search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
another merge from 2.2
[Samba/gbeck.git] / docs / docbook / projdoc / DOMAIN_MEMBER.sgml
blobc6dbda15a35033719182f610604f63972a3c7bf9
1 <chapter>
2
3 <chapterinfo>
4 <author>
5 <firstname>Jeremy</firstname><surname>Allison</surname>
6 <affiliation>
7 <orgname>Samba Team</orgname>
8 <address>
9 <email>samba@samba.org</email>
10 </address>
11 </affiliation>
12 </author>
13 <author>
14 <firstname>Jerry</firstname><surname>Carter</surname>
15 <affiliation>
16 <orgname>Samba Team</orgname>
17 <address>
18 <email>jerry@samba.org</email>
19 </address>
20 </affiliation>
21 </author>
22
23
24 <pubdate>16 Apr 2001</pubdate>
25 </chapterinfo>
26
27
28 <title>security = domain in Samba 2.x</title>
29
30 <sect1>
31
32 <title>Joining an NT Domain with Samba 2.2</title>
33
34 <para>In order for a Samba-2 server to join an NT domain,
35 you must first add the NetBIOS name of the Samba server to the
36 NT domain on the PDC using Server Manager for Domains. This creates
37 the machine account in the domain (PDC) SAM. Note that you should
38 add the Samba server as a "Windows NT Workstation or Server",
39 <emphasis>NOT</emphasis> as a Primary or backup domain controller.</para>
40
41 <para>Assume you have a Samba-2 server with a NetBIOS name of
42 <constant>SERV1</constant> and are joining an NT domain called
43 <constant>DOM</constant>, which has a PDC with a NetBIOS name
44 of <constant>DOMPDC</constant> and two backup domain controllers
45 with NetBIOS names <constant>DOMBDC1</constant> and <constant>DOMBDC2
46 </constant>.</para>
47
48 <para>In order to join the domain, first stop all Samba daemons
49 and run the command:</para>
50
51 <para><prompt>root# </prompt><userinput>smbpasswd -j DOM -r DOMPDC
52 </userinput></para>
53
54 <para>as we are joining the domain DOM and the PDC for that domain
55 (the only machine that has write access to the domain SAM database)
56 is DOMPDC. If this is successful you will see the message:</para>
57
58 <para><computeroutput>smbpasswd: Joined domain DOM.</computeroutput>
59 </para>
60
61 <para>in your terminal window. See the <ulink url="smbpasswd.8.html">
62 smbpasswd(8)</ulink> man page for more details.</para>
63
64 <para>There is existing development code to join a domain
65 without having to create the machine trust account on the PDC
66 beforehand. This code will hopefully be available soon
67 in release branches as well.</para>
68
69 <para>This command goes through the machine account password
70 change protocol, then writes the new (random) machine account
71 password for this Samba server into a file in the same directory
72 in which an smbpasswd file would be stored - normally :</para>
73
74 <para><filename>/usr/local/samba/private</filename></para>
75
76 <para>In Samba 2.0.x, the filename looks like this:</para>
77
78 <para><filename><replaceable>&lt;NT DOMAIN NAME&gt;</replaceable>.<replaceable>&lt;Samba
79 Server Name&gt;</replaceable>.mac</filename></para>
80
81 <para>The <filename>.mac</filename> suffix stands for machine account
82 password file. So in our example above, the file would be called:</para>
83
84 <para><filename>DOM.SERV1.mac</filename></para>
85
86 <para>In Samba 2.2, this file has been replaced with a TDB
87 (Trivial Database) file named <filename>secrets.tdb</filename>.
88 </para>
89
90
91 <para>This file is created and owned by root and is not
92 readable by any other user. It is the key to the domain-level
93 security for your system, and should be treated as carefully
94 as a shadow password file.</para>
95
96 <para>Now, before restarting the Samba daemons you must
97 edit your <ulink url="smb.conf.5.html"><filename>smb.conf(5)</filename>
98 </ulink> file to tell Samba it should now use domain security.</para>
99
100 <para>Change (or add) your <ulink url="smb.conf.5.html#SECURITY">
101 <parameter>security =</parameter></ulink> line in the [global] section
102 of your smb.conf to read:</para>
103
104 <para><command>security = domain</command></para>
105
106 <para>Next change the <ulink url="smb.conf.5.html#WORKGROUP"><parameter>
107 workgroup =</parameter></ulink> line in the [global] section to read: </para>
108
109 <para><command>workgroup = DOM</command></para>
110
111 <para>as this is the name of the domain we are joining. </para>
112
113 <para>You must also have the parameter <ulink url="smb.conf.5.html#ENCRYPTPASSWORDS">
114 <parameter>encrypt passwords</parameter></ulink> set to <constant>yes
115 </constant> in order for your users to authenticate to the NT PDC.</para>
116
117 <para>Finally, add (or modify) a <ulink url="smb.conf.5.html#PASSWORDSERVER">
118 <parameter>password server =</parameter></ulink> line in the [global]
119 section to read: </para>
120
121 <para><command>password server = DOMPDC DOMBDC1 DOMBDC2</command></para>
122
123 <para>These are the primary and backup domain controllers Samba
124 will attempt to contact in order to authenticate users. Samba will
125 try to contact each of these servers in order, so you may want to
126 rearrange this list in order to spread out the authentication load
127 among domain controllers.</para>
128
129 <para>Alternatively, if you want smbd to automatically determine
130 the list of Domain controllers to use for authentication, you may
131 set this line to be :</para>
132
133 <para><command>password server = *</command></para>
134
135 <para>This method, which was introduced in Samba 2.0.6,
136 allows Samba to use exactly the same mechanism that NT does. This
137 method either broadcasts or uses a WINS database in order to
138 find domain controllers to authenticate against.</para>
139
140 <para>Finally, restart your Samba daemons and get ready for
141 clients to begin using domain security!</para>
142 </sect1>
143
144 <sect1>
145 <title>Samba and Windows 2000 Domains</title>
146
147 <para>
148 Many people have asked regarding the state of Samba's ability to participate in
149 a Windows 2000 Domain. Samba 2.2 is able to act as a member server of a Windows
150 2000 domain operating in mixed or native mode.
151 </para>
152
153 <para>
154 There is much confusion between the circumstances that require a "mixed" mode
155 Win2k DC and a when this host can be switched to "native" mode. A "mixed" mode
156 Win2k domain controller is only needed if Windows NT BDCs must exist in the same
157 domain. By default, a Win2k DC in "native" mode will still support
158 NetBIOS and NTLMv1 for authentication of legacy clients such as Windows 9x and
159 NT 4.0. Samba has the same requirements as a Windows NT 4.0 member server.
160 </para>
161
162 <para>
163 The steps for adding a Samba 2.2 host to a Win2k domain are the same as those
164 for adding a Samba server to a Windows NT 4.0 domain. The only exception is that
165 the "Server Manager" from NT 4 has been replaced by the "Active Directory Users and
166 Computers" MMC (Microsoft Management Console) plugin.
167 </para>
168
169 </sect1>
170
171
172 <sect1>
173 <title>Why is this better than security = server?</title>
174
175 <para>Currently, domain security in Samba doesn't free you from
176 having to create local Unix users to represent the users attaching
177 to your server. This means that if domain user <constant>DOM\fred
178 </constant> attaches to your domain security Samba server, there needs
179 to be a local Unix user fred to represent that user in the Unix
180 filesystem. This is very similar to the older Samba security mode
181 <ulink url="smb.conf.5.html#SECURITYEQUALSSERVER">security = server</ulink>,
182 where Samba would pass through the authentication request to a Windows
183 NT server in the same way as a Windows 95 or Windows 98 server would.
184 </para>
185
186 <para>Please refer to the <ulink url="winbind.html">Winbind
187 paper</ulink> for information on a system to automatically
188 assign UNIX uids and gids to Windows NT Domain users and groups.
189 This code is available in development branches only at the moment,
190 but will be moved to release branches soon.</para>
191
192 <para>The advantage to domain-level security is that the
193 authentication in domain-level security is passed down the authenticated
194 RPC channel in exactly the same way that an NT server would do it. This
195 means Samba servers now participate in domain trust relationships in
196 exactly the same way NT servers do (i.e., you can add Samba servers into
197 a resource domain and have the authentication passed on from a resource
198 domain PDC to an account domain PDC.</para>
199
200 <para>In addition, with <command>security = server</command> every Samba
201 daemon on a server has to keep a connection open to the
202 authenticating server for as long as that daemon lasts. This can drain
203 the connection resources on a Microsoft NT server and cause it to run
204 out of available connections. With <command>security = domain</command>,
205 however, the Samba daemons connect to the PDC/BDC only for as long
206 as is necessary to authenticate the user, and then drop the connection,
207 thus conserving PDC connection resources.</para>
208
209 <para>And finally, acting in the same manner as an NT server
210 authenticating to a PDC means that as part of the authentication
211 reply, the Samba server gets the user identification information such
212 as the user SID, the list of NT groups the user belongs to, etc. All
213 this information will allow Samba to be extended in the future into
214 a mode the developers currently call appliance mode. In this mode,
215 no local Unix users will be necessary, and Samba will generate Unix
216 uids and gids from the information passed back from the PDC when a
217 user is authenticated, making a Samba server truly plug and play
218 in an NT domain environment. Watch for this code soon.</para>
219
220 <para><emphasis>NOTE:</emphasis> Much of the text of this document
221 was first published in the Web magazine <ulink url="http://www.linuxworld.com">
222 LinuxWorld</ulink> as the article <ulink
223 url="http://www.linuxworld.com/linuxworld/lw-1998-10/lw-10-samba.html">Doing
224 the NIS/NT Samba</ulink>.</para>
225
226 </sect1>
227
228 </chapter>
WIP