sin/samba-mirror
1
0
Fork 0
mirror of https://github.com/samba-team/samba.git synced 2025-01-04 05:18:06 +03:00
Code
d93d218c6d
samba-mirror/docs/docbook/samba-pdc-howto.sgml
David Bannon 6f044d9c47 First Release of the DocBook 'source'. 
(This used to be commit 6cb727c033)
2000-11-28 23:35:03 +00:00

767 lines
31 KiB
Plaintext
Raw Blame History

<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook V4.1//EN">
<book id="samba-pdc-howto">
<title>The Samba 2.2 PDC HowTo </title>
<!-- ========================================================
To produce html from this file
jade -E10 -t sgml -d html.dsl ntdom.sgml
This assumes that html.dsl is present in the current dir, it includes
a couple of defines and then refers to the DSSSL html stylesheet.
=========================================================== -->
<bookinfo>
<author><firstname>David</><surname>Bannon</>
<affiliation><orgname>La Trobe University</orgname></affiliation>
</author>
<pubdate>November 2000</pubdate>
</bookinfo>
<dedication><title></title>
<para>Comments, corrections and additions to <email>D.Bannon@latrobe.edu.au</email></para>
<para>
This document explains how to setup Samba as a Primary Domain Controller and
applies to version 2.2.0.
Before
using these functions make sure you understand what the controller can and cannot do.
Please read the sections below in the Introduction.
As 2.2.0 is incrementally updated
this document will change or become out of date very quickly, make sure you are
reading the most current version.
</para>
<para>Please note this document does not apply to Samba2.2alpha0, Samba2.2alpha1,
Samba 2.0.7, TNG nor HEAD branch.</para>
<para>It does apply to the current (post November 27th) cvs.</para>
<para>
Also available is an updated version of Jerry Carter's NTDom <ulink url="samba-pdc-faq.html">
FAQ</> that will answer lots of
the special 'tuning' questions that are not covered here. Over the next couple of weeks
some of the items here will be moved to the FAQ.
</para>
</dedication>
<toc> </toc>
<!-- ================ I N T R O D U C T I O N ==================== -->
<chapter><title>Introduction</title>
<para>
This document will show you one way of making Version 2.2.0
of Samba perform some of the tasks of a
NT Primary Domain Controller. The facilities described are built into Samba as a result of
development work done over a number of years by a large number of people. These facilities
are only just beginning to be officially supported and although they do appear to work reliably,
if you use them then you take the risks upon your self. This document does not cover the
developmental versions of Samba, particularly
<ulink url="http://www.samba-tng.org/"><citetitle>Samba-TNG</citetitle></ulink>
</para>
<para>Note that <ulink url="http://bioserve.latrobe.edu.au/samba">Samba 2.0.7</>
supports significently less of the NT Domain facilities compared with 2.2.0
</para>
<para>
This document does not replace the text files DOMAIN_CONTROL.txt, DOMAIN.txt (by
John H Terpstra) or NTDOMAIN.txt (by Luke Kenneth Casson Leighton). Those documents provide
more detail and an insight to the development
cycle and should be considered 'further reading'.
</para>
<sect1><title>What can we do ?</title>
<itemizedlist>
<listitem><para>Permit 'domain logons' for Win95/98, NT4 and W2K workstations from one central
password database. WRT W2K, please see the section about adding machine
accounts and the Intro in the <ulink url="samba-pdc-faq.html">FAQ</>.</para></listitem>
<listitem><para>Grant Administrator privileges to particular domain users on an
NT or W2K workstation.</para></listitem>
<listitem><para>Apply policies from a domain policy file to NT and W2K (?)
workstation.</para></listitem>
<listitem><para>Run the appropriate logon script when a user logs on to the domain
.</para></listitem>
<listitem><para>Maintain a user's local profile on the server.</para></listitem>
<listitem><para>Validate a user using another system via smb (such as smb_pam) and
soon winbind (?).</para></listitem>
</itemizedlist>
</sect1>
<sect1><title>What can't we do ?</title>
<itemizedlist>
<listitem><para> Become or work with a Backup Domain Controller (a BDC).</para></listitem>
<listitem><para> Participate in any sort of trust relationship (with either Samba or NT
Servers).</para></listitem>
<listitem><para> Offer a list of domain users to User Manager for Domains
on the Security Tab etc).</para></listitem>
<listitem><para>Be a W2K type of Domain Controller. Samba PDC will behave like
an NT PDC, W2K workstations connect in legacy mode.</para></listitem>
</itemizedlist>
</sect1>
</chapter>
<!-- ================== I N S T A L L I N G ===================== -->
<chapter><title>Installing</title>
<para>Installing consists of the usual download, configure, make and make
install process. These steps are well documented elsewhere.
The <ulink url="samba-pdc-faq.html">FAQ</> discusses getting pre-release versions via CVS.
Then you need to configure the server.</para>
<sect1><title>Start Up Script</title>
<para>Skip this section if you have a working Samba already.
Everyone has their own favourite startup script. Here is mine, offered with no warrantee
at all !</para>
<programlisting>
#!/bin/sh
# Script to control Samba server, David Bannon, 14-6-96
#
#
PATH=/bin:/usr/sbin:/usr/bin
export PATH
case "$1" in
'start')
if [ -f /usr/local/samba/bin/smbd ]
then
/usr/local/samba/bin/smbd -D
/usr/local/samba/bin/nmbd -D
echo "Starting Samba Server"
fi
;;
'conf')
if [ -f /usr/local/samba/lib/smb.conf ]
then
vi /usr/local/samba/lib/smb.conf
fi
;;
'pw')
if [ -f /usr/local/samba/private/smbpasswd ]
then
vi /usr/local/samba/private/smbpasswd
fi
;;
'who')
/usr/local/samba/bin/smbstatus -b
;;
'restart')
psline=`/bin/ps x | grep smbd | grep -v grep`
if [ "$psline" != "" ]
then
while [ "$psline" != "" ]
do
psline=`/bin/ps x | fgrep smbd | grep -v grep`
if [ "$psline" ]
then
set -- $psline
pid=$1
/bin/kill -HUP $pid
echo "Stopped $pid line = $psline"
sleep 2
fi
done
fi
echo "Stopped Samba servers"
;;
'stop')
psline=`/bin/ps x | grep smbd | grep -v grep`
if [ "$psline" != "" ]
then
while [ "$psline" != "" ]
do
psline=`/bin/ps x | fgrep smbd | grep -v grep`
if [ "$psline" ]
then
set -- $psline
pid=$1
/bin/kill -9 $pid
echo "Stopped $pid line = $psline"
sleep 2
fi
done
fi
echo "Stopped Samba servers"
psline=`/bin/ps x | grep nmbd | grep -v grep`
if [ "$psline" ]
then
set -- $psline
pid=$1
/bin/kill -9 $pid
echo "Stopped Name Server "
fi
echo "Stopped Name Servers"
;;
*)
echo "usage: samba {start | restart |stop | conf | pw | who}"
;;
esac
</programlisting>
<para> Use this script, or some other one, you will need to ensure its used while the machine
is booting. (This typically involves <filename>/etc/rc.d</filename>, we'll be
assuming that there is a script called
samba in <filename>/etc/rc.d/init.d</filename> further down in this document.)
</para>
</sect1>
<sect1><title>Config File</title>
<sect2><title id=configfile>A sample conf file</title>
<para>Here is a fairly minimal config file to do PDC. It will also make the server
become the browse master for the
specified domain (not necessary but usually desirable). You will need to change only
two parameters to make this
file work, <filename>wins server</filename> and <filename>workgroup</filename>, plus
you will need to put your own name (not mine!) in the <filename>domain admin users</> fields.
Some of the parameters are discussed further down this document.</para>
<para>Assuming you have used the default install directories, this file should appear as
<filename>/usr/local/samba/lib/smb.conf</filename>. It should not be
writable by anyone except root.</para>
<note><para>The 'add user script' parameter is a work-around, watch for changes !</></>
<programlisting>
[global]
security = user
status = yes
workgroup = { Your domain name here }
wins server = { ip of a wins server if you have one }
encrypt passwords = yes
domain logons =yes
logon script = scripts\%U.bat
domain admin users = root dbannon andrew
add user script = /usr/sbin/adduser -n -g machines -c Machine -d /dev/null -s /bin/false %m$
guest account = ftp
share modes=no
os level=65
[homes]
guest ok = no
read only = no
create mask = 0700
directory mask = 0700
oplocks = false
locking = no
[netlogon]
path = /usr/local/samba/netlogon
writeable = no
guest ok = no
</programlisting>
</sect2>
<sect2><title>PDC Config Parameters</title>
<variablelist><title>There are a huge range of parameters that may appear in a smb.conf file. Some
that may be of interest to a PDC are :</title>
<varlistentry><term>add user script</term>
<listitem><para>This parameter specifies a script (or program) that will be run
to add a user to the system. Here it is being used to add a machine, not a user.
This is probably not very nice and may change. But it does work !</para>
<para>For this example, I have a group called 'machines', entries can be added to
<filename>/etc/passwd</> using a programme called <filename>/usr/adduser</> and
the other parameters are chosen as suitable for a machine account. Works for
RH Linux, your system may require changes.</para>
</listitem>
</varlistentry>
<varlistentry><term>domain admin users = user1 users2</term>
<listitem><para>This parameter specifies a unix user who will be granted admin privileges
on a NT workstation when
logged onto that workstation. See the section called <link linkend=domainadmin>
Domain Admin</> Accounts.</para>
</listitem>
</varlistentry>
<varlistentry><term>encrypt passwords = yes</term>
<listitem><para>This parameter must be 'yes' to allow any of the recent service pack NTs to logon. There are some reg hacks that
turn off encrypted passwords on the NTws itself but if you are going to use the smbpasswd system (and you
should) you must use encrypted passwords.</para>
</listitem>
</varlistentry>
<varlistentry><term>logon script = scripts\%U.bat</term>
<listitem><para>This will make samba look for a logon script named after the user
(eg joeblow.bat).
See the section further on called <link linkend=logonscript>Logon Scripts</></para>
<note><para>Note that the slash is like this '\', not like this '/'.
NT is happy with both, win95 is not !</para></note>
</listitem>
</varlistentry>
<varlistentry><term>logon path</term>
<listitem><para>Lets you specify where you would like users profiles kept. The default, that is in the users
home directory, does encourage a bit of fiddling.</para>
</listitem>
</varlistentry>
</variablelist>
</sect2>
</sect1>
<sect1><title>Special directories</title>
<para>You need to create a couple of special files and directories. Its nice
to have some of the binaries handy too, so I create links to them. Assuming
you have used the default samba location and have not
changed the locations mentioned in the sample config file, do the following :</para>
<programlisting>
mkdir /usr/local/samba/netlogon
mkdir /usr/local/samba/netlogon/scripts
mkdir /usr/local/samba/private
touch /usr/local/samba/private/smbpasswd
chmod go-rwx /usr/local/samba/private/smbpasswd
cd /usr/local/sbin
ln -s /usr/local/samba/bin/smbpasswd
ln -s /usr/local/samba/bin/smbclient
ln -s /etc/rc.d/init.d/samba
</programlisting>
<para>Make sure permissions are appropriate !</para>
<para>OK, if you have used the scripts above and have a path to where the links are do this to start up
the Samba Server :</para>
<para><command>samba start</command></para>
<para>Instead, you might like to reboot the machine to make sure that you
got the init stuff right. Any way, a quick look in the logs
<filename>/usr/local/samba/var/log.smbd</filename> and <filename>
/usr/local/samba/var/log/nmbd</filename>
will give you an idea of what's happening. Assuming all is well, lets create
some accounts...</para>
</sect1>
</chapter>
<!-- ================== U S E R and M A C H I N E A C C O U N T S ================ -->
<chapter><title>User and Machine Accounts</title>
<sect1><title>Logon Accounts</title>
<para><emphasis role=bold>This section is very nearly out of date already !</emphasis> It
appears that while you are reading it, Jean Francois Micou is making it
redundant ! Jean Francois is adding facilities to add users
(via User Manager) and machines (when joining the domain) and it looks like these facilities will
make it into the official release of 2.2.</para>
<para>Every user and NTws (and other samba servers) that will be on the domain
must have its own passwd entry in both <filename>/etc/passwd</filename> and
<filename>/usr/local/samba/private/smbpasswd</filename> .
The <filename>/etc/passwd</filename> entry is really
only to reserve a user ID. The NT encrypted password is stored in
<filename>/usr/local/samba/private/smbpasswd</filename>.
(Note that win95/98 machines don't need an account as they don't do
any security aware things.)</para>
<para>Samba 2.2 will now create these entries for us. Carefull set up is required
and there may well be some changes to this system before its released.
</para>
</sect1>
<sect1 id=machineaccount><title>Machine Accounts</title>
<note><para>There is an entry in the ntdom <ulink url="samba-pdc-faq.html">FAQ</> explaining how to create
machine entries manually.</para></note>
<variablelist><title><emphasis>At present</> to have the machine accounts created when a machine joins
the domain a number of conditions must be met :</title>
<varlistentry><term>Only root can do it !</term>
<listitem><para>There must be an entry in <filename>/usr/local/samba/private/smbpasswd</filename>
for root and root must be mentioned in <filename>domain admins</filename>. This may
be fixed some time in the future so any 'domain admin' can do it. If you don't
like having root as a windows logon account, make the machine
entries manually (both of them).</para>
</listitem>
</varlistentry>
<varlistentry><term>Use the <filename>add user script</></term>
<listitem><para>Again, this looks a bit like a 'work around'. Use a suitable
command line to add a machine account <link linkend=configfile>see above</link>,
and pass it %m$, that is %m to get machine name plus the '$'. Now, this
means you cannot use the <filename>add user script</> to really add users .... </para>
</listitem>
</varlistentry>
<varlistentry><term>Only for W2K</term>
<listitem><para>This automatic creation of machine accounts does not work for
NT4ws at present. Watch this space.</para></listitem></varlistentry>
</variablelist>
</sect1>
<sect1><title>Joining the Domain</title>
<para>You must have either added the machine account entries manually (NT4 ws)
or set up the automatic system (W2K), <link linkend=machineaccount>see Machine Accounts</link>
before proceeding.</para>
<variablelist>
<varlistentry><term><command>Windows NT</></term><listitem>
<itemizedlist>
<listitem><para> (<emphasis>this step may not be necessary some time in the near future</>).
On the samba server that is the PDC, add a machine account manually
as per the instructions in the <ulink url="samba-pdc-faq.html">FAQ</>
Then give the command <command>smbpasswd -a -m {machine}</> substituting in the
client machine name.</para></listitem>
<listitem><para> Logon to the NTws in question as a local admin, go to the
<command>Control Panel, Network IdentificationTag</command>.</para></listitem>
<listitem><para> Press the <command>Change</> button.</para></listitem>
<listitem><para> Enter the Domain name (from the 'Workgroup' parameter, smb.conf)
in the Domain Field.</para></listitem>
<!-- <listitem><para> Now enter a user name
and password for a Domain Admin <emphasis>(Who must be root
until a pre-release bug is fixed)</emphasis> and press
'OK'.</para></listitem> -->
<listitem><para> Press OK and after a few seconds you will get a 'Welcome to Whatever Domain'.
Allow to reboot.</para></listitem>
</itemizedlist>
</listitem></varlistentry>
<varlistentry><term><command>Windows 2000</></term><listitem>
<itemizedlist>
<listitem><para>Logon to the W2k machine as Administrator, go to the Control
Panel and double click on <command>Network and Dialup Connections</>.
</para></listitem>
<listitem><para>Pull down the <command>Advanced</> menu and choose
<command>Network Identification</>. Press <command>Properties
</>. </para></listitem>
<listitem><para>Choose <command>Domain</> and enter the domain name. Press 'OK'.</para></listitem>
<listitem><para>Now enter a user name and password for a Domain Admin
<emphasis>(Who must be root until a pre-release bug is fixed)</emphasis> and press
'OK'.</para></listitem>
<listitem><para>Wait for the confirmation, reboot when prompted.</para></listitem>
</itemizedlist>
<para>To remove a W2K machine from the domain, follow the first two steps then
choose <command>Workgroup</>, enter a work group name (or just WORKGROUP) and follow
the prompts.</para>
</listitem></varlistentry>
</variablelist>
</sect1>
<sect1><title id=useraccount>User Accounts</title>
<para><emphasis>Again, doing it manually (cos' the auto way is not working pre-release).
</emphasis>
In our simple case every domain user should have an account on the PDC. The
account may have a null shell if they are not allowed to log on to the unix
prompt. Again they need an entry in both the <filename>/etc/passwd</filename> and
<filename>/usr/local/samba/private/smbpasswd</filename>. Again a password is
not necessary in <filename>/etc/passwd</filename> but the location
of the home directory is honoured.
To make an entry for a user called Joe Blow you would typically do the following :</para>
<para><command>adduser -g users -c 'Joe Blow' -s /bin/false -n joeblow</command></para>
<para><command>smbpasswd -a joeblow</command></para>
<para>And you will prompted to enter a password for Joe. Ideally he will be
hovering over your shoulder and will, when asked, type in a password of
his choice. There are a number of scripts and systems to ease the migration of users
from somewhere to samba. Better start looking !</para>
</sect1>
<sect1><title id=domainadmin>Domain Admin Accounts</title>
<para>Certain operations demand that the logged on user has Administrator
privileges, typically installing software and
doing maintenance tasks. It is very simple to appoint some users as Domain Admins,
most likely yourself. Make
sure you trust the appointee !</para>
<para>Samba 2.2 recognizes particular users as being
domain admins and tells the NTws when it thinks that it has got one logged on.
In the smb.conf file we declare
that the <filename>Domain Admin users = user1 user2</filename>.
Any user mentioned here will be treated as a Domain Admin by a NTws when
logged onto the Domain. They will have full Administrator rights
including the rights to change permissions on files and run the system
utilities such as Disk Administrator.</para>
<para>Further, and this is very new, they will be allowed to create a
new machine account when first connecting a new NT or W2K machine to
the domain. <emphasis>At present, ie pre-release, only a Domain Admin who
also happens to be root can do so. </emphasis></para>
</sect1>
</chapter>
<!-- ======== P R O F I L E S P O L I C I E S and L O G O N S C R I P T S ======= -->
<chapter><title>Profiles, Policies and Logon Scripts</title>
<sect1><title>Profiles</title>
<para>NT Profiles should work if you have followed the setup so far.
A user's profile contains a whole lot of their personal settings,
the contents of their desktop, personal 'My Documents' and so on.
When they log off, all of the profile is copied to their directory
on the server and is downloaded again when they logon on again, possibly
on another client machine.</para>
<para>Sounds great but can be a bit of a bug bear sometimes. Users let
their profiles get too big and then complain about how long it takes
to log on each time. This sample setup only supports NT profiles,
rumor has it that it is also possible to do the same on Win95, my
users don't know and I'm not telling them.</para>
<note><para>There is more info about Profiles (including for W95/98)
in the <ulink url="samba-pdc-faq.html">FAQ</>.</para></note>
</sect1>
<sect1><title>Policies</title>
<para>Policies are an easy way to make or enforce specific characteristics across your network. You create a ntconfig.pol
file and every time someone logs on with their NTws, the settings you put in ntconfig.pol are applied to the NTws.
Typical setting are things like making the date appear the way you want it (none of these 2 figure years here) or
maybe suppressing one of the splash screens. Perhaps you want to set the NTws so it does not keep users profiles
on the local machine. Cool. The only problem is making the ntconfig.pol file itself. You cannot use the policy editor
that comes with NTws.</para>
<note><para>See the <ulink url="samba-pdc-faq.html">FAQ</> for pointers on how to get a suitable Policy Editor.</para></note>
<para>The Policy Editor (and associated files) will create a
<filename>ntconfig.pol</filename> file using the
parameters Microsoft thought of and parameters you specify by making your own
template file.</para>
<para>In our example configuration here, Samba will expect to find
the <filename>ntconfig.pol</filename> file in
<filename>/usr/local/samba/netlogon</filename>. Needless to say (I hope !),
it is vitally important that ordinary users don't have
write permission to the Policy files.</para>
</sect1>
<sect1><title id=logonscript>Logon Scripts</title>
<para>In the sample config file above there is a line
<filename>logon script = scripts\%U.bat</filename></para>
<note><para>Note that the slash is like this '\' not like this '/'.
NT is happy with both, win95 is not !</para></note>
<para>This allows you to run a dos batch file every time someone logs on. The batch
file is located on the server, in the sample install mentioned here,
its in <filename>/usr/local/samba/netlogon/scripts</filename> and
is named after the user with <filename>.bat</filename> appended, eg Joe
Blow's script is called <filename>/usr/local/samba/netlogon/scripts/joeblow.bat</filename>.</para>
<note><para>There is a suggestion that user names longer than 8 characters may cause
problems with some systems being unable to run logon scripts. This is confirmed in earlier
versions when connecting using W95, comments about other combinations ??</para></note>
<para>You could use a line like this <filename>logon script = default.bat</> and samba
will supply <filename>/usr/local/samba/netlogon/default.bat</> for any client and every
user. Maybe you could use %m and get a client machine dependant logon script.
You get the idea...</para>
<para>Note that the file is a dos batch file not a Unix script. It runs dos commands on the client
computer with the logon user's permissions. It must be a dos file with each line ending with
the dos cr/lf not a nice clean newline. Generally,
its best to create the initial file on a DOS system and copy it across.</para>
<para>There is lots of very clever uses of the Samba replaceable variables such
( %U = user, %G = primary group, %H = client machine, see the 'man 5 smb.conf') to
give you control over which script runs when a particular person logs
on. (Gee, it would be nice to have a default.bat run when nothing else is available.)</para>
<para>Again, it is vitally important that ordinary users don't have write
permission to other peoples, or even probably their own, logon script files.</para>
<para>A typical logon script is reproduced below. Note that it runs separate
commands for win95 and NT, that's because NT has slightly different behaviour
when using the <filename>net use ..</filename> command. Its useful for lots of
other situations too. I don't know what syntax to use for win98, I don't use it
here.</para>
<programlisting>
rem Default logon script, create links to this file.
net time \\bioserve /set /yes
@echo off
if %OS%.==Windows_NT. goto WinNT
:Win95
net use k: \\trillion\bio_prog
net use p: \\bcfile\homes
goto end
:WinNT
net use k: \\trillion\bio_prog /persistent:no
net use p: \\bcfile\homes /persistent:no
:end
</programlisting>
</sect1>
</chapter>
<chapter><title>Passwords and Authentication</title>
<para>So far our configuration assumes that ordinary users don't have unix logon access. A change
to the <link linkend=useraccount><filename>adduser</></> line above would allow unix logon
but it would be with passwords that may
be different from the NT logon. Clearly that won't suit everyone. Trying to explain to users
that they need to change their passwords in two seperate places is not fun.
Further, even if they cannot do a unix logon there are other processes that
might require authentication. We have a nice securely encrypted password in
<filename>/usr/local/samba/private/smbpasswd</filename>, why not use it ?</para>
<sect1><title></>
<sect2><title>Syncing Passwords</title>
<para>Yes, its possible and seems the easiest way (initially anyway).
The <ulink url="samba-pdc-faq.html">FAQ</> details how to
do so in the sections <emphasis>What is password sync and should I use it ?</> and <emphasis>
How do I get remote password (unix and SMB) changing working ?</></para>
</sect2>
<sect2><title>Using PAM</title>
<para>Pam enabled systems have a much better solution available. The Samba
PDC server will offer to authenticate domain users to other processes
(either on this server or on the domain). With a suitable pam stack
such as <ulink url="http://www.csn.ul.ie/~airlied/pam_smb/"> Pam_smb</ulink>
you can get any pam aware application looking to the samba password and
can leave the password field in <filename>/etc/shadow</filename>
or <filename>/etc/passwd</filename> invalid.</para>
</sect2>
<sect2><title>Authenticating other Samba Servers</title>
<para>In a domain that has a number of servers you only need one password database.
The machines that don't have their own ask the PDC to check for them.
This will work fine for a domain controlled by either a Samba or NT machine.</para>
<para>To do so the Samba machine must be told to refer to the PDC and where the PDC is.
See the section in the NTDom <ulink url="samba-pdc-faq.html">FAQ</> called <emphasis>How do I get my samba server to
become a member ( not PDC ) of an NT domain?</></para>
</sect2>
</sect1>
</chapter>
<chapter><title>Background</title>
<sect1><title></title>
<sect2><title>History</title>
<para>It might help you understand the limitations of the PDC in Samba if you
read something of its history. Well, the history as I understand it anyway.</para>
<para>For many years the Samba team have been developing Samba, some time ago
a number of people, possibly lead by Luke Leighton started contributing NT
PDC stuff. This was added to the 'head' stream (that would eventually
become the next version) and later to a seperate stream (NTDom). They did so
much that eventually this development stream was so mutated that it could not
be merged back into the main stream and was abandoned towards the end of 1999.
And that was very sad because many users, myself include had become heavily
dependant on the NTController facilities it offered. Oh well...</para>
<para>The NTDom team continued on with their new found knowledge however and
built the TNG stream. Intended to be carefully controlled so that it can be
merged back into the main stream and benefiting from what they learnt, it is
a very different product to the origional NTDom product. However, for a
number of reasons, the merge did not take place and now TNG is being developed
at <ulink url="http://www.samba-tng.org">http://www.samba-tng.org</>.</para>
<para>Now, the NTDom things that the main strean 2.0.x version does is based more
on the old (initial version) abandoned code than on the TNG ideas. It appears
that version 2.2.0 will also include an improved version of the 2.0.7 domain
controller charactistics, not the TNG ways. The developers have indicated
that 2.2.0 will be further developed incrementally and the ideas from TNG
incorporated into it.</para>
<para>One more little wriggle is worth mentioning. At one stage the NTDom
stream was called Samba 2.1.0-prealpha and similar names. This is most
unfortunate because at least one book published advises people who want to
use NTDom Samba to get version 2.1.0 or later. As main stream Samba will soon
be called 2.2.0 and NOT officially supporting NTDom Controlling functions,
the potential for confusion is certainly there.</para>
</sect2>
<sect2><title>The Future</title>
<para>There is a document on the Samba mirrors called <emphasis>'Development'
</emphasis>. It offers the 'best guess' of what is planned for future releases
of Samba.</para>
<para>The future of Samba as a Primary Domain Controller appears rosie, however
be aware that its the future, not the present. The developers are strongly committed
to building a full featured PDC into Samba but it will take time. If this
version does not meet your requirements then you should consider (in no particular
order) :</para>
<itemizedlist>
<listitem><para> Wait. No, we don't know how long. Repeated asking won't help.</para></listitem>
<listitem><para>Investigate the development versions, TNG perhaps or HEAD where new code is being added
all the time. Realise that development code is often unstable, poorly documented and subject to change.
You will need to use cvs to download development versions.</para></listitem>
<listitem><para>Join one of the Samba mailing lists so that you can find out
what is happening on the 'bleeding edge'.</para></listitem>
</itemizedlist>
</sect2>
<sect2><title>Getting further help</title>
<para>This document cannot possibly answer all your questions. Please understand that its very
likely that someone has been confrounted by the same problem that you have. The
<ulink url="samba-pdc-faq.html">FAQ</>
discusses a number of possible paths to take to get further help :</para>
<itemizedlist>
<listitem><para>Documents on the Samba Sites.</para></listitem>
<listitem><para>Other web sites.</para></listitem>
<listitem><para>Mailing list.</para></listitem>
</itemizedlist>
<para>There is some discussion about guide lines for using the Mailing Lists on the
accompanying <ulink url="samba-pdc-faq.html">FAQ</>,
please read them before posting.</para>
</sect2>
</sect1>
</chapter>
</book>
View Git Blame Copy Permalink