diff options
Diffstat (limited to 'docs/docbook/projdoc/DOMAIN_MEMBER.sgml')
| -rw-r--r-- | docs/docbook/projdoc/DOMAIN_MEMBER.sgml | 224 |
1 files changed, 224 insertions, 0 deletions
diff --git a/docs/docbook/projdoc/DOMAIN_MEMBER.sgml b/docs/docbook/projdoc/DOMAIN_MEMBER.sgml new file mode 100644 index 00000000000..6d0b36eafcc --- /dev/null +++ b/docs/docbook/projdoc/DOMAIN_MEMBER.sgml @@ -0,0 +1,224 @@ +<chapter id="domain-security"> + +<chapterinfo> + <author> + <firstname>Jeremy</firstname><surname>Allison</surname> + <affiliation> + <orgname>Samba Team</orgname> + <address> + <email>samba@samba.org</email> + </address> + </affiliation> + </author> + <author> + <firstname>Jerry</firstname><surname>Carter</surname> + <affiliation> + <orgname>Samba Team</orgname> + <address> + <email>jerry@samba.org</email> + </address> + </affiliation> + </author> + + + <pubdate>16 Apr 2001</pubdate> +</chapterinfo> + + +<title>security = domain in Samba 2.x</title> + +<sect1> + + <title>Joining an NT Domain with Samba 2.2</title> + + <para>Assume you have a Samba 2.x server with a NetBIOS name of + <constant>SERV1</constant> and are joining an NT domain called + <constant>DOM</constant>, which has a PDC with a NetBIOS name + of <constant>DOMPDC</constant> and two backup domain controllers + with NetBIOS names <constant>DOMBDC1</constant> and <constant>DOMBDC2 + </constant>.</para> + + <para>In order to join the domain, first stop all Samba daemons + and run the command:</para> + + <para><prompt>root# </prompt><userinput>smbpasswd -j DOM -r DOMPDC + -U<replaceable>Administrator%password</replaceable></userinput></para> + + <para>as we are joining the domain DOM and the PDC for that domain + (the only machine that has write access to the domain SAM database) + is DOMPDC. The <replaceable>Administrator%password</replaceable> is + the login name and password for an account which has the necessary + privilege to add machines to the domain. If this is successful + you will see the message:</para> + + <para><computeroutput>smbpasswd: Joined domain DOM.</computeroutput> + </para> + + <para>in your terminal window. See the <ulink url="smbpasswd.8.html"> + smbpasswd(8)</ulink> man page for more details.</para> + + <para>There is existing development code to join a domain + without having to create the machine trust account on the PDC + beforehand. This code will hopefully be available soon + in release branches as well.</para> + + <para>This command goes through the machine account password + change protocol, then writes the new (random) machine account + password for this Samba server into a file in the same directory + in which an smbpasswd file would be stored - normally :</para> + + <para><filename>/usr/local/samba/private</filename></para> + + <para>In Samba 2.0.x, the filename looks like this:</para> + + <para><filename><replaceable><NT DOMAIN NAME></replaceable>.<replaceable><Samba + Server Name></replaceable>.mac</filename></para> + + <para>The <filename>.mac</filename> suffix stands for machine account + password file. So in our example above, the file would be called:</para> + + <para><filename>DOM.SERV1.mac</filename></para> + + <para>In Samba 2.2, this file has been replaced with a TDB + (Trivial Database) file named <filename>secrets.tdb</filename>. + </para> + + + <para>This file is created and owned by root and is not + readable by any other user. It is the key to the domain-level + security for your system, and should be treated as carefully + as a shadow password file.</para> + + <para>Now, before restarting the Samba daemons you must + edit your <ulink url="smb.conf.5.html"><filename>smb.conf(5)</filename> + </ulink> file to tell Samba it should now use domain security.</para> + + <para>Change (or add) your <ulink url="smb.conf.5.html#SECURITY"> + <parameter>security =</parameter></ulink> line in the [global] section + of your smb.conf to read:</para> + + <para><command>security = domain</command></para> + + <para>Next change the <ulink url="smb.conf.5.html#WORKGROUP"><parameter> + workgroup =</parameter></ulink> line in the [global] section to read: </para> + + <para><command>workgroup = DOM</command></para> + + <para>as this is the name of the domain we are joining. </para> + + <para>You must also have the parameter <ulink url="smb.conf.5.html#ENCRYPTPASSWORDS"> + <parameter>encrypt passwords</parameter></ulink> set to <constant>yes + </constant> in order for your users to authenticate to the NT PDC.</para> + + <para>Finally, add (or modify) a <ulink url="smb.conf.5.html#PASSWORDSERVER"> + <parameter>password server =</parameter></ulink> line in the [global] + section to read: </para> + + <para><command>password server = DOMPDC DOMBDC1 DOMBDC2</command></para> + + <para>These are the primary and backup domain controllers Samba + will attempt to contact in order to authenticate users. Samba will + try to contact each of these servers in order, so you may want to + rearrange this list in order to spread out the authentication load + among domain controllers.</para> + + <para>Alternatively, if you want smbd to automatically determine + the list of Domain controllers to use for authentication, you may + set this line to be :</para> + + <para><command>password server = *</command></para> + + <para>This method, which was introduced in Samba 2.0.6, + allows Samba to use exactly the same mechanism that NT does. This + method either broadcasts or uses a WINS database in order to + find domain controllers to authenticate against.</para> + + <para>Finally, restart your Samba daemons and get ready for + clients to begin using domain security!</para> +</sect1> + +<sect1> +<title>Samba and Windows 2000 Domains</title> + +<para> +Many people have asked regarding the state of Samba's ability to participate in +a Windows 2000 Domain. Samba 2.2 is able to act as a member server of a Windows +2000 domain operating in mixed or native mode. +</para> + +<para> +There is much confusion between the circumstances that require a "mixed" mode +Win2k DC and a when this host can be switched to "native" mode. A "mixed" mode +Win2k domain controller is only needed if Windows NT BDCs must exist in the same +domain. By default, a Win2k DC in "native" mode will still support +NetBIOS and NTLMv1 for authentication of legacy clients such as Windows 9x and +NT 4.0. Samba has the same requirements as a Windows NT 4.0 member server. +</para> + +<para> +The steps for adding a Samba 2.2 host to a Win2k domain are the same as those +for adding a Samba server to a Windows NT 4.0 domain. The only exception is that +the "Server Manager" from NT 4 has been replaced by the "Active Directory Users and +Computers" MMC (Microsoft Management Console) plugin. +</para> + +</sect1> + + +<sect1> + <title>Why is this better than security = server?</title> + + <para>Currently, domain security in Samba doesn't free you from + having to create local Unix users to represent the users attaching + to your server. This means that if domain user <constant>DOM\fred + </constant> attaches to your domain security Samba server, there needs + to be a local Unix user fred to represent that user in the Unix + filesystem. This is very similar to the older Samba security mode + <ulink url="smb.conf.5.html#SECURITYEQUALSSERVER">security = server</ulink>, + where Samba would pass through the authentication request to a Windows + NT server in the same way as a Windows 95 or Windows 98 server would. + </para> + + <para>Please refer to the <ulink url="winbind.html">Winbind + paper</ulink> for information on a system to automatically + assign UNIX uids and gids to Windows NT Domain users and groups. + This code is available in development branches only at the moment, + but will be moved to release branches soon.</para> + + <para>The advantage to domain-level security is that the + authentication in domain-level security is passed down the authenticated + RPC channel in exactly the same way that an NT server would do it. This + means Samba servers now participate in domain trust relationships in + exactly the same way NT servers do (i.e., you can add Samba servers into + a resource domain and have the authentication passed on from a resource + domain PDC to an account domain PDC.</para> + + <para>In addition, with <command>security = server</command> every Samba + daemon on a server has to keep a connection open to the + authenticating server for as long as that daemon lasts. This can drain + the connection resources on a Microsoft NT server and cause it to run + out of available connections. With <command>security = domain</command>, + however, the Samba daemons connect to the PDC/BDC only for as long + as is necessary to authenticate the user, and then drop the connection, + thus conserving PDC connection resources.</para> + + <para>And finally, acting in the same manner as an NT server + authenticating to a PDC means that as part of the authentication + reply, the Samba server gets the user identification information such + as the user SID, the list of NT groups the user belongs to, etc. All + this information will allow Samba to be extended in the future into + a mode the developers currently call appliance mode. In this mode, + no local Unix users will be necessary, and Samba will generate Unix + uids and gids from the information passed back from the PDC when a + user is authenticated, making a Samba server truly plug and play + in an NT domain environment. Watch for this code soon.</para> + + <para><emphasis>NOTE:</emphasis> Much of the text of this document + was first published in the Web magazine <ulink url="http://www.linuxworld.com"> + LinuxWorld</ulink> as the article <ulink + url="http://www.linuxworld.com/linuxworld/lw-1998-10/lw-10-samba.html">Doing + the NIS/NT Samba</ulink>.</para> + +</sect1> + +</chapter> |