sin/samba-mirror
1
0
Fork 0
mirror of https://github.com/samba-team/samba.git synced 2024-12-27 03:21:53 +03:00
Code

Hackety, hackety, hack. More edits.

Browse Source
This commit is contained in:
John Terpstra 0001-01-01 00:00:00 +00:00
parent ba7305600c
commit b41b42ca31
4 changed files with 464 additions and 325 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

222
docs/docbook/projdoc/DOMAIN_MEMBER.xml
View File

@ -179,7 +179,227 @@ LinuxWorld</ulink> as the article <ulink
url="http://www.linuxworld.com/linuxworld/lw-1998-10/lw-10-samba.html">Doing
the NIS/NT Samba</ulink>.</para></note>
</sect2>
</sect1>
<sect1>
<title>Machine Trust Accounts and Domain Membership</title>
<para>
A machine trust account is an account that is used to authenticate a client machine
(rather than a user) to the Domain Controller server. In Windows terminology,
this is known as a "Computer Account."</para>
<para>
The password of a machine trust account acts as the shared secret for
secure communication with the Domain Controller. This is a security
feature to prevent an unauthorized machine with the same NetBIOS name
from joining the domain and gaining access to domain user/group
accounts. Windows NT, 200x, XP Professional clients use machine trust
accounts, but Windows 9x / Me / XP Home clients do not. Hence, a
Windows 9x / Me / XP Home client is never a true member of a domain
because it does not possess a machine trust account, and thus has no
shared secret with the domain controller.
</para>
<para>A Windows NT4 PDC stores each machine trust account in the Windows
Registry. The introduction of MS Windows 2000 saw the introduction of Active Directory,
the new repository for machine trust accounts.
</para>
<para>
A Samba PDC, however, stores each machine trust account in two parts,
as follows:
<itemizedlist>
<listitem><para>A Samba account, stored in the same location as user
LanMan and NT password hashes (currently <filename>smbpasswd</filename>).
The Samba account possesses and uses only the NT password hash.</para></listitem>
<listitem><para>A corresponding Unix account, typically stored in
<filename>/etc/passwd</filename>. (Future releases will alleviate the need to
create <filename>/etc/passwd</filename> entries.) </para></listitem>
</itemizedlist>
</para>
<para>
There are two ways to create machine trust accounts:
</para>
<itemizedlist>
<listitem><para> Manual creation. Both the Samba and corresponding
Unix account are created by hand.</para></listitem>
<listitem><para> "On-the-fly" creation. The Samba machine trust
account is automatically created by Samba at the time the client
is joined to the domain. (For security, this is the
recommended method.) The corresponding Unix account may be
created automatically or manually. </para>
</listitem>
</itemizedlist>
<sect2>
<title>Manual Creation of Machine Trust Accounts</title>
<para>
The first step in manually creating a machine trust account is to
manually create the corresponding Unix account in
<filename>/etc/passwd</filename>. This can be done using
<command>vipw</command> or other 'add user' command that is normally
used to create new Unix accounts. The following is an example for a
Linux based Samba server:
</para>
<para>
<prompt>root# </prompt><command>/usr/sbin/useradd -g 100 -d /dev/null -c <replaceable>"machine
nickname"</replaceable> -s /bin/false <replaceable>machine_name</replaceable>$ </command>
</para>
<para>
<prompt>root# </prompt><command>passwd -l <replaceable>machine_name</replaceable>$</command>
</para>
<para>On *BSD systems, this can be done using the 'chpass' utility:</para>
<para>
<prompt>root# </prompt><command>chpass -a "<replaceable>machine_name</replaceable>$:*:101:100::0:0:Workstation <replaceable>machine_name</replaceable>:/dev/null:/sbin/nologin"</command>
</para>
<para>
The <filename>/etc/passwd</filename> entry will list the machine name
with a "$" appended, won't have a password, will have a null shell and no
home directory. For example a machine named 'doppy' would have an
<filename>/etc/passwd</filename> entry like this:
</para>
<para><programlisting>
doppy$:x:505:501:<replaceable>machine_nickname</replaceable>:/dev/null:/bin/false
</programlisting></para>
<para>
Above, <replaceable>machine_nickname</replaceable> can be any
descriptive name for the client, i.e., BasementComputer.
<replaceable>machine_name</replaceable> absolutely must be the NetBIOS
name of the client to be joined to the domain. The "$" must be
appended to the NetBIOS name of the client or Samba will not recognize
this as a machine trust account.
</para>
<para>
Now that the corresponding Unix account has been created, the next step is to create
the Samba account for the client containing the well-known initial
machine trust account password. This can be done using the <ulink
url="smbpasswd.8.html"><command>smbpasswd(8)</command></ulink> command
as shown here:
</para>
<para>
<prompt>root# </prompt><userinput>smbpasswd -a -m <replaceable>machine_name</replaceable></userinput>
</para>
<para>
where <replaceable>machine_name</replaceable> is the machine's NetBIOS
name. The RID of the new machine account is generated from the UID of
the corresponding Unix account.
</para>
<warning>
<title>Join the client to the domain immediately</title>
<para>
Manually creating a machine trust account using this method is the
equivalent of creating a machine trust account on a Windows NT PDC using
the "Server Manager". From the time at which the account is created
to the time which the client joins the domain and changes the password,
your domain is vulnerable to an intruder joining your domain using
a machine with the same NetBIOS name. A PDC inherently trusts
members of the domain and will serve out a large degree of user
information to such clients. You have been warned!
</para>
</warning>
</sect2>
<sect2>
<title>"On-the-Fly" Creation of Machine Trust Accounts</title>
<para>
The second (and recommended) way of creating machine trust accounts is
simply to allow the Samba server to create them as needed when the client
is joined to the domain. </para>
<para>Since each Samba machine trust account requires a corresponding
Unix account, a method for automatically creating the
Unix account is usually supplied; this requires configuration of the
<ulink url="smb.conf.5.html#ADDMACHINESCRIPT">add machine script</ulink>
option in <filename>smb.conf</filename>. This
method is not required, however; corresponding Unix accounts may also
be created manually.
</para>
<para>
Below is an example for a RedHat Linux system.
</para>
<para><programlisting>
[global]
# &lt;...remainder of parameters...&gt;
add machine script = /usr/sbin/useradd -d /dev/null -g 100 -s /bin/false -M %u
</programlisting></para>
</sect2>
<sect2><title>Joining the Client to the Domain</title>
<para>
The procedure for joining a client to the domain varies with the version of Windows.
</para>
<itemizedlist>
<listitem><para><emphasis>Windows 2000</emphasis></para>
<para>
When the user elects to join the client to a domain, Windows prompts for
an account and password that is privileged to join the domain. A Samba administrative
account (i.e., a Samba account that has root privileges on the Samba server) must be
entered here; the operation will fail if an ordinary user account is given.
The password for this account should be set to a different password than the associated
<filename>/etc/passwd</filename> entry, for security reasons.
</para>
<para>
The session key of the Samba administrative account acts as an
encryption key for setting the password of the machine trust
account. The machine trust account will be created on-the-fly, or
updated if it already exists.
</para>
</listitem>
<listitem><para><emphasis>Windows NT</emphasis></para>
<para> If the machine trust account was created manually, on the
Identification Changes menu enter the domain name, but do not
check the box "Create a Computer Account in the Domain." In this case,
the existing machine trust account is used to join the machine to
the domain.</para>
<para> If the machine trust account is to be created
on-the-fly, on the Identification Changes menu enter the domain
name, and check the box "Create a Computer Account in the Domain." In
this case, joining the domain proceeds as above for Windows 2000
(i.e., you must supply a Samba administrative account when
prompted).</para>
</listitem>
<listitem><para><emphasis>Samba</emphasis></para>
<para>Joining a samba client to a domain is documented in
the <link linkend="domain-member">Domain Member</link> chapter.
</para></listitem>
</itemizedlist>
</sect2>
</sect1>
<sect1>
@ -196,7 +416,7 @@ Windows2000 KDC.
<para>You must use at least the following 3 options in smb.conf:</para>
<para><programlisting>
realm = YOUR.KERBEROS.REALM
realm = your.kerberos.REALM
security = ADS
encrypt passwords = yes
</programlisting></para>

540
docs/docbook/projdoc/Samba-PDC-HOWTO.xml
View File

@ -17,14 +17,14 @@
<formalpara><title><emphasis>The Essence of Learning:</emphasis></title>
<para>
There are many who approach MS Windows networking with incredible misconceptions.
That's OK, because it give the rest of us plenty of opportunity to help someone.
Those who really want help would be well advised to be informed of information that
is in fact already available.
That's OK, because it give the rest of us plenty of opportunity to be of assistance.
Those who really want help would be well advised to become familiar with information
that is already available.
</para>
</formalpara>
<para>
The reader is well advised NOT to tackle this section without having first understood
The reader is advised NOT to tackle this section without having first understood
and mastered some basics. MS Windows networking is not particularly forgiving of
misconfiguration. Users of MS Windows networking are likely to complain bitterly
of persistent niggles that may be caused by broken network or system configuration.
@ -50,9 +50,9 @@ networking problems:
</itemizedlist>
<para>
Do not be put off too much, on the surface of it MS Windows networking seems so simple
that any fool can do it. In fact, only a fool would set up an MS Windows network with
inadequate training and preparation. So let's get our first indelible principle out of the
Do not be put off, on the surface of it MS Windows networking seems so simple that any fool
can do it. In fact, it is not a good idea to set up an MS Windows network with
inadequate training and preparation. But let's get our first indelible principle out of the
way: <emphasis>It is perfectly OK to make mistakes!</emphasis> In the right place and at
the right time, mistakes are the essence of learning. It is <emphasis>very much</emphasis>
not Ok to make mistakes that cause loss of productivity and impose an avoidable financial
@ -83,14 +83,14 @@ The following functionalities are new to the Samba-3 release:
</para></listitem>
<listitem><para>
Samba-3 introduces replaceable and multiple user account (authentication)
Introduces replaceable and multiple user account (authentication)
back ends. In the case where the back end is placed in an LDAP database
Samba-3 confers the benefits of a back end that can be distributed, replicated,
and highly scalable.
</para></listitem>
<listitem><para>
Samba-3 implements full Unicode support. This simplifies cross locale internationalisation
Implements full Unicode support. This simplifies cross locale internationalisation
support. It also opens up the use of protocols that samba-2.2.x had but could not use due
to the need to fully support Unicode.
</para></listitem>
@ -117,26 +117,23 @@ The following functionalities are NOT provided by Samba-3:
</itemizedlist>
<para>
Please note that Windows 9x / Me / XP Home clients are not true members of a domain
for reasons outlined in this article. Therefore the protocol for support of Windows
9x / Me style domain logons is completely different from NT4 / Win2k type domain logons
nd has been officially supported for some time.
</para>
<para><emphasis>
MS Windows XP Home edition is NOT able to join a domain and does not permit
the use of domain logons.
</emphasis></para>
<para>
Samba-3 offers a complete implementation of group mapping between Windows NT groups
and Unix groups (this is really quite complicated to explain in a short space).
Windows 9x / Me / XP Home clients are not true members of a domain for reasons outlined
in this chapter. The protocol for support of Windows 9x / Me style network (domain) logons
is completely different from NT4 / Win2k type domain logons and has been officially supported
for some time. These clients use the old LanMan Network Logon facilities that are supported
in Samba since approximately the samba-1.9.15 series.
</para>
<para>
A Samba-3 PDC also has to store machine trust account information
in a suitable backend data store. With Samba-3 there can be multiple back-ends
for this including:
Samba-3 has an implementation of group mapping between Windows NT groups
and Unix groups (this is really quite complicated to explain in a short space) this is
discussed more fully in a chapter dedicated to this topic..
</para>
<para>
A Samba-3, like an MS Windows NT4 PDC or a Windows 200x Active Directory, needs to store
user and machine trust account information in a suitable backend data store. With Samba-3
there can be multiple back-ends for this including:
</para>
<itemizedlist>
@ -153,24 +150,40 @@ for this including:
stored in the <emphasis>private</emphasis> directory in a file called
<emphasis>passwd.tdb</emphasis>. The key benefit of this binary format
file is that it can store binary objects that can not be accomodated
in the traditional plain text smbpasswd file.
in the traditional plain text smbpasswd file. These permit the extended
account controls that MS Windows NT4 and later also have.
</para></listitem>
<listitem><para>
<emphasis>ldapsam</emphasis> - An LDAP based back-end. Permits the
LDAP server to be specified. eg: ldap://localhost or ldap://frodo.murphy.com
LDAP server to be specified. eg: ldap://localhost or ldap://frodo.murphy.com.
Like the tdbsam, ldapsam permits the storing of extended account attributes
for control of things like: Permitted access times, password activation and
expiry, permitted points of access (workstation names), per user profile
location, and much more.
</para></listitem>
<listitem><para>
<emphasis>ldapsam_compat</emphasis> - An LDAP back-end that maintains backwards
compatibility with the behaviour of samba-2.2.x. You should use this in the process
of mirgrating from samba-2.2.x to samba-3 if you do not want to rebuild your LDAP
database.
</para></listitem>
</itemizedlist>
<para>
Read the chapter about the <link linkend="passdb">User Database</link> for details.
Read the chapter about the <link linkend="passdb">User Database</link> for details
regarding the choices available and how to configure them.
</para>
<note><para>
The new tdbsam and ldapsam account backends store vastly more information than
The new tdbsam and ldapsam account backends store substantially more information than
smbpasswd is capable of. The new backend database includes capacity to specify
per user settings for many parameters, over-riding global settings given in the
<filename>smb.conf</filename> file. eg: logon drive, logon home, logon path, etc.
Thus, with samba-3 it is possible to have a default system configuration for profiles,
and on a per user basis to over-ride this for those users who should not be subject
to the default configuration.
</para></note>
</sect1>
@ -196,11 +209,11 @@ there are three basic types of domain controllers:
<para>
The <emphasis>Primary Domain Controller</emphasis> or PDC plays an important role in the MS
Windows NT4 and Windows 200x Domain Control architecture, but not in the manner that so many
expect. There is a form of folk lore that dictates that because of it's role in the MS Windows
expect. There is folk lore that dictates that because of it's role in the MS Windows
network that the PDC should be the most powerful and most capable machine in the network.
As corny as it may seem to say this here, where good over all network performance is desired
the entire infrastructure needs to be balanced. It may be more advisable to invest more in
the Backup Domain Controllers and Stand-Alone (or Domain Member) servers than in the PDC.
As strange as it may seem to say this here, good over all network performance dictates that
the entire infrastructure needs to be balanced. It is advisable to invest more in the Backup
Domain Controllers and Stand-Alone (or Domain Member) servers than in the PDC.
</para>
<para>
@ -210,6 +223,14 @@ part in NT4 type domain user authentication and in synchronisation of the domain
database with Backup Domain Controllers.
</para>
<para>
With MS Windows 200x Server based Active Directory domains, one domain controller seeds a potential
hierachy of domain controllers, each with their own area of delegated control. The master domain
controller has the ability to override any down-stream controller, but a down-line controller has
control only over it's down-line. With Samba-3 this functionality can be implemented using an
LDAP based user and machine account back end.
</para>
<para>
New to Samba-3 is the ability to use a back-end database that holds the same type of data as
the NT4 style SAM (Security Account Manager) database (one of the registry files).
@ -238,7 +259,8 @@ reinstall it. The install time choices offered are:
<itemizedlist>
<listitem><para>Primary Domain Controller - The one that seeds the domain SAM</para></listitem>
<listitem><para>Backup Domain Controller - One that obtains a copy of the domain SAM</para></listitem>
<listitem><para>Stand-Alone Server - One that plays NO part is SAM synchronisation</para></listitem>
<listitem><para>Domain Controller - One that has NO copy of the domain SAM, rather it obtains authentication from a Domain Controller for all access controls.</para></listitem>
<listitem><para>Stand-Alone Server - One that plays NO part is SAM synchronisation, has it's own authentication database and plays no role in Domain security.</para></listitem>
</itemizedlist>
<para>
@ -266,53 +288,79 @@ be revised to duely reflect all configuration and management requirements.
<title>Preparing for Domain Control</title>
<para>
The following outlines the steps necessary for configuring Samba-3 as an MS Windows NT4 style PDC.
It is necessary to have a working Samba server prior to implementing the PDC functionality.
</para>
<itemizedlist>
<listitem><para>
Domain logons for Windows NT 4.0 / 200x / XP Professional clients.
</para></listitem>
<listitem><para>
Placing Windows 9x / Me clients in user level security
</para></listitem>
<listitem><para>
Retrieving a list of users and groups from a Samba PDC to Windows 9x / Me / NT / 200x / XP
Professional clients
</para></listitem>
<listitem><para>
Roaming Profiles
</para></listitem>
<listitem><para>
Network/System Policies
</para></listitem>
</itemizedlist>
<note><para>
Roaming Profiles and System/Network policies are advanced network administration topics
that are covered separately in this document.
</para></note>
<para>
Implementing a Samba PDC can basically be divided into 4 broad steps.
The following are necessary for configuring Samba-3 as an MS Windows NT4 style PDC for MS Windows
NT4 / 200x / XP clients.
</para>
<orderedlist numeration="arabic">
<listitem><para>
Configuration of basic MS Windows Networking
Configuration of basic TCP/IP and MS Windows Networking
</para></listitem>
<listitem><para>
Configuring the Samba PDC
Correct designation of the Server Role (<emphasis>security = user</emphasis>)
</para></listitem>
<listitem><para>
Consistent configuration of Name Resolution (See chapter on Browsing and on
MS Windows network Integration)
</para></listitem>
<listitem><para>
Domain logons for Windows NT4 / 200x / XP Professional clients
</para></listitem>
<listitem><para>
Creating machine trust accounts and joining machines to the domain
Configuration of Roaming Profiles or explicit configuration to force local profile usage
</para></listitem>
<listitem><para>
Configuration of Network/System Policies
</para></listitem>
<listitem><para>
Adding and managing domain user accounts
</para></listitem>
<listitem><para>
Configuring MS Windows client machines to become domain members
</para></listitem>
</orderedlist>
<para>
The following provisions are required to serve MS Windows 9x / Me Clients:
</para>
<orderedlist>
<listitem><para>
Configuration of basic TCP/IP and MS Windows Networking
</para></listitem>
<listitem><para>
Correct designation of the Server Role (<emphasis>security = user</emphasis>)
</para></listitem>
<listitem><para>
Network Logon Configuration (Since Windows 9x / XP Home are not technically domain
members, they do not really particpate in the security aspects of Domain logons as such)
</para></listitem>
<listitem><para>
Roaming Profile Configuration
</para></listitem>
<listitem><para>
Configuration of System Policy handling
</para></listitem>
<listitem><para>
Installation of the Network driver "Client for MS Windows Networks" and configuration
to log onto the domain
</para></listitem>
<listitem><para>
Placing Windows 9x / Me clients in user level security - if it is desired to allow
all client share access to be controlled according to domain user / group identities.
</para></listitem>
<listitem><para>
@ -320,9 +368,44 @@ Implementing a Samba PDC can basically be divided into 4 broad steps.
</para></listitem>
</orderedlist>
<note><para>
Roaming Profiles and System/Network policies are advanced network administration topics
that are covered separately in this document. However, these are not necessarily specific
to a Samba PDC as much as they are related to Windows NT networking concepts.
</para></note>
<para>
There are other details such as user profiles, system policies, etc. However, these are not
necessarily specific to a Samba PDC as much as they are related to Windows NT networking concepts.
A Domain Controller is an SMB/CIFS server that:
</para>
<itemizedlist>
<listitem><para>
Advertises and registers itself as a Domain Controller (Through NetBIOS broadcasts
as well as by way of name registrations either by Mailslot Broadcasts over UDP broadcast,
to a WINS server over UDP unicast, or via DNS and Active Directory)
</para></listitem>
<listitem><para>
Provides the NETLOGON service (actually a collection of services that runs over
a number of protocols. These include the LanMan Logon service, the Netlogon service,
the Local Security Account service, and variations of them)
</para></listitem>
<listitem><para>
Provides a share called NETLOGON
</para></listitem>
</itemizedlist>
<para>
For samba to provide these is rather easy to configure. Each Samba Domain Controller must provide
the NETLOGON service which samba calls the <emphasis>domain logons</emphasis> functionality
(after the name of the parameter in the &smb.conf; file). Additionally, one (1) server in a Samba-3
Domain must advertise itself as the domain master browser. This causes the Primary Domain Controller
to claim domain specific NetBIOS name that identifies it as a domain master browser for its given
domain/workgroup. Local master browsers in the same domain/workgroup on broadcast-isolated subnets
then ask for a complete copy of the browse list for the whole wide area network. Browser clients
will then contact their local master browser, and will receive the domain-wide browse list,
instead of just the list for their broadcast-isolated subnet.
</para>
</sect2>
@ -371,7 +454,7 @@ Here is an example &smb.conf; for acting as a PDC:
; where is a user's home directory and where should it be mounted at?
<ulink url="smb.conf.5.html#LOGONDRIVE">logon drive</ulink> = H:
<ulink url="smb.conf.5.html#LOGONHOME">logon home</ulink> = \\homeserver\%u
<ulink url="smb.conf.5.html#LOGONHOME">logon home</ulink> = \\homeserver\%u\winprofile
; specify a generic logon script for all users
; this is a relative **DOS** path to the [netlogon] share
@ -398,6 +481,7 @@ of operation. The following parameters are the essentials alone:
<programlisting>
workgroup = NARNIA
domain logons = Yes
domain master = Yes
security = User
</programlisting>
@ -428,239 +512,63 @@ There are a couple of points to emphasize in the above configuration.
</para></listitem>
</itemizedlist>
<sect2>
<title>Machine Trust Accounts and Domain Membership</title>
<para>
A machine trust account is an account that is used to authenticate a client machine
(rather than a user) to the Domain Controller server. In Windows terminology,
this is known as a "Computer Account."</para>
<para>
The password of a machine trust account acts as the shared secret for
secure communication with the Domain Controller. This is a security
feature to prevent an unauthorized machine with the same NetBIOS name
from joining the domain and gaining access to domain user/group
accounts. Windows NT, 200x, XP Professional clients use machine trust
accounts, but Windows 9x / Me / XP Home clients do not. Hence, a
Windows 9x / Me / XP Home client is never a true member of a domain
because it does not possess a machine trust account, and thus has no
shared secret with the domain controller.
</para>
<para>A Windows NT4 PDC stores each machine trust account in the Windows
Registry. The introduction of MS Windows 2000 saw the introduction of Active Directory,
the new repository for machine trust accounts.
</para>
<para>
A Samba PDC, however, stores each machine trust account in two parts,
as follows:
<itemizedlist>
<listitem><para>A Samba account, stored in the same location as user
LanMan and NT password hashes (currently <filename>smbpasswd</filename>).
The Samba account possesses and uses only the NT password hash.</para></listitem>
<listitem><para>A corresponding Unix account, typically stored in
<filename>/etc/passwd</filename>. (Future releases will alleviate the need to
create <filename>/etc/passwd</filename> entries.) </para></listitem>
</itemizedlist>
</para>
<para>
There are two ways to create machine trust accounts:
</para>
<itemizedlist>
<listitem><para> Manual creation. Both the Samba and corresponding
Unix account are created by hand.</para></listitem>
<listitem><para> "On-the-fly" creation. The Samba machine trust
account is automatically created by Samba at the time the client
is joined to the domain. (For security, this is the
recommended method.) The corresponding Unix account may be
created automatically or manually. </para>
</listitem>
</itemizedlist>
<sect3>
<title>Manual Creation of Machine Trust Accounts</title>
<para>
The first step in manually creating a machine trust account is to
manually create the corresponding Unix account in
<filename>/etc/passwd</filename>. This can be done using
<command>vipw</command> or other 'add user' command that is normally
used to create new Unix accounts. The following is an example for a
Linux based Samba server:
</para>
<para>
<prompt>root# </prompt><command>/usr/sbin/useradd -g 100 -d /dev/null -c <replaceable>"machine
nickname"</replaceable> -s /bin/false <replaceable>machine_name</replaceable>$ </command>
</para>
<para>
<prompt>root# </prompt><command>passwd -l <replaceable>machine_name</replaceable>$</command>
</para>
<para>On *BSD systems, this can be done using the 'chpass' utility:</para>
<para>
<prompt>root# </prompt><command>chpass -a "<replaceable>machine_name</replaceable>$:*:101:100::0:0:Workstation <replaceable>machine_name</replaceable>:/dev/null:/sbin/nologin"</command>
</para>
<para>
The <filename>/etc/passwd</filename> entry will list the machine name
with a "$" appended, won't have a password, will have a null shell and no
home directory. For example a machine named 'doppy' would have an
<filename>/etc/passwd</filename> entry like this:
</para>
<para><programlisting>
doppy$:x:505:501:<replaceable>machine_nickname</replaceable>:/dev/null:/bin/false
</programlisting></para>
<para>
Above, <replaceable>machine_nickname</replaceable> can be any
descriptive name for the client, i.e., BasementComputer.
<replaceable>machine_name</replaceable> absolutely must be the NetBIOS
name of the client to be joined to the domain. The "$" must be
appended to the NetBIOS name of the client or Samba will not recognize
this as a machine trust account.
</para>
<para>
Now that the corresponding Unix account has been created, the next step is to create
the Samba account for the client containing the well-known initial
machine trust account password. This can be done using the <ulink
url="smbpasswd.8.html"><command>smbpasswd(8)</command></ulink> command
as shown here:
</para>
<para>
<prompt>root# </prompt><userinput>smbpasswd -a -m <replaceable>machine_name</replaceable></userinput>
</para>
<para>
where <replaceable>machine_name</replaceable> is the machine's NetBIOS
name. The RID of the new machine account is generated from the UID of
the corresponding Unix account.
</para>
<warning>
<title>Join the client to the domain immediately</title>
<para>
Manually creating a machine trust account using this method is the
equivalent of creating a machine trust account on a Windows NT PDC using
the "Server Manager". From the time at which the account is created
to the time which the client joins the domain and changes the password,
your domain is vulnerable to an intruder joining your domain using
a machine with the same NetBIOS name. A PDC inherently trusts
members of the domain and will serve out a large degree of user
information to such clients. You have been warned!
</para>
</warning>
</sect3>
<sect3>
<title>"On-the-Fly" Creation of Machine Trust Accounts</title>
<para>
The second (and recommended) way of creating machine trust accounts is
simply to allow the Samba server to create them as needed when the client
is joined to the domain. </para>
<para>Since each Samba machine trust account requires a corresponding
Unix account, a method for automatically creating the
Unix account is usually supplied; this requires configuration of the
<ulink url="smb.conf.5.html#ADDMACHINESCRIPT">add machine script</ulink>
option in <filename>smb.conf</filename>. This
method is not required, however; corresponding Unix accounts may also
be created manually.
</para>
<para>
Below is an example for a RedHat Linux system.
</para>
<para><programlisting>
[global]
# &lt;...remainder of parameters...&gt;
add machine script = /usr/sbin/useradd -d /dev/null -g 100 -s /bin/false -M %u
</programlisting></para>
</sect3>
<sect3><title>Joining the Client to the Domain</title>
<para>
The procedure for joining a client to the domain varies with the version of Windows.
</para>
<itemizedlist>
<listitem><para><emphasis>Windows 2000</emphasis></para>
<para>
When the user elects to join the client to a domain, Windows prompts for
an account and password that is privileged to join the domain. A Samba administrative
account (i.e., a Samba account that has root privileges on the Samba server) must be
entered here; the operation will fail if an ordinary user account is given.
The password for this account should be set to a different password than the associated
<filename>/etc/passwd</filename> entry, for security reasons.
</para>
<para>
The session key of the Samba administrative account acts as an
encryption key for setting the password of the machine trust
account. The machine trust account will be created on-the-fly, or
updated if it already exists.
</para>
</listitem>
<listitem><para><emphasis>Windows NT</emphasis></para>
<para> If the machine trust account was created manually, on the
Identification Changes menu enter the domain name, but do not
check the box "Create a Computer Account in the Domain." In this case,
the existing machine trust account is used to join the machine to
the domain.</para>
<para> If the machine trust account is to be created
on-the-fly, on the Identification Changes menu enter the domain
name, and check the box "Create a Computer Account in the Domain." In
this case, joining the domain proceeds as above for Windows 2000
(i.e., you must supply a Samba administrative account when
prompted).</para>
</listitem>
<listitem><para><emphasis>Samba</emphasis></para>
<para>Joining a samba client to a domain is documented in
the <link linkend="domain-member">Domain Member</link> chapter.
</para></listitem>
</itemizedlist>
</sect3>
</sect2>
</sect1>
<sect1>
<title>Samba ADS Domain Control</title>
<para>
Not yet Freddie!
Samba-3 can behave and appear to MS Windows 200x and XP clients as an Active Directory Server.
To do this, Configure samba as a Primary Domain Controller, use LDAP as the passdb backend,
and configure Kerberos5. The problem with doing this is that samba-3 is NOT, despite this
configuration, and Active Directory server and does NOT yet fully support all protocols needed
to make this a possibility.
</para>
<para>
The best advice we can give at this time is - DO NOT DO THIS yet as it is NOT ready for
production deployment.
</para>
</sect1>
<sect1>
<title>Domain Control for Windows 9x/ME</title>
<title>Domain and Network Logon Configuration</title>
<para>
The subject of Network or Domain Logons is discussed here because it rightly forms
an integral part of the essential functionality that is provided by a Domain Controller.
</para>
<sect2>
<title>Domain Network Logon Service</title>
<para>
All Domain Controllers must run the netlogon service (<emphasis>domain logons</emphasis>
in Samba. One Domain Controller must be configured with <emphasis>domain master = Yes</emphasis>
(the Primary Domain Controller), on ALL Backup Domain Controllers <emphasis>domain master = No</emphasis>
must be set.
</para>
<title>Example Configuration</title>
<programlisting>
<title> A minimal configuration to support Domain Logons</title>
<para>
[globals]
domain logons = Yes
domain master = (Yes on PDC, No on BDCs)
[netlogon]
comment = Network Logon Service
path = /var/lib/samba/netlogon
guest ok = Yes
browseable = No
</para>
</programlisting>
<sect3>
<title>The Special Case of Windows 9x / Me / XP Home</title>
<para>
A domain and a workgroup are exactly the same thing in terms of network
@ -686,7 +594,6 @@ profiles for MS Windows for workgroups and MS Windows 9X/ME clients
which are the focus of this section.
</para>
<para>
When an SMB client in a domain wishes to logon it broadcast requests for a
logon server. The first one to reply gets the job, and validates its
@ -698,13 +605,17 @@ demonstrates how authentication is quite different from but closely
involved with domains.
</para>
<para>
Using these features you can make your clients verify their logon via
the Samba server; make clients run a batch file when they logon to
the network and download their preferences, desktop and start menu.
</para>
<para><emphasis>
MS Windows XP Home edition is NOT able to join a domain and does not permit
the use of domain logons.
</emphasis></para>
<para>
Before launching into the configuration instructions, it is
worthwhile to look at how a Windows 9x/ME client performs a logon:
@ -757,7 +668,7 @@ worthwhile to look at how a Windows 9x/ME client performs a logon:
<para>
The client then connects to the user's home share and searches for the
user's profile. As it turns out, you can specify the user's home share as
a sharename and path. For example, \\server\fred\.profile.
a sharename and path. For example, \\server\fred\.winprofile.
If the profiles are found, they are implemented.
</para>
</listitem>
@ -771,32 +682,29 @@ worthwhile to look at how a Windows 9x/ME client performs a logon:
</listitem>
</orderedlist>
<sect2>
<title>Configuring Network Logon Capability</title>
<para>
The main difference between a PDC and a Windows 9x logon server configuration is that
</para>
<itemizedlist>
<listitem><para>
Password encryption is not required for a Windows 9x logon server.
</para></listitem>
<listitem><para>
Windows 9x/ME clients do not possess machine trust accounts.
</para></listitem>
Password encryption is not required for a Windows 9x logon server.
</para></listitem>
<listitem><para>
Windows 9x/ME clients do not possess machine trust accounts.
</para></listitem>
</itemizedlist>
<para>
Therefore, a Samba PDC will also act as a Windows 9x logon server.
A Samba PDC will also act as a Windows 9x logon server.
</para>
<warning>
<title>security mode and master browsers</title>
</sect3>
</sect2>
<sect2>
<title>Security Mode and Master Browsers</title>
<para>
There are a few comments to make in order to tie up some
@ -836,9 +744,9 @@ has a domain controller, right?)
Therefore configuring a Samba box as a DC for a domain that
already by definition has a PDC is asking for trouble.
Therefore, you should always configure the Samba DC to be the DMB
for its domain.
for its domain and set <emphasis>security = user</emphasis>. This is the only
officially supported mode of operation.
</para>
</warning>
</sect2>

25
docs/docbook/projdoc/ServerType.xml
View File

@ -12,7 +12,7 @@ This chapter provides information regarding the types of server that Samba may b
configured to be. A Microsoft network administrator who wishes to migrate to or to
use Samba will want to know what within a Samba context, terms familiar to MS Windows
adminstrator mean. This means that it is essential also to define how critical security
contexts function BEFORE we get into the details of how to configure the server itself.
modes function BEFORE we get into the details of how to configure the server itself.
</para>
<para>
@ -27,7 +27,7 @@ features and benefits. These may be for or against Samba.
</para>
<sect1>
<title>Samba Features and Benefits</title>
<title>Features and Benefits</title>
<para>
Two men were walking down a dusty road, when one suddenly kicked up a small red stone. It
@ -131,6 +131,17 @@ mode as well as how to configure MS Windows clients for each mode will significa
reduce user complaints and administrator heartache.
</para>
<para>
There are in the SMB/CIFS networking world only two types of security: <emphasis>USER Level</emphasis>
and <emphasis>SHARE Level</emphasis>. We refer to these collectively as <emphasis>security levels</emphasis>. In implementing these two <emphasis>security levels</emphasis> samba provides flexibilities
that are not available with Microsoft Windows NT4 / 200x servers. Samba knows of fice (5)
ways that allow the security levels to be implemented. In actual fact, Samba implements
<emphasis>SHARE Levl</emphasis> security only one way, but has for ways of implementing
<emphasis>USER Level</emphasis> security. Collectively, we call the samba implementations
<emphasis>Security Modes</emphasis>. These are: <emphasis>SHARE, USER, DOMAIN, ADS, and SERVER</emphasis>
modes. They are documented in this chapter.
</para>
<para>
A SMB server tells the client at startup what <emphasis>security level</emphasis>
it is running. There are two options <emphasis>share level</emphasis> and
@ -244,7 +255,7 @@ with share mode security servers. You are strongly discouraged from use of this
</sect2>
<sect2>
<title>Domain Level Security</title>
<title>Domain Security Mode (User Level Security)</title>
<para>
When samba is operating in <emphasis>security = domain</emphasis> mode this means that
@ -313,12 +324,12 @@ in this HOWTO collection.
</sect2>
<sect2>
<title>ADS Level Security</title>
<title>ADS Security Mode (User Level Security)</title>
<para>
Samba-2.2.x could join and Active Directory domain so long as the Active Directory domain
controller is configured for mixed mode operation, and is running NetBIOS over TCP/IP. MS
Windows 2000 and later can be configured to run without NEtBIOS over TCP/IP, instead it
Windows 2000 and later can be configured to run without NetBIOS over TCP/IP, instead it
can run SMB natively over TCP/IP.
</para>
@ -334,7 +345,7 @@ to be a native Active Directory member server.
<para>
<programlisting>
realm = your.kerberos.realm
realm = your.kerberos.REALM
security = ADS
encrypt passwords = Yes
@ -353,7 +364,7 @@ regarding this configuration option.
</sect2>
<sect2>
<title>Server Level Security</title>
<title>Server Security (User Level Security)</title>
<para>
Server level security is a left over from the time when Samba was not capable of acting

2
docs/docbook/projdoc/samba-doc.xml
View File

@ -27,7 +27,7 @@ The most recent version of this document can be found at
<ulink url="http://www.samba.org/">http://www.samba.org/</ulink>
on the "Documentation" page. Please send updates to
<ulink url="mailto:jelmer@samba.org">Jelmer Vernooij</ulink>,
<ulink url="mailto:jht@samba.org">John Terpstra</ulink> or
<ulink url="mailto:jht@samba.org">John H Terpstra</ulink> or
<ulink url="mailto:jerry@samba.org">Gerald (Jerry) Carter</ulink>.
</para>