docs/Samba3-HOWTO/TOSHARG-PDC.xml index 8b8cd7f7bb..9639221a2a 100644 --- a/docs/Samba3-HOWTO/TOSHARG-PDC.xml +++ b/docs/Samba3-HOWTO/TOSHARG-PDC.xml @@ -702,6 +702,7 @@ a more complete explanation. Samba ADS Domain Control +active directory Samba-3 is not, and cannot act as, an Active Directory server. It cannot truly function as an Active Directory PDC. The protocols for some of the functionality of Active Directory domain controllers has been partially implemented on an experimental only basis. Please do not expect Samba-3 to support these protocols. Do not @@ -712,6 +713,8 @@ someday or maybe never! +domain controllers +active directory To be sure, Samba-3 is designed to provide most of the functionality that Microsoft Windows NT4-style domain controllers have. Samba-3 does not have all the capabilities of Windows NT4, but it does have a number of features that Windows NT4 domain controllers do not have. In short, Samba-3 is not NT4 and it @@ -725,6 +728,7 @@ enough for all to understand. Domain and Network Logon Configuration +domain logon The subject of network or domain logons is discussed here because it forms an integral part of the essential functionality that is provided by a domain controller. @@ -733,6 +737,7 @@ an integral part of the essential functionality that is provided by a domain con Domain Network Logon Service +domain logon All domain controllers must run the netlogon service (domain logons in Samba). One domain controller must be configured with Yes (the PDC); on all BDCs set the parameter No. 
@@ -787,6 +792,11 @@ Microsoft, and we recommend that you do not do that. The Special Case of Windows 9x/Me +domain +workgroup +authentication +browsing +rights A domain and a workgroup are exactly the same in terms of network browsing. The difference is that a distributable authentication database is associated with a domain, for secure login access to a @@ -796,6 +806,7 @@ now in the same way as MS Windows NT/200x. +browsing The SMB client logging on to a domain has an expectation that every other server in the domain should accept the same authentication information. Network browsing functionality of domains and workgroups is identical and @@ -804,6 +815,9 @@ It should be noted that browsing is totally orthogonal to logon support. +single-logon +domain logons +network logon Issues related to the single-logon network model are discussed in this section. Samba supports domain logons, network logon scripts, and user profiles for MS Windows for Workgroups and MS Windows 9x/Me clients, 
@@ -811,14 +825,12 @@ which are the focus of this section. -When an SMB client in a domain wishes to log on, it broadcasts requests for a -logon server. The first one to reply gets the job and validates its -password using whatever mechanism the Samba administrator has installed. -It is possible (but ill advised) to create a domain where the user -database is not shared between servers; that is, they are effectively workgroup -servers advertising themselves as participating in a domain. This -demonstrates how authentication is quite different from but closely -involved with domains. +broadcast request +When an SMB client in a domain wishes to log on, it broadcasts requests for a logon server. The first one to +reply gets the job and validates its password using whatever mechanism the Samba administrator has installed. +It is possible (but ill advised) to create a domain where the user database is not shared between servers; +that is, they are effectively workgroup servers advertising themselves as participating in a domain. This +demonstrates how authentication is quite different from but closely involved with domains. @@ -828,18 +840,19 @@ the network and download their preferences, desktop, and start menu. -MS Windows XP Home edition is not able to join a domain and does not permit -the use of domain logons. +MS Windows XP Home edition is not able to join a domain and does not permit the use of domain logons. -Before launching into the configuration instructions, it is -worthwhile to look at how a Windows 9x/Me client performs a logon: +Before launching into the configuration instructions, it is worthwhile to look at how a Windows 9x/Me client +performs a logon: + DOMAIN<#1C> + logon server The client broadcasts (to the IP broadcast address of the subnet it is in) a NetLogon request. This is sent to the NetBIOS name DOMAIN<#1C> at the NetBIOS layer. The client chooses the first response it receives, which 
@@ -852,6 +865,9 @@ worthwhile to look at how a Windows 9x/Me client performs a logon: + IPC$ + SMBsessetupX + SMBtconX The client connects to that server, logs on (does an SMBsessetupX) and then connects to the IPC$ share (using an SMBtconX). @@ -859,6 +875,7 @@ worthwhile to look at how a Windows 9x/Me client performs a logon: + NetWkstaUserLogon The client does a NetWkstaUserLogon request, which retrieves the name of the user's logon script. @@ -874,6 +891,8 @@ worthwhile to look at how a Windows 9x/Me client performs a logon: + NetUserGetInfo + profile The client sends a NetUserGetInfo request to the server to retrieve the user's home share, which is used to search for profiles. Since the response to the NetUserGetInfo request does not contain much more than @@ -884,6 +903,7 @@ worthwhile to look at how a Windows 9x/Me client performs a logon: + profiles The client connects to the user's home share and searches for the user's profile. As it turns out, you can specify the user's home share as a share name and path. For example, \\server\fred\.winprofile. @@ -893,6 +913,7 @@ worthwhile to look at how a Windows 9x/Me client performs a logon: + CONFIG.POL The client then disconnects from the user's home share and reconnects to the NetLogon share and looks for CONFIG.POL, the policies file. If this is found, it is read and implemented. @@ -906,6 +927,8 @@ The main difference between a PDC and a Windows 9x/Me logon server configuration + passwordplaintext + plaintext password Password encryption is not required for a Windows 9x/Me logon server. But note that beginning with MS Windows 98 the default setting is that plaintext password support is disabled. It can be re-enabled with the registry 
@@ -913,16 +936,19 @@ The main difference between a PDC and a Windows 9x/Me logon server configuration + machine trust account Windows 9x/Me clients do not require and do not use Machine Trust Accounts. +network logon services A Samba PDC will act as a Windows 9x/Me logon server; after all, it does provide the network logon services that MS Windows 9x/Me expect to find. +sniffer Use of plaintext passwords is strongly discouraged. Where used they are easily detected using a sniffer tool to examine network traffic. @@ -934,6 +960,9 @@ using a sniffer tool to examine network traffic. Security Mode and Master Browsers +security mode +user-mode security +share-mode security There are a few comments to make in order to tie up some loose ends. There has been much debate over the issue of whether it is okay to configure Samba as a domain controller that operates with security mode other than user-mode. The only security mode that will not work due to technical reasons is share-mode security. Domain @@ -941,6 +970,13 @@ and server mode security are really just a variation on SMB user-level security. +DOMAIN<1C> +DOMAIN<#1B> +DMB +PDC +NetBIOS name +domain controller +election Actually, this issue is also closely tied to the debate on whether Samba must be the DMB for its workgroup when operating as a domain controller. In a pure Microsoft Windows NT domain, the PDC wins the election to be the DMB, and then registers the DOMAIN<#1B> NetBIOS name. This is not the name used by Windows clients 
@@ -954,6 +990,11 @@ where a Samba server is the PDC it is wise to configure the Samba domain control +DOMAIN<1D> +synchronization +domain control +browse list management +networklogonservice SMB/CIFS servers that register the DOMAIN<1C> name do so because they provide the network logon service. Server that register the DOMAIN<1B> name are DMBs &smbmdash; meaning that they are responsible for browse list synchronization across all machines that have registered the DOMAIN<1D> name. The later @@ -989,14 +1030,19 @@ This is the only officially supported mode of operation. Common Errors - <quote>$</quote> Cannot Be Included in Machine Name +<quote>$</quote> Cannot Be Included in Machine Name + +BSD +FreeBSD +/etc/passwd A machine account, typically stored in /etc/passwd, takes the form of the machine name with a $ appended. Some BSD systems will not create a user with a $ in the name. Recent versions of FreeBSD have removed this limitation, but older releases are still in common use. +vipw The problem is only in the program used to make the entry. Once made, it works perfectly. Create a user without the $. Then use vipw to edit the entry, adding the $. Or create the whole entry with vipw if you like; make sure you use a unique user login ID. @@ -1016,6 +1062,7 @@ important for security reasons. Joining Domain Fails Because of Existing Machine Account +join domain I get told, `You already have a connection to the Domain....' or `Cannot join domain, the credentials supplied conflict with an existing set...' when creating a Machine Trust Account. -- cgit
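Review bot: In hunk @@ -702 the context line "The protocols for some of the functionality of Active Directory domain controllers has been partially implemented" needs "have", not "has"; since this paragraph is being touched to add the "active directory" index term, fix the agreement in the same commit.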
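Review bot: Hunk @@ -713 adds "active directory" again, a few lines below the identical term added in hunk @@ -702 for the same section; one of the two entries is redundant, or the second should carry a distinguishing secondary term (e.g. one for "domain controllers" and one for the NT4 comparison) so the index does not point twice at the same page.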
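Review bot: Hunk @@ -825 is a pure rewrap of the existing paragraph plus the "broadcast request" term; while rewrapping, "ill advised" in "It is possible (but ill advised) to create a domain" should be hyphenated as "ill-advised".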
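Review bot: Hunk @@ -903 adds the term "profiles" while hunk @@ -891 adds "profile" for the same topic two paragraphs earlier; index terms collate by exact text, so this produces two separate entries. Use the singular "profile" in both places.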
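Review bot: In hunk @@ -927 the added term "passwordplaintext" reads as two words run together; if it is meant as a nested entry with primary "password" and secondary "plaintext", that is fine, but otherwise it should match the adjacent "plaintext password" term so both land in the same index entry.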
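Review bot: Hunk @@ -936 adds "network logon services" (plural), while hunk @@ -815 adds "network logon" and hunk @@ -990 adds "networklogonservice"; three spellings of one concept will scatter it across three index entries. Standardise on a single form, "network logon service", in all three hunks.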
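Review bot: Hunk @@ -960 indexes "user-mode security" and "share-mode security" but the context sentence "Domain and server mode security are really just a variation on SMB user-level security" discusses two further modes; add "domain-mode security" and "server-mode security" terms alongside them so readers looking up either mode reach this discussion.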
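Review bot: Hunk @@ -970 adds "DOMAIN<1C>" without the "#" but "DOMAIN<#1B>" with it, and hunk @@ -840 earlier added "DOMAIN<#1C>" while hunk @@ -990 adds "DOMAIN<1D>"; the NetBIOS suffix entries should use one spelling (the body text in this hunk writes "DOMAIN<#1B>") so that <1B>, <1C> and <1D> sort next to each other in the index.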
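Review bot: Hunk @@ -990 has "networklogonservice" run together (compare "network logon services" in hunk @@ -936), and the untouched context lines right below it read "Server that register the DOMAIN<1B> name are DMBs" and "The later", which should be "Servers that register" and "The latter"; worth fixing while this paragraph is open.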
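Review bot: In hunk @@ -1030 the "<quote>$</quote> Cannot Be Included in Machine Name" title line changes only in leading whitespace, which adds noise to the diff; either drop that whitespace-only change or mention it in the commit message, which currently just says "More updates."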
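Review bot: Hunk @@ -1062 adds only "join domain", but the error text in the context ("when creating a Machine Trust Account") is about the machine trust account conflict, so this section should also carry the "machine trust account" term that hunk @@ -936 introduced, giving the index one entry that covers both the creation rule and this failure mode.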