<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<HEAD>
<TITLE>Samba as a NT4 or Win2k domain member</TITLE>
<META NAME="GENERATOR" CONTENT="Modular DocBook HTML Stylesheet Version 1.7">
<LINK REL="HOME" TITLE="SAMBA Project Documentation" HREF="samba-howto-collection.html">
<LINK REL="UP" TITLE="Type of installation" HREF="type.html">
<LINK REL="PREVIOUS" TITLE="Samba as a ADS domain member">
<LINK REL="NEXT" TITLE="Advanced Configuration" HREF="optional.html">
</HEAD>

<H1><A NAME="DOMAIN-SECURITY">Chapter 9. Samba as a NT4 or Win2k domain member</A></H1>

<H2>9.1. Joining an NT Domain with Samba 3.0</H2>
<P>Assume you have a Samba 3.0 server with a NetBIOS name of
<CODE>SERV1</CODE> and are joining an NT or Win2k domain called
<CODE>DOM</CODE>, which has a PDC with a NetBIOS name of
<CODE>DOMPDC</CODE> and two backup domain controllers
with NetBIOS names <CODE>DOMBDC1</CODE> and <CODE>DOMBDC2</CODE>.</P>

<P>Firstly, you must edit your <TT>smb.conf</TT> file to tell Samba it should
now use domain security.</P>

<P>Change (or add) your
<A HREF="smb.conf.5.html#SECURITY"><VAR>security =</VAR></A>
line in the [global] section of your <TT>smb.conf</TT> to read:</P>

<P><B>security = domain</B></P>

<P>Next change the
<A HREF="smb.conf.5.html#WORKGROUP"><VAR>workgroup =</VAR></A>
line in the [global] section to read:</P>

<P><B>workgroup = DOM</B></P>

<P>as this is the name of the domain we are joining.</P>

<P>You must also have the parameter
<A HREF="smb.conf.5.html#ENCRYPTPASSWORDS"><VAR>encrypt passwords</VAR></A>
set to <B>yes</B> in order for your users to authenticate to the NT PDC.</P>

<P>Finally, add (or modify) a
<A HREF="smb.conf.5.html#PASSWORDSERVER"><VAR>password server =</VAR></A>
line in the [global] section to read:</P>

<P><B>password server = DOMPDC DOMBDC1 DOMBDC2</B></P>

<P>These are the primary and backup domain controllers Samba
will attempt to contact in order to authenticate users. Samba will
try to contact each of these servers in order, so you may want to
rearrange this list in order to spread out the authentication load
among domain controllers.</P>

<P>Alternatively, if you want smbd to automatically determine
the list of domain controllers to use for authentication, you may
set this line to be:</P>

<P><B>password server = *</B></P>

<P>This method allows Samba to use exactly the same
mechanism that NT does. It either broadcasts or uses a WINS database
in order to find domain controllers to authenticate against.</P>

<P>In order to actually join the domain, you must run this command:</P>

<P><B>net rpc join -S DOMPDC -U<VAR>Administrator%password</VAR></B></P>

<P>as we are joining the domain DOM and the PDC for that domain
(the only machine that has write access to the domain SAM database)
is DOMPDC. The <VAR>Administrator%password</VAR> is
the login name and password for an account which has the necessary
privilege to add machines to the domain. If this is successful
you will see the message:</P>

<P><SAMP CLASS="COMPUTEROUTPUT">Joined domain DOM.</SAMP> or
<SAMP CLASS="COMPUTEROUTPUT">Joined 'SERV1' to realm 'MYREALM'</SAMP></P>

<P>in your terminal window. See the <TT>net</TT> man page for more details.</P>

<P>This process joins the server to the domain
without having to create the machine trust account on the PDC beforehand.</P>

<P>This command goes through the machine account password
change protocol, then writes the new (random) machine account
password for this Samba server into a file in the same directory
in which an smbpasswd file would be stored, normally:</P>

<P><TT>/usr/local/samba/private/secrets.tdb</TT></P>

<P>This file is created and owned by root and is not
readable by any other user. It is the key to the domain-level
security for your system, and should be treated as carefully
as a shadow password file.</P>

<P>Finally, restart your Samba daemons and get ready for
clients to begin using domain security!</P>
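<P>As an added example (not part of the Samba documentation or the project's own tooling), a POSIX shell script that checks the two things this section tells you to get right: that the [global] section of <TT>smb.conf</TT> carries <B>security = domain</B> (flagging the older <B>security = server</B>), a <B>workgroup</B>, <B>encrypt passwords = yes</B> and a <B>password server</B> line, and that <TT>secrets.tdb</TT> is root-owned with no group or other permission bits. The sample configuration text is constructed; the function names, the optional uid argument and the path handed to <TT>check_secrets_file</TT> are assumptions.</P>

```shell
# Constructed sample smb.conf (not from the Samba project) with the settings
# this chapter prescribes for domain security.
SAMPLE_SMB_CONF='[global]
   workgroup = DOM
   security = domain
   encrypt passwords = yes
   password server = DOMPDC DOMBDC1 DOMBDC2'

# Print the value of one [global] parameter from smb.conf text on stdin
# (case-insensitive name, comments skipped, last definition wins as in smbd).
global_param() {
    awk -v want="$(printf '%s' "$1" | tr 'A-Z' 'a-z')" '
        /^[ \t]*[;#]/ { next }
        /^[ \t]*\[/   { insec = (tolower($0) ~ /^[ \t]*\[global\][ \t]*$/); next }
        insec && index($0, "=") {
            key = substr($0, 1, index($0, "=") - 1); val = substr($0, index($0, "=") + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", key); gsub(/^[ \t]+|[ \t]+$/, "", val)
            if (tolower(key) == want) { found = 1; out = val }
        }
        END { if (found) print out }'
}

# Return 0 when the config text in $1 has the four settings needed to join as
# a domain member; print each deviation (e.g. security = server) and return 1.
check_domain_security() {
    rc=0
    sec=$(printf '%s\n' "$1" | global_param security | tr 'A-Z' 'a-z')
    [ "$sec" = domain ] || { echo "security = '$sec'; must be 'domain' (not 'server')"; rc=1; }
    [ -n "$(printf '%s\n' "$1" | global_param workgroup)" ] || { echo "workgroup must name the domain"; rc=1; }
    enc=$(printf '%s\n' "$1" | global_param 'encrypt passwords' | tr 'A-Z' 'a-z')
    case $enc in yes|true|1) ;; *) echo "encrypt passwords must be yes"; rc=1 ;; esac
    [ -n "$(printf '%s\n' "$1" | global_param 'password server')" ] || { echo "password server must list DCs or be '*'"; rc=1; }
    return $rc
}

# Return 0 when FILE (secrets.tdb) is owned by uid OWNER (default 0, root) and
# carries no group/other permission bits, as the chapter requires; 1 otherwise.
check_secrets_file() {
    f="$1"; want_uid="${2:-0}"
    [ -f "$f" ] || { echo "$f: missing; has 'net rpc join' been run?"; return 1; }
    set -- $(ls -lnd "$f")                   # portable, unlike stat's option flags
    rc=0
    [ "$3" = "$want_uid" ] || { echo "$f: owner uid $3, expected $want_uid"; rc=1; }
    case $1 in ????------*) ;; *) echo "$f: mode $1 readable beyond owner; use 0600"; rc=1 ;; esac
    return $rc
}
```

Run <TT>check_domain_security "$(cat /usr/local/samba/lib/smb.conf)"</TT> and <TT>check_secrets_file /usr/local/samba/private/secrets.tdb</TT> after the join; a non-zero exit with a printed reason is the signal to fix the configuration before restarting the daemons.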
<H2>9.2. Why is this better than security = server?</H2>

<P>Currently, domain security in Samba doesn't free you from
having to create local Unix users to represent the users attaching
to your server. This means that if domain user <CODE>DOM\fred</CODE>
attaches to your domain security Samba server, there needs
to be a local Unix user fred to represent that user in the Unix
filesystem. This is very similar to the older Samba security mode
<A HREF="smb.conf.5.html#SECURITYEQUALSSERVER">security = server</A>,
where Samba would pass through the authentication request to a Windows
NT server in the same way as a Windows 95 or Windows 98 server would.</P>

<P>Please refer to the relevant chapter for information on a system to
automatically assign UNIX uids and gids to Windows NT Domain users and groups.
This code is available in development branches only at the moment,
but will be moved to release branches soon.</P>

<P>The advantage to domain-level security is that the
authentication in domain-level security is passed down the authenticated
RPC channel in exactly the same way that an NT server would do it. This
means Samba servers now participate in domain trust relationships in
exactly the same way NT servers do (i.e., you can add Samba servers into
a resource domain and have the authentication passed on from a resource
domain PDC to an account domain PDC).</P>

<P>In addition, with <B>security = server</B>, every Samba
daemon on a server has to keep a connection open to the
authenticating server for as long as that daemon lasts. This can drain
the connection resources on a Microsoft NT server and cause it to run
out of available connections. With <B>security = domain</B>,
however, the Samba daemons connect to the PDC/BDC only for as long
as is necessary to authenticate the user, and then drop the connection,
thus conserving PDC connection resources.</P>

<P>And finally, acting in the same manner as an NT server
authenticating to a PDC means that as part of the authentication
reply, the Samba server gets the user identification information such
as the user SID, the list of NT groups the user belongs to, etc.</P>
<P><B>Note:</B> Much of the text of this document
was first published in the Web magazine
<A HREF="http://www.linuxworld.com">LinuxWorld</A>, in the article at
<A HREF="http://www.linuxworld.com/linuxworld/lw-1998-10/lw-10-samba.html">http://www.linuxworld.com/linuxworld/lw-1998-10/lw-10-samba.html</A>.</P>

<TABLE SUMMARY="Footer navigation table" WIDTH="100%" BORDER="0">
<TR>
<TD ALIGN="left">Prev: Samba as a ADS domain member</TD>
<TD ALIGN="center"><A HREF="samba-howto-collection.html">SAMBA Project Documentation</A></TD>
<TD ALIGN="right">Next: <A HREF="optional.html">Advanced Configuration</A></TD>
</TR>
</TABLE>