Administrators of Microsoft networks often refer to three different types of servers, with the domain controller further divided by role:
Stand Alone Server
Domain Member Server
Domain Controller
    Primary Domain Controller
    Backup Domain Controller
    ADS Domain Controller
A network administrator who is familiar with these terms and who wishes to migrate to or use Samba will want to know what these terms mean within a Samba context.
The term stand alone server means that the server provides local authentication and access control for all resources that are available from it. In general this means that there is a local user database. In more technical terms, it means that resources on the machine are made available either in SHARE mode or in USER mode. SHARE mode and USER mode security are documented under the discussion of "security mode". The smb.conf configuration parameters that control the security mode are "security = user" and "security = share".
No special action is needed other than to create user accounts. Stand-alone servers do NOT provide network logon services, meaning that machines that use this server do NOT perform a domain logon; instead they make use only of the MS Windows logon that is local to the MS Windows workstation/server.
Samba tends to blur the distinction a little in respect of what a stand alone server is, because the authentication database may be local or on a remote server, even though from the SMB protocol perspective the samba server is NOT a member of a domain security context.
Through the use of PAM (Pluggable Authentication Modules) and nsswitch (the name service switch) the source of authentication may reside on another server. We would be inclined to call this the authentication server. This means that the samba server may use the local Unix/Linux system password database (/etc/passwd or /etc/shadow), a local smbpasswd file (/etc/samba/smbpasswd or /usr/local/samba/lib/private/smbpasswd), an LDAP back end, or even, via PAM and Winbind, another CIFS/SMB server for authentication.
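The following smb.conf is an added example of a stand alone server in USER mode; it is not taken from the Samba HOWTO or the Samba sources. The workgroup, NetBIOS name, share paths and the smbpasswd back end are assumptions chosen for illustration, and the commented SHARE mode line is included only to show the weaker alternative next to the preferred one.

```ini
# Added example (not from the original HOWTO): minimal smb.conf for a
# stand alone server. Names and paths below are assumptions.
[global]
   workgroup = MYGROUP
   netbios name = FILESERVER
   server string = Stand alone file server

   ; USER mode: every session is authenticated as a named user against the
   ; local SAM, so Unix permissions, share ACLs and logs are per user.
   security = user
   encrypt passwords = yes
   passdb backend = smbpasswd

   ; SHARE mode alternative (weaker: one password per share, no per-user
   ; identity in logs or ACLs). Shown for contrast only; prefer USER mode.
   ; security = share

   ; A stand alone server offers no network logon service at all.
   domain logons = no
   domain master = no

[homes]
   comment = Home directories
   browseable = no
   read only = no
   ; %S is the requested service name, i.e. the user's own home only.
   valid users = %S

[public]
   path = /srv/samba/public
   read only = yes
   guest ok = yes
```

With this file in place, create the Unix account and then the matching SAM entry (for example `useradd alice` followed by `smbpasswd -a alice`), and run `testparm` to confirm the file parses and that it reports the server role you intended. If the Unix account is meant to live in LDAP or on another authentication server, that is a PAM/nsswitch matter on the host and changes nothing in this smb.conf.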
A domain member server is a samba machine that has been made a member of a domain security context. This means by definition that all user authentication is done against a centrally defined authentication regime. The authentication regime may come from an NT3/4 style (old domain technology) server, or it may be provided by an Active Directory server (ADS) running on MS Windows 2000 or later.
Of course it should be clear that the authentication back end itself could be any distributed directory architecture server that is supported by Samba. This can be LDAP (from OpenLDAP), Sun's iPlanet, Novell's NetWare Directory Services, etc.
Please refer to the section on how to configure Samba as a Primary Domain Controller for more information regarding how to create a domain machine account for a domain member server, as well as for information regarding how to enable the samba domain member machine to join the domain and to be fully trusted by it.
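The following smb.conf is an added example of a domain member server configured for an NT3/4 style domain, with the Active Directory variant shown as commented lines; it is not from the Samba HOWTO or the Samba sources. The domain name, realm, NetBIOS name, share path and idmap ranges are assumptions.

```ini
# Added example (not from the original HOWTO): smb.conf for a domain member
# server. Domain, realm, host name, paths and idmap ranges are assumptions.
[global]
   workgroup = MIDEARTH
   netbios name = MEMBER1

   ; NT3/4 style membership: pass authentication to the domain controllers.
   ; "password server = *" locates the DCs by NetBIOS name resolution
   ; instead of hard-coding a single DC.
   security = domain
   password server = *
   encrypt passwords = yes

   ; For an Active Directory domain, use these instead of the two lines
   ; above; the host then needs a working /etc/krb5.conf and a clock that
   ; is in sync with the DCs, or Kerberos authentication will fail.
   ; security = ads
   ; realm = MIDEARTH.EXAMPLE.COM

   ; Winbind maps domain SIDs to local uid/gid ranges so that domain users
   ; need no local Unix account. The ranges must not overlap local accounts.
   idmap uid = 10000-20000
   idmap gid = 10000-20000
   ; Let domain users and groups be named without the DOMAIN\ prefix.
   winbind use default domain = yes
   winbind enum users = yes
   winbind enum groups = yes

[data]
   path = /srv/samba/data
   read only = no
   ; Only members of the domain group may connect to this share.
   valid users = @"Domain Users"
```

After the file is in place, join the domain (which creates the machine account and stores the machine trust password in secrets.tdb) with `net rpc join -U Administrator` for an NT3/4 domain or `net ads join -U Administrator` for Active Directory, using an account that is allowed to add workstations. Start winbindd and add `winbind` to the passwd and group lines of /etc/nsswitch.conf; `wbinfo -t` then checks the trust secret, and `wbinfo -u` and `getent passwd` confirm that domain users resolve to the uid range above.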
Over the years public perceptions of what Domain Control really is have taken on an almost mystical nature. Before we branch into a brief overview of what Domain Control is, the following types of controller are known:
Primary Domain Controller
Backup Domain Controller
ADS Domain Controller
The Primary Domain Controller, or PDC, plays an important role in the MS Windows NT3 and NT4 Domain Control architecture, but not in the manner that so many expect. The PDC seeds the Domain Control database (a part of the Windows registry) and it plays a key part in synchronisation of the domain authentication database.
New to Samba-3.0.0 is the ability to use a back-end file that holds the same type of data as the NT4 style SAM (Security Account Manager) database (one of the registry files). The Samba-3.0.0 SAM can be specified via the smb.conf file parameter "passdb backend", and valid options include smbpasswd, tdbsam, ldapsam, nisplussam, plugin and unixsam. The smbpasswd, tdbsam and ldapsam options can have a "_nua" suffix to indicate that No Unix Accounts need to be created. In other words, the Samba SAM will be independent of Unix/Linux system accounts, provided a uid range is defined from which SAM accounts can be created.
The Backup Domain Controller, or BDC, plays a key role in servicing network authentication requests. The BDC is biased to answer logon requests, so that on a network segment that has both a BDC and a PDC the BDC will most likely service network logon requests. The PDC answers network logon requests when the BDC is too busy (high load). A BDC can be promoted to a PDC. If the PDC is online at the time that the BDC is promoted to PDC, the previous PDC is automatically demoted to a BDC.
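The following two smb.conf files are an added example, not from the Samba HOWTO or the Samba sources, covering both the PDC and the BDC paragraphs above and the "passdb backend" parameter. They put the NT4 style SAM in an LDAP directory (ldapsam) so that the BDC reads the same account database as the PDC, since a tdbsam or smbpasswd file on the PDC is not replicated to a BDC by Samba. The domain name, host names, LDAP URLs and DNs, share paths, the ntadmin group and the useradd path in "add machine script" are all assumptions. ADS domain controller configuration is deliberately absent, since Samba-3 cannot fill that role.

```ini
# Added example (not from the original HOWTO): two separate files, one per
# controller. Domain, host names, LDAP settings and paths are assumptions.

# ---- file 1: smb.conf on the PDC ----
[global]
   workgroup = MIDEARTH
   netbios name = PDC1
   security = user
   encrypt passwords = yes

   ; Domain control: serve network logons and win the domain master
   ; browser election (high os level, preferred master).
   domain logons = yes
   domain master = yes
   preferred master = yes
   local master = yes
   os level = 65

   ; The NT4 style SAM lives in LDAP so the BDC can read it too.
   passdb backend = ldapsam:ldap://ldap.midearth.example.com
   ldap suffix = dc=midearth,dc=example,dc=com
   ldap admin dn = cn=Manager,dc=midearth,dc=example,dc=com

   ; Create the Unix account that backs a machine trust account when a
   ; workstation joins; script path and group are assumptions.
   add machine script = /usr/sbin/useradd -d /dev/null -g machines -s /bin/false -M %u

   ; %L is this server's NetBIOS name, %U the logging-on user.
   logon script = logon.bat
   logon path = \\%L\profiles\%U

[netlogon]
   path = /var/lib/samba/netlogon
   read only = yes
   write list = @ntadmin

[profiles]
   path = /var/lib/samba/profiles
   read only = no
   create mask = 0600
   directory mask = 0700

# ---- file 2: smb.conf on the BDC ----
[global]
   workgroup = MIDEARTH
   netbios name = BDC1
   security = user
   encrypt passwords = yes

   ; Serve logons, but never claim to be the domain master browser:
   ; lower os level, preferred master off, domain master off.
   domain logons = yes
   domain master = no
   preferred master = no
   local master = yes
   os level = 33

   ; Same suffix as the PDC, read from an LDAP replica.
   passdb backend = ldapsam:ldap://ldap-replica.midearth.example.com
   ldap suffix = dc=midearth,dc=example,dc=com
   ldap admin dn = cn=Manager,dc=midearth,dc=example,dc=com

[netlogon]
   path = /var/lib/samba/netlogon
   read only = yes
```

On each controller store the LDAP admin password with `smbpasswd -w`, because the "ldap admin dn" password is kept in secrets.tdb rather than in smb.conf. The BDC must carry the same domain SID as the PDC; `net rpc getsid` on the BDC fetches it from the PDC into the local secrets.tdb. Samba replicates neither the [netlogon] share contents nor the LDAP directory, so logon scripts must be copied to the BDC by other means (rsync, for example) and the directory must be replicated by the LDAP server itself.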
At this time Samba is NOT capable of acting as an ADS Domain Controller.