2025-01-08 21:18:16 +03:00 · 2003-02-01 05:16:00 +00:00 · 2003-02-01 05:16:00 +00:00 · 1454c1c99a
commit 1454c1c99a
parent bcc51dcc2f
2 changed files with 51 additions and 88 deletions
--- a/docs/docbook/manpages/winbindd.8.sgml
+++ b/docs/docbook/manpages/winbindd.8.sgml
@ -271,13 +271,11 @@ auth       required     /lib/security/pam_pwdb.so use_first_pass shadow nullok
  	<para>The next step is to join the domain. To do that use the 
 	<command>smbpasswd</command> program like this:  </para>
-	<para><command>smbpasswd -j DOMAIN -r PDC -U
+	<para><command>net join -S PDC -U Administrator</command></para>
 	Administrator</command></para>
 	<para>The username after the <parameter>-U</parameter> can be any
 	Domain user that has administrator privileges on the machine.
-	Substitute your domain name for "DOMAIN" and the name of your PDC
+	Substitute the name or IP of your PDC for "PDC".</para>
 	for "PDC".</para>
 	<para>Next copy <filename>libnss_winbind.so</filename> to 
 	<filename>/lib</filename> and <filename>pam_winbind.so
--- a/docs/docbook/projdoc/DOMAIN_MEMBER.sgml
+++ b/docs/docbook/projdoc/DOMAIN_MEMBER.sgml
@ -25,79 +25,29 @@
 </chapterinfo>
-<title>Samba as a NT4 domain member</title>
+<title>Samba as a NT4 or Win2k domain member</title>
 <sect1>
-	<title>Joining an NT Domain with Samba 2.2</title>
+	<title>Joining an NT Domain with Samba 3.0</title>
-	<para>Assume you have a Samba 2.x server with a NetBIOS name of 
+	<para>Assume you have a Samba 3.0 server with a NetBIOS name of 
-	<constant>SERV1</constant> and are joining an NT domain called
+	<constant>SERV1</constant> and are joining an or Win2k NT domain called
 	<constant>DOM</constant>, which has a PDC with a NetBIOS name
 	of <constant>DOMPDC</constant> and two backup domain controllers 
 	with NetBIOS names <constant>DOMBDC1</constant> and <constant>DOMBDC2
 	</constant>.</para>
-	<para>In order to join the domain, first stop all Samba daemons 
+	<para>Firstly, you must edit your <ulink url="smb.conf.5.html"><filename>smb.conf(5)</filename>
 	and run the command:</para>
 	<para><prompt>root# </prompt><userinput>smbpasswd -j DOM -r DOMPDC
 	-U<replaceable>Administrator%password</replaceable></userinput></para>
 	<para>as we are joining the domain DOM and the PDC for that domain 
 	(the only machine that has write access to the domain SAM database) 
 	is DOMPDC. The <replaceable>Administrator%password</replaceable> is 
 	the login name and password for an account which has the necessary 
 	privilege to add machines to the domain.  If this is successful 
 	you will see the message:</para>
 	<para><computeroutput>smbpasswd: Joined domain DOM.</computeroutput>
 	</para>
 	<para>in your terminal window. See the <ulink url="smbpasswd.8.html">
 	smbpasswd(8)</ulink> man page for more details.</para>
 	<para>There is existing development code to join a domain
 	without having to create the machine trust account on the PDC
 	beforehand.  This code will hopefully be available soon
 	in release branches as well.</para>
 	<para>This command goes through the machine account password 
 	change protocol, then writes the new (random) machine account 
 	password for this Samba server into a file in the same directory 
 	in which an smbpasswd file would be stored - normally :</para>
 	<para><filename>/usr/local/samba/private</filename></para>
 	<para>In Samba 2.0.x, the filename looks like this:</para>
 	<para><filename><replaceable>&lt;NT DOMAIN NAME&gt;</replaceable>.<replaceable>&lt;Samba 
 	Server Name&gt;</replaceable>.mac</filename></para>
 	<para>The <filename>.mac</filename> suffix stands for machine account 
 	password file. So in our example above, the file would be called:</para>
 	<para><filename>DOM.SERV1.mac</filename></para>
 	<para>In Samba 2.2, this file has been replaced with a TDB 
 	(Trivial Database) file named <filename>secrets.tdb</filename>.
 	</para>
 	<para>This file is created and owned by root and is not 
 	readable by any other user. It is the key to the domain-level 
 	security for your system, and should be treated as carefully 
 	as a shadow password file.</para>
 	<para>Now, before restarting the Samba daemons you must 
 	edit your <ulink url="smb.conf.5.html"><filename>smb.conf(5)</filename>
 	</ulink> file to tell Samba it should now use domain security.</para>
 	<para>Change (or add) your <ulink url="smb.conf.5.html#SECURITY">
 	<parameter>security =</parameter></ulink> line in the [global] section 
 	of your smb.conf to read:</para>
-	<para><command>security = domain</command></para>
+	<para><command>security = domain</command> or
 	<command>security = ads</command> depending on if the PDC is
 	NT4 or running Active Directory respectivly.</para>
 	<para>Next change the <ulink url="smb.conf.5.html#WORKGROUP"><parameter>
 	workgroup =</parameter></ulink> line in the [global] section to read: </para>
@ -128,11 +78,47 @@
 	<para><command>password server = *</command></para>
-	<para>This method, which was introduced in Samba 2.0.6, 
+	<para>This method, allows Samba to use exactly the same
-	allows Samba to use exactly the same mechanism that NT does. This 
+        mechanism that NT does. This 
 	method either broadcasts or uses a WINS database in order to
 	find domain controllers to authenticate against.</para>
 	<para>In order to actually join the domain, you must run this
        command:</para>
 	<para><prompt>root# </prompt><userinput>net join -S DOMPDC
 	-U<replaceable>Administrator%password</replaceable></userinput></para>
 	<para>as we are joining the domain DOM and the PDC for that domain 
 	(the only machine that has write access to the domain SAM database) 
 	is DOMPDC. The <replaceable>Administrator%password</replaceable> is 
 	the login name and password for an account which has the necessary 
 	privilege to add machines to the domain.  If this is successful 
 	you will see the message:</para>
 	<para><computeroutput>Joined domain DOM.</computeroutput>
 	or <computeroutput>Joined 'SERV1' to realm 'MYREALM'</computeroutput>
 	</para>
 	<para>in your terminal window. See the <ulink url="net.8.html">
 	net(8)</ulink> man page for more details.</para>
 	<para>This process joins the server to thedomain
 	without having to create the machine trust account on the PDC
 	beforehand.</para>
 	<para>This command goes through the machine account password 
 	change protocol, then writes the new (random) machine account 
 	password for this Samba server into a file in the same directory 
 	in which an smbpasswd file would be stored - normally :</para>
 	<para><filename>/usr/local/samba/private/secrets.tdb</filename></para>
 	<para>This file is created and owned by root and is not 
 	readable by any other user. It is the key to the domain-level 
 	security for your system, and should be treated as carefully 
 	as a shadow password file.</para>
 	<para>Finally, restart your Samba daemons and get ready for 
 	clients to begin using domain security!</para>
 </sect1>
@ -144,23 +130,8 @@
 <para>
 Many people have asked regarding the state of Samba's ability to participate in
 a Windows 2000 Domain.  Samba 3.0 is able to act as a member server of a Windows
-2000 domain operating in mixed or native mode.
+2000 domain operating in mixed or native mode.  The steps above apply
-</para>
+to both NT4 and Windows 2000.
 <para>
 There is much confusion between the circumstances that require a "mixed" mode
 Win2k DC and a when this host can be switched to "native" mode.  A "mixed" mode
 Win2k domain controller is only needed if Windows NT BDCs must exist in the same
 domain.  By default, a Win2k DC in "native" mode will still support
 NetBIOS and NTLMv1 for authentication of legacy clients such as Windows 9x and 
 NT 4.0.  Samba has the same requirements as a Windows NT 4.0 member server.
 </para>
 <para>
 The steps for adding a Samba 2.2 host to a Win2k domain are the same as those
 for adding a Samba server to a Windows NT 4.0 domain. The only exception is that 
 the "Server Manager" from NT 4 has been replaced by the "Active Directory Users and 
 Computers" MMC (Microsoft Management Console) plugin.
 </para>
 </sect1>
@ -205,13 +176,7 @@ Computers" MMC (Microsoft Management Console) plugin.
 	<para>And finally, acting in the same manner as an NT server 
 	authenticating to a PDC means that as part of the authentication 
 	reply, the Samba server gets the user identification information such 
-	as the user SID, the list of NT groups the user belongs to, etc. All 
+	as the user SID, the list of NT groups the user belongs to, etc. </para>
 	this information will allow Samba to be extended in the future into 
 	a mode the developers currently call appliance mode. In this mode, 
 	no local Unix users will be necessary, and Samba will generate Unix 
 	uids and gids from the information passed back from the PDC when a 
 	user is authenticated, making a Samba server truly plug and play 
 	in an NT domain environment. Watch for this code soon.</para>
 	<para><emphasis>NOTE:</emphasis> Much of the text of this document 
 	was first published in the Web magazine <ulink url="http://www.linuxworld.com">