/release/src/router/samba/docs/htmldocs/DOMAIN_MEMBER.html
HTML | 127 lines | 116 code | 11 blank | 0 comment | 0 complexity | 47d4bc9d6ace963d24e6a7328f7f9805 MD5 | raw file
- <html><head><title>Joining an NT Domain with Samba 2.0</title>
- <link rev="made" href="mailto:samba@samba.org">
- </head>
- <body>
- <hr>
- <h1>Joining an NT Domain with Samba 2.0</h1>
- <h2>Jeremy Allison, Samba Team</h2>
- <h2>7th October 1999</h2>
- <h1>Table of Contents </h1><p></p>
-
- <p><hr><p><br>
- <p><center>Joining an NT Domain with Samba 2.0 </center>
- <center>----------------------------------- </center>
- <p>In order for a Samba-2 server to join an NT domain, you must first add
- the NetBIOS name of the Samba server to the NT domain on the PDC using
- Server Manager for Domains. This creates the machine account in the
- domain (PDC) SAM. Note that you should add the Samba server as a "Windows
- NT Workstation or Server", <em>NOT</em> as a Primary or backup domain controller.
- <p>Assume you have a Samba-2 server with a NetBIOS name of <code>SERV1</code> and are
- joining an NT domain called <code>DOM</code>, which has a PDC with a NetBIOS name
- of <code>DOMPDC</code> and two backup domain controllers with NetBIOS names <code>DOMBDC1</code>
- and <code>DOMBDC2</code>.
- <p>In order to join the domain, first stop all Samba daemons and run the
- command
- <p><code>smbpasswd -j DOM -r DOMPDC</code>
- <p>as we are joining the domain DOM and the PDC for that domain (the only
- machine that has write access to the domain SAM database) is DOMPDC. If this is
- successful you will see the message:
- <p><code>smbpasswd: Joined domain DOM.</code>
- <p>in your terminal window. See the <a href="smbpasswd.8.html"><strong>smbpasswd</strong></a>
- man page for more details.
- <p>This command goes through the machine account password change
- protocol, then writes the new (random) machine account password for
- this Samba server into a file in the same directory in which an
- smbpasswd file would be stored - normally :
- <p><code>/usr/local/samba/private</code>
- <p>The filename looks like this:
- <p><code><NT DOMAIN NAME>.<Samba Server Name>.mac</code>
- <p>The <code>.mac</code> suffix stands for machine account password file. So in
- our example above, the file would be called:
- <p><code>DOM.SERV1.mac</code>
- <p>This file is created and owned by root and is not readable by any
- other user. It is the key to the domain-level security for your
- system, and should be treated as carefully as a shadow password file.
- <p>Now, before restarting the Samba daemons you must edit your
- <a href="smb.conf.5.html"><strong>smb.conf</strong></a> file to tell Samba it should now
- use domain security.
- <p>Change (or add) your
- <p><a href="smb.conf.5.html#security"><strong>"security ="</strong></a>
- <p>line in the <a href="smb.conf.5.html#global"><strong>[global]</strong></a> section of your
- <a href="smb.conf.5.html"><strong>smb.conf</strong></a> to read:
- <p><code>security = domain</code>
- <p>Next change the
- <p><a href="smb.conf.5.html#workgroup"><strong>"workgroup ="</strong></a>
- <p>line in the <a href="smb.conf.5.html#global"><strong>[global]</strong></a> section to read:
- <p><code>workgroup = DOM</code>
- <p>as this is the name of the domain we are joining.
- <p>You must also have the parameter <a href="smb.conf.5.html#encryptpasswords"><strong>"encrypt passwords"</strong></a>
- set to <code>"yes"</code> in order for your users to authenticate to the
- NT PDC.
- <p>Finally, add (or modify) a:
- <p><a href="smb.conf.5.html#passwordserver"><strong>"password server ="</strong></a>
- <p>line in the <a href="smb.conf.5.html#global"><strong>[global]</strong></a> section to read:
- <p><code>password server = DOMPDC DOMBDC1 DOMBDC2</code>
- <p>These are the primary and backup domain controllers Samba will attempt
- to contact in order to authenticate users. Samba will try to contact
- each of these servers in order, so you may want to rearrange this list
- in order to spread out the authentication load among domain
- controllers.
- <p>Alternatively, if you want smbd to automatically determine the
- list of Domain controllers to use for authentication, you may set this line to be :
- <p><code>password server = *</code>
- <p>This method, which is new in Samba 2.0.6 and above, allows Samba
- to use exactly the same mechanism that NT does. This method either broadcasts or
- uses a WINS database in order to find domain controllers to
- authenticate against.
- <p>Finally, restart your Samba daemons and get ready for clients to begin
- using domain security!
- <p><center>Why is this better than security = server? </center>
- <center>------------------------------------------ </center>
- <p>Currently, domain security in Samba doesn't free you from having to
- create local Unix users to represent the users attaching to your
- server. This means that if domain user <code>DOM\fred</code> attaches to your
- domain security Samba server, there needs to be a local Unix user fred
- to represent that user in the Unix filesystem. This is very similar to
- the older Samba security mode <a href="smb.conf.5.html#securityequalserver"><strong>"security=server"</strong></a>, where Samba would pass
- through the authentication request to a Windows NT server in the same
- way as a Windows 95 or Windows 98 server would.
- <p>The advantage to domain-level security is that the authentication in
- domain-level security is passed down the authenticated RPC channel in
- exactly the same way that an NT server would do it. This means Samba
- servers now participate in domain trust relationships in exactly the
- same way NT servers do (i.e., you can add Samba servers into a
- resource domain and have the authentication passed on from a resource
- domain PDC to an account domain PDC.
- <p>In addition, with <a href="smb.conf.5.html#securityequalserver"><strong>"security=server"</strong></a> every Samba daemon on a
- server has to keep a connection open to the authenticating server for
- as long as that daemon lasts. This can drain the connection resources
- on a Microsoft NT server and cause it to run out of available
- connections. With <a href="smb.conf.5.html#securityequaldomain"><strong>"security =domain"</strong></a>, however, the Samba
- daemons connect to the PDC/BDC only for as long as is necessary to
- authenticate the user, and then drop the connection, thus conserving
- PDC connection resources.
- <p>And finally, acting in the same manner as an NT server authenticating
- to a PDC means that as part of the authentication reply, the Samba
- server gets the user identification information such as the user SID,
- the list of NT groups the user belongs to, etc. All this information
- will allow Samba to be extended in the future into a mode the
- developers currently call appliance mode. In this mode, no local Unix
- users will be necessary, and Samba will generate Unix uids and gids
- from the information passed back from the PDC when a user is
- authenticated, making a Samba server truly plug and play in an NT
- domain environment. Watch for this code soon.
- <p><em>NOTE:</em> Much of the text of this document was first published in the
- Web magazine <a href="http://www.linuxworld.com"><strong>"LinuxWorld"</strong></a> as the article <a href="http://www.linuxworld.com/linuxworld/lw-1998-10/lw-10-samba.html"><strong>"Doing the NIS/NT Samba"</strong></a>.
- </body>
- </html>